Hard on the heels of the California Consumer Privacy Act of 2018 (CCPA) and updated state privacy laws in Nevada and Maine which took effect in 2019, state data privacy legislation is still on the rise.
In November of 2020, California citizens approved the California Privacy Rights and Enforcement Act (CPRA), further amending the CCPA. The CPRA is intended to strengthen privacy regulations in California by creating new requirements for companies that collect and share sensitive personal information. It also creates a new agency, the California Privacy Protection Agency, that will be responsible for enforcing CPRA violations.
Most recently, the Virginia Governor signed the Consumer Data Protection Act into law, thereby making Virginia yet another U.S. state with a comprehensive state privacy law.
As momentum builds for state privacy laws, 2021 could be the year that privacy laws gain footing across the country, helping Americans exercise control over their digital lives.
Washington’s Privacy Act 2021, SB 5062
Update: The WPA did not pass the House by the April 11 deadline. On April 12, however, Senator Carlyle tweeted that the “bill remains alive through the end of the session.” The legislature will close on April 25.
Update 4/26: The WPA did not pass for the third year in a row, due to the late introduction of a limited private right of action (for injunctive relief). Jump to the bottom of the page for links to other pending state legislation.
The most notable, because it has progressed furthest through a state legislature, is the current draft of the Washington Privacy Act 2021 (“WPA”). This draft bill is the third version of the act introduced by Washington state Sen. Reuven Carlyle (D-Seattle) in as many years.
The WPA would apply to legal entities that conduct business in Washington or produce products or services targeted to Washington residents, and that either:
- control or process the personal data of 100,000 or more Washington residents, or
- derive 50 percent of their gross revenue from the sale of personal data and process or control the personal data of 25,000 or more consumers.
Personal data under the bill is defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person.”
Personal data already subject to federal privacy and security regulations such as HIPAA, FCRA, GLBA, FERPA, and certain other laws is exempted from the WPA.
Data Processing Agreements
Unlike the CCPA, which refers to a “business” and “service provider,” the WPA, heavily influenced by the European General Data Protection Regulation (“GDPR”), refers to “controllers” and “processors”. Controllers would be responsible for notifying consumers when they “sell” personal data or use it for targeted advertising; complying with purpose limitation, data minimization, and security obligations; and completing data protection assessments. In addition, the WPA requires a processor’s processing activities to be governed by a contract with the controller, setting out the processing instructions by which the processor is bound. Such requirements mirror the kind of data processing agreements parties enter into under the GDPR. Processors also would need to secure approval from data controllers before using subprocessors and enter into appropriate subprocessing agreements.
Data Protection Assessments
Similar to the GDPR, under the WPA, controllers must conduct a data protection assessment when processing personal data for certain functions such as targeted advertising, the sale of the data, certain types of profiling, the processing of sensitive data, and processing that presents a heightened risk of harm to consumers. Data protection assessments would need to “identify and weigh the benefits that may flow directly and indirectly from the processing to the controller, consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risks”. The attorney general’s office would be entitled to request, and evaluate for compliance, data protection assessments as part of an investigation.
Further, controllers would be prohibited from processing sensitive personal data without consent. Sensitive data is defined as:
- personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, or citizenship or immigration status;
- the processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
- the personal data from a known child; or
- specific geolocation data.
The WPA provides Washington consumers with the right of access, correction, deletion, and data portability, as well as the right to opt out of certain processing activities. Notably, the right to opt out is broader than the CCPA’s and includes the processing of personal data “for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer”. Under the WPA, a “sale” is defined as “the exchange of personal data for monetary or other valuable consideration by the controller to a third party”.
The WPA provides the Washington attorney general with exclusive authority to enforce the law. Fines are roughly in line with the CCPA, at a maximum of $7,500 per violation.
Section 111 of the 2021 WPA states that a violation “may not serve as a basis for, or be subject to, a private right of action under this chapter or under any other law.” However, in a change from the 2020 WPA, it also states that “[r]ights possessed by consumers as of July 1, 2020, under chapter 19.86 RCW, the Washington state constitution, the United States Constitution, and other laws are not altered.” Chapter 19.86 RCW is Washington’s Consumer Protection Act.
Notably, Section 112 of the 2021 WPA, which addresses enforcement, includes language that “[a] violation of this chapter is not reasonable in relation to the development and preservation of business and is an unfair or deceptive act in trade or commerce and an unfair method of competition for the purpose of applying the consumer protection act.”
The lack of a private right of action was a dealbreaker for legislators when the bill failed last year and presumably will continue to be an issue.
If passed, the WPA could become one of the most comprehensive state privacy laws in the United States, and would go into effect on July 31, 2022. Given the short legislative term in Washington state, by April 25 we should know the fate of this year’s legislation.
Washington’s People’s Privacy Act, HB 1433
Advocacy groups such as the ACLU of Washington have criticized the repeated lack of a private right of action, saying the current Senate bill is still too business-centric and fails to give consumers meaningful privacy rights.
A competing bill co-created by the ACLU of Washington, the People’s Privacy Act, was thus introduced in the Washington House in January. It would require companies to obtain opt-in consent for the collection and use of personal information while also giving consumers the ability to sue in the event of a violation of their privacy rights.
Pending Data Privacy Legislation in Other States
There are over a dozen other bills currently on the docket in other states, all of which follow an approach similar to California’s CCPA. These proposed state privacy laws rely on consumers to opt out of data collection, rather than pushing companies to obtain consent before collecting data – a win for tech companies. Mirroring the CCPA, most bills include consumer rights such as the right of access, deletion, and data portability. And just like the CCPA and the draft WPA, very few allow for a private right of action. While some – if not most – of the bills will likely fail to become law, they still show a developing trend towards transparency in data privacy in the United States.