The proposed Washington Privacy Act (WPA) continues to move forward with new enforcement provisions, including a limited private right of action. The Washington House Committee on Civil Rights and Judiciary narrowly approved the so-called “striker” amendment, which would enable state residents to sue companies for injunctive relief over alleged violations but would not allow suits for monetary damages. The bill had already passed the Washington Senate by a vote of 48-1.
This marks the third year in a row that the Washington Senate has overwhelmingly passed the WPA, although it has yet to become law. Last year, the state’s House of Representatives passed an amended version of the WPA that included a private right of action. The bill ultimately failed when the two chambers were unable to reconcile their differences before the close of the legislative session. This year may be different in light of the recent legislative developments described below.
Several of the Committee’s latest changes to the WPA include the following. For a description of other key provisions already in the WPA, see below.
- Private Right of Action: the amendment adds a new enforcement provision, effective July 31, 2023, that allows consumers to sue for injunctive relief under the following conditions: (1) if they allege their consumer rights were violated (e.g., rights of access, correction, deletion, portability and opt-out), (2) if they allege they were discriminated against for exercising their rights, or (3) if they allege a company did not obtain consent prior to processing sensitive information or children’s information. This is a narrower private right of action than those considered in the past, which would have allowed monetary as well as injunctive relief. Unlike the California Consumer Privacy Act (CCPA), the WPA’s cause of action would apply to all of the WPA’s privacy terms, not merely to data breaches. Additionally, while the provision does not include damages, plaintiffs’ attorneys may still be incentivized to file actions in order to be awarded attorneys’ fees.
- Cure Period: the amendment adds a one-year sunset to the “right to cure” that would allow companies a window to correct any alleged violations before facing a penalty.
- DSAR Requests: the amendment strengthens requirements that companies comply with individuals’ requests to access their data, to correct or amend it, to delete it, and to receive it in a portable format. It allows consumers to access specific personal data held by a controller, not just categories of data, and adds a 45-day limit for businesses to respond to a right-to-access request.
- Opt Outs: the amendment would permit the use of designated and authorized agents for consumer rights, and requires compliance with global privacy controls that communicate a request to opt out.
- Privacy Notice: the amendment clarifies that privacy notices should use clear and plain language, be in English and in any other language the controller uses to communicate with the consumer to whom the information pertains, and be understandable to the least sophisticated consumer, a far lower standard than the reasonable consumer standard that is more frequently used.
WPA’s Applicability and Scope, Generally
The WPA would create new privacy obligations for companies doing business in Washington. Some of its key terms are as follows:
Covered Entities. The WPA applies to legal entities that conduct business in Washington or produce products or services targeted to residents of Washington if they satisfy at least one of the following thresholds:
- Annually control or process personal data of at least 100,000 Washington residents (Virginia’s Consumer Data Protection Act (CDPA) has the same requirement), or
- Control or process personal data of at least 25,000 Washington residents and derive over 25% of gross revenue from the sale of personal data.
The WPA would not apply to state and local governments or municipal corporations, or to non-profit organizations that do not sell information. There are also exclusions for information covered under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or the Gramm-Leach-Bliley Act (GLBA), among others.
Personal Data. “Personal data” is defined under the WPA as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” This language mirrors the CDPA and is very similar to the EU’s General Data Protection Regulation definition. The WPA also contains a carve-out for “deidentified data or publicly available information” defining deidentified data as data that cannot be reasonably used to identify natural persons.
Covered Individuals. The WPA applies to Washington residents “acting only in an individual or household context.” As with the CDPA, there is an explicit exemption for individuals acting in a commercial or employment capacity, creating an inherent employee and B2B exemption.
Obligations for Controllers and Processors
Controllers. The WPA defines controllers as any entity that alone or jointly determines the purposes and means of processing data. The provisions that provide rights to covered individuals (e.g., the right to access their data, to correct or amend it, to delete it, etc.) are largely the obligations of controllers. Generally, controllers are obligated to be transparent and careful in the way they handle consumer data, including in how they handle consumer requests regarding rights to their data, and to take “reasonable steps” to notify third parties to whom they have disclosed personal data of consumers’ correction, deletion, or opt-out requests.
Processors. Processors are defined as entities that process personal data on behalf of a controller. They are required to adhere to controllers’ instructions to help them meet their data obligations to covered individuals. They must also maintain security procedures taking into account the context through which the personal data is being processed.
Data Protection Assessments
The WPA would require data controllers and processors to conduct data protection assessments (DPAs) for all processing activities involving personal data, and again whenever processing activities change in a manner that materially increases risks to consumers. This requirement is broader than the obligations under the similar Virginia requirements and under international privacy laws that also require DPAs in some circumstances. Whereas the GDPR requires data protection assessments only when profiling leads to automated decision-making having a substantial effect upon an individual and in other limited circumstances, the WPA expands on this significantly.
Sensitive Data and Consent
“Sensitive Data.” Under the WPA, companies need to obtain affirmative consent for the processing of “sensitive” personal data. Sensitive personal data includes:
- personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, or citizenship or immigration status;
- the processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
- the personal data from a known child; or
- specific geolocation data.
Commercial Facial Recognition
The WPA has specific provisions, beyond its general personal data requirements, pertaining to commercial uses of facial recognition. Generally, the Act would require consumers to affirmatively opt in (consent) to the use of their personal data for facial identification, and would place heightened obligations on controllers and processors who operate this technology.
* * *
Activity on the WPA comes on the heels of the recent passage of Virginia’s comprehensive privacy law, the Virginia Consumer Data Protection Act (CDPA). If the WPA were to become law, Washington would join Virginia along with California and Nevada as states to pass comprehensive privacy legislation. Privacy has been an active area for lawmaking proposals and the velocity of this legislation appears to be accelerating with nearly half of all states having introduced broad consumer privacy bills. New York is another state to watch for forthcoming legislation with its own proposed comprehensive privacy laws, the New York Privacy Act (NYPA) and Senate Bill S567.
Passage of the WPA may also put further pressure on Congress to pass comprehensive federal privacy legislation, something an increasing number of businesses support. In the interim, increased privacy regulation is compelling clients to continue shifting towards global privacy policies with appropriate local variations as necessary to accommodate the differences among these state laws. Although the WPA may be further amended before it is able to pass both chambers of the Washington legislature (if it passes at all), it is clear that the privacy law space is continuing to heat up, and businesses should be prepared to comply with the nuances of individual state laws.
We will continue to watch and report on developments surrounding the WPA and other privacy laws. If you have any questions about this Alert or other privacy law developments, please contact Ropes & Gray’s data, privacy & cybersecurity attorneys.