CLIENT ALERT:
Washington Privacy Act
State Legislature Introduces 2020 Washington Privacy Act
January 13th marked the start of Washington State’s legislative session in Olympia and lawmakers introduced a host of new bills on the same day, including the Washington Privacy Act (SB 4873), sponsored by Senator Reuven Carlyle. The bill, similar to the one of the same name which failed in the state legislature last year, would allow Washington consumers to control how their personal data is collected and used.
The 2019 privacy legislation passed in the Senate, but failed in the House despite widespread support in the legislature and support from industry stakeholders, due to a number of last-minute amendments and proposed increased regulation around facial recognition provisions. If the WPA into law this year, Washington would become only the second state to pass comprehensive privacy legislation, behind the California Consumer Privacy Act (CCPA).
While the WPA largely mirrors the General Data Protection Regulation (GDPR) legislation in the EU and the CCPA in many ways, it is nevertheless considered to be the most comprehensive statewide privacy legislation introduced to date. It would apply to Washington residents and entities that:
1. Conduct business in the state, or
2. Produce products or services targeted at Washington residents and they:
• Control or process personal data of 100,000 consumers or more, or
• Obtain 50% of gross revenue from the sale of personal data and process or control personal data of at least 25,000 consumers.
The legislation would do a number of things, including:
1. Require companies to comply with individuals’ requests to access, correct, and delete their personal data;
2. Require companies to comply with individuals’ requests to access personal data in a portable format;
3. Allow consumers to opt out of the collection and use of their personal data for certain purposes, including targeted advertising;
4. Require companies to provide transparent privacy policies that are “accessible, clear, and meaningful” about how consumers’ personal data is used;
5. Limit collection of consumers’ personal data to that which is “reasonably necessary in relation to the specified and express purposes for which such data are processed”;
6. Require companies to implement reasonable administrative, technical, and physical data security practices to protect personal data, in a manner that is appropriate to the nature and volume of the data at hand;
7. Restrict companies from processing a consumer’s sensitive data without first obtaining the consumer’s consent;
8. Invalidate any provision of a contract or agreement that aims to waive or limit in any way a consumer’s rights under this legislation.
The bill also includes provisions governing facial recognition technology, including capabilities to test accuracy and any potential unfair performance, documentation requirements for companies that provide facial recognition technology, and information about where consumers can obtain additional information about the facial recognition services included.
Further, the WPA outlines penalties for non-compliance with its requirements. While it does not include a private right of action for individuals, it does give the state Attorney General the authority to enforce penalties, which are capped at $7,500 per violation.
If approved by the state legislature, the WPA would go into effect on July 31, 2021.
BPM’s Business Practice Group will continue to monitor the progress of the WPA as it makes its way through the Washington state legislature this year. Contact one of BPM’s Business and Corporate Law attorneys to discuss how passage of the WPA could impact your business.