Discerning Data

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy

New Washington State Privacy Bill Incorporates Some GDPR Concepts

A new bill, titled the “Washington Privacy Act,” was introduced in the Washington State Senate on January 18, 2019. If enacted, Washington would follow California to become the second state to adopt a comprehensive privacy law.

Similar to the California Consumer Privacy Act (CCPA), the Washington bill applies to entities that conduct business in the state or produce products or services that are intentionally targeted to residents of Washington, and it includes similar, though not identical, size triggers. For example, it would apply to businesses that 1) control or process data of 100,000 or more consumers; or 2) derive 50 percent or more of gross revenue from the sale of personal information, and process or control personal information of 25,000 or more consumers. The bill would not apply to certain data sets regulated by some federal laws or to employment records, and would not apply to state or local governments.

The bill incorporates aspects of the EU’s General Data Protection Regulation (GDPR) and borrows the GDPR’s “controller”/“processor” lexicon in identifying obligations for each role. It defines personal data as any information relating to an identified or identifiable natural person, but does not include de-identified data. Similar to the GDPR, it treats certain types of sensitive information differently. Unlike the CCPA, the bill excludes from the definition of “consumer” employees and contractors acting in the scope of their employment. Additionally, the definition of “sale” is narrower and limited to the exchange of personal data to a third party, “for purposes of licensing or selling personal data at the third party’s discretion to additional third parties,” while excluding any exchange that is “consistent with a consumer’s reasonable expectations considering the context in which the consumer provided the personal data to the controller.”

Another element of the bill similar to the GDPR requires businesses to conduct and document comprehensive risk assessments when their data processing procedures materially change and on an annual basis. In addition, it would impose notice requirements when engaging in profiling and a prohibition against decision-making solely based on profiling.

Consumer rights 

Similar to both the GDPR and the CCPA, the bill outlines specific consumer rights. Specifically, upon request from the consumer, a controller must:

  • Confirm if a consumer’s personal data is being processed and provide access to such data.
  • Correct inaccurate consumer data.
  • Delete the consumer’s personal data if certain grounds apply, such as in cases where the data is no longer necessary for the purpose for which it was collected.
  • Restrict the processing of such information if certain grounds apply, including the right to object to the processing of personal data related to direct marketing. If the consumer objects to processing for any purpose other than direct marketing, the controller may continue processing the personal data if the controller can demonstrate a compelling legitimate ground to process such data.

If a controller sells personal data to data brokers or processes personal data for direct marketing purposes, it must disclose such processing as well as how a consumer may exercise the right to object to such processing.

The bill specifically addresses the use of facial recognition technologies. It requires controllers that use facial recognition for profiling purposes to employ meaningful human review prior to making final decisions and obtain consumer consent prior to deploying facial recognition services. State and local government agencies are prohibited from using facial recognition technology to engage in ongoing surveillance of specified individuals in public spaces, absent a court order or in the case of an emergency.

The Washington State Attorney General would enforce the act and would have the authority to obtain not more than $2,500 for each violation or $7,500 for each intentional violation. There is no private right of action.

The Washington Senate Committee on Environment, Energy & Technology held a public hearing on January 22, 2019 to solicit public opinions on this proposed legislation. At the beginning of the public hearing, the Chief Privacy Officer of Washington, Alex Alben, commented that the proposed legislation would be just in time to address a “point of crisis [when] our economy has shifted into a data-driven economy” in the absence of federal legislation regarding data security and privacy protection.

Industry reaction to the bill

Companies and industry groups with an interest in this process applauded this proposed legislation as good news for entities that have become, or are on their way to becoming, compliant with the GDPR. Many also shared suggestions or criticisms. Among others, some speakers cautioned that by setting a high standard closely resembling the GDPR, the bill might drive small- or medium-sized companies to block Washington customers, just as they have done in the past to avoid compliance with the GDPR.

Some representatives, including the Chief of the Consumer Protection Division of the Washington Attorney General’s Office, called for a private cause of action so that this law would mean more to a private citizen than simply “a click on the banner.” The retail industry, the land title association, and other small business representatives expressed their preference for legislation on a federal level and a higher threshold for applicable businesses. Specifically, Stuart Halsan from the Washington Land Title Association recommended that the Washington Senate consider this bill’s impact on industries, such as the land title insurance industry, where the number of customers is significantly lower than the amount of data they process in their ordinary course of business.

In response to these industry concerns, the committee acknowledged that this new legislation would need to be very sensitive to apply proportionately to businesses of different sizes and technology capabilities. The committee also recognized the need to make this legislation more administratively feasible for certain industries or entities that face difficulty in compliance (such as the secondary ticketing market) or are subject to complicated regulatory frameworks (such as the bank industry). The Washington Senate continues to invite individuals, companies, or industry groups to submit brief written comments here.

The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.

About the Author: Qiusi Newcom

Qiusi Y. Newcom is an associate in the firm's government & regulatory affairs practice. Read Qiusi's full bio on the Faegre Drinker website.

January 31, 2019
Written by: Qiusi Newcom
Category: CCPA, GDPR, Privacy
Tags: CCPA, consumers, data, GDPR, privacy, Washington, Washington State Attorney General
