With the California Consumer Privacy Act (CCPA) now in effect as of January 1, 2020, other states are moving to consider comprehensive privacy legislation.
Case in point, on January 14, 2020, Washington re-introduced its Washington Privacy Act. Similar to a bill that stalled in the Washington legislature last year, the 2020 version of the Washington Privacy Act includes privacy protections seen in CCPA and the European Union’s General Data Protection Regulation that, if enacted, would grant Washington residents unprecedented rights with regard to privacy and personal data.
Much like CCPA, a threshold requirement for the Washington Privacy Act to apply is that a legal entity conduct business in Washington or produce products or services targeted to Washington residents. In addition, for the Act to apply, such an entity would either have to (1) control or process personal data of 100,000 or more consumers or (2) derive 50% of gross revenue from the sale of personal data and process or control data of 25,000 or more consumers. The jurisdictional coverage provisions carve out a number of exceptions, including state and local governments, protected health information covered by the Health Insurance Portability and Accountability Act, consumer credit information covered by the Fair Credit Reporting Act, and nonpublic personal information covered by the Gramm-Leach-Bliley Act.
Consumers would have a number of rights under the Washington Privacy Act, including (1) the right to access, which is defined as the right to know whether a controller is processing personal data of the consumer and to access such data; (2) the right to correct inaccurate personal data; (3) the right to deletion of personal data concerning the consumer; (4) the right to data portability, that is, to receive personal data requested under the right to access in a portable and readily usable format; and (5) the right to opt out of processing the consumer’s personal data for targeted advertising, sale of personal data, or profiling. Controllers are responsible for ensuring that requests to correct, delete, or opt out are passed on to any third party to whom the controller disclosed any such information during the prior year. Similar to CCPA, requests must be authenticated, can be made up to twice annually, and should be responded to within 45 days, with a possible extension of another 45 days if needed.
The contents of a company’s privacy notice are also defined under the Washington Privacy Act. Privacy notices would need to include (1) categories of personal data processed by the controller; (2) purposes for which such data is processed; (3) how and where consumers can exercise the five rights noted in the paragraph above; (4) categories of personal data the controller shares with third parties; and (5) categories of third parties with whom data is shared. Furthermore, if a company sells personal data or processes it for targeted advertising, the notice must clearly disclose such activities and the ways in which a consumer can exercise the right to opt out.
The Washington Privacy Act contains numerous additional provisions designed to ensure the privacy and security of consumers’ data and ensure that consumers have a choice as to how such data is processed and retained. While it has some similarities with CCPA, significant differences exist. Should it become law, companies will find themselves caught in a balancing act between the two statutes. And if other state privacy acts come online, like the New York Privacy Act proposed in 2019 or AB 1049 currently before the Pennsylvania legislature, this balancing act will become all the more complex.