We would like to ensure that you are still receiving content that you find useful – please confirm that you would like to continue to receive ILO newsletters.
24 January 2020
Last year, SB 5376 (also known as the Washington Privacy Act, or WPA) gained significant traction in the legislature, passing the state Senate almost unanimously but ultimately failing in the House due to discussions around facial recognition and compliance challenges. State Senator Reuven Carlyle (D), chair of the state's Senate Energy, Climate & Technology Committee, has now released a revised draft of the WPA for 2020. If enacted as drafted, this new version of the WPA would come into effect on July 31, 2021.
The draft bill proposes a comprehensive set of privacy requirements that have been influenced by both the European General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). An example of the GDPR influence is the use of the terms "controllers" and "processors" to describe organizations that handle personal data in different ways with the imposition of contracting obligations between controllers and processors. The bill also tracks closely to the recently effective CCPA, while in some ways providing more flexibility and in other ways going beyond the requirements in California's law. We provide a brief overview of the draft bill below.
The draft would apply to legal entities that:
Personal data under the bill is "any information that is linked or reasonably linkable to an identified or identifiable natural person."
Unlike the CCPA, which has a private right of action for certain security breaches, the 2020 draft WPA prohibits all private rights of action but offers no cure period for violations (fines are roughly in-line with the CCPA, at a maximum of $7,500 per violation). The Washington law also places a greater emphasis on privacy expectations in public areas and would regulate the use of facial recognition technologies, imposing obligations on both processors and controllers using such technologies. Processors providing facial recognition technologies would need to, for example, allow third parties to access and test their systems for accuracy and unfair performance. Controllers using such technologies may need consent from consumers before adding facial templates to facial recognition systems.
The draft bill also defines "personal data," "sensitive data," "pseudonymous data," and "de-identified data." Personal data subject to HIPAA, FCRA, GLBA, FERPA, and certain other laws are exempted from the WPA.
Like the GDPR, the WPA characterizes organizations that process personal data as "controllers" or "processors" and imposes different responsibilities on each. For example, controllers would be required to have contracts with processors, and processors would be obligated to help controllers with certain compliance obligations. The bill defines controllers as persons that determine the purposes and means of processing personal data. Controllers would also be responsible for notifying consumers when they "sell" personal data or use it for targeted advertising; complying with purpose limitation, data minimization, and security obligations; and completing "data protection assessments" (DPAs) for each processing activity that involves personal data. Notably, controllers would also be required to obtain consent (a defined term under the WPA) before processing sensitive data.
Under the bill, processors are persons that process personal data "on behalf of a controller." To qualify as a processor, an organization would need a written contract with a controller that contains specific terms to allow for information processing support.
The WPA grants consumers five rights:
Although this is the first significant piece of draft state privacy legislation we have seen surface in 2020, we expect it will not be the last. A number of state legislators, inspired by recent laws in California and Nevada and influenced by some recent proposals at the federal level and the GDPR, are likely to make privacy a priority for 2020 legislative sessions. We are tracking drafts in a number of states and expect to remain engaged as bills work their way through state legislatures this year.
For further information on this topic please contact Mark M Brennan, Timothy P Tobin, Bret S Cohen or Melissa K Bianchi at Hogan Lovells by telephone (+1 202 637 5600) or email (firstname.lastname@example.org, email@example.com, firstname.lastname@example.org or email@example.com). The Hogan Lovells website can be accessed at www.hoganlovells.com.
This article has been reproduced in its original format from Lexology – www.Lexology.com.
The materials contained on this website are for general information purposes only and are subject to the disclaimer.
ILO is a premium online legal update service for major companies and law firms worldwide. In-house corporate counsel and other users of legal services, as well as law firm partners, qualify for a free subscription.