The Washington Privacy Act (WPA) was a piece of legislation that aimed to introduce far tougher data protection regulations within Washington state.
The bill was originally passed by an overwhelming majority in the state Senate but would ultimately fail to come before the House of Representatives in time for its 17th April deadline. However, senators have pledged to support its enactment once again in 2020.
Washington is one of a number of US states seeking to enforce tougher rules around what companies can and can’t do with consumer data. The proposed changes mirror many of the provisions created under the European Union’s General Data Protection Regulation introduced in May 2018, and California’s own Consumer Privacy Act (CCPA), set to come into force in January 2020.
In terms of what the law covers, the WPA is closely aligned with the CCPA, although there are a handful of notable differences – and despite deriving inspiration from the European Union, both the WPA and CCPA are in fact significantly weaker in terms of user protection and compliance obligations.
Like the CCPA, it was considered to be one of the most progressive and toughest sets of data protection rules in US history. Generally speaking, the Washington Privacy Bill sought to give data subjects greater rights over how and when they could access the data that companies hold on them. It would have also forced companies to be far more transparent with how they process data and to facilitate the new rights of data subjects.
Tougher penalties for breaching these rules were also planned, which largely mirrored the CCPA but fell far short of those possible under the EU’s GDPR.
Why was the Washington Privacy Act proposed?
The issue of data protection rights has become a concern for many consumers across the globe. States across the US, as well as governments in Europe, Africa, Latin America and Asia, have all sought to manage this upswell by creating rules that protect consumers without stifling business opportunities too much.
However, a great deal of pressure has been placed on governments to create effective laws, and to do so soon. In the past ten years alone we've seen some of the worst data breaches and abuses of data in history, with hacks on Yahoo, Equifax, Marriott International, First American Bank, Facebook and Uber, to name a few, affecting billions of customers worldwide. Importantly, these breaches were not only the result of poor security but also flippancy, malpractice and improper data sharing.
The US remains an unusual case within the global context, as it still does not have a federal data protection regime, despite its national imperative. This has forced many states to start drafting their own laws, one of the first being the state of Washington.
Who would the WPA apply to?
The WPA proposed a fairly broad jurisdiction. Firstly, it would have applied to any natural persons deemed to be residents of Washington state, acting either as an individual or on behalf of a household.
It would also apply to any legal entity that falls under one of the following brackets:
- Processes data belonging to 100,000 or more residents
or
- Generates at least 50% of its revenue from the sale of consumer data, provided they control data belonging to at least 25,000 consumers
In this sense, the WPA would have been considerably narrower than the European Union legislation from which it draws inspiration. The scope is also notably different from the CCPA, which has three possible catchment criteria instead of two.
How would personal data be defined under WPA?
The Washington Privacy Act also proposed a fairly expansive definition of personal data – namely, “any information relating to any identified or identifiable natural person” acting either as an individual or on behalf of a household. This is notably broader than the CCPA, which only covers data belonging to each individual.
The WPA would also give special provisions to “sensitive data” – that is any “personal data revealing racial or ethnic origin, religious or philosophical beliefs, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning a minor, data concerning health, or data concerning a natural person’s sex life or sexual orientation”. The WPA would require businesses to ensure they have specific systems in place to safeguard this category of data, a provision which is not present in the CCPA.
Personal data in this instance does not stretch to de-identified or anonymous data. This means that if a company is unable to verify the identity of a data subject based on the information they hold, it does not need to inform the consumer about what data it holds on them.
Employment records are also not defined as personal data under the scope of the WPA.
What rights would the WPA give to consumers?
The proposed act stipulated that consumers would have the following:
Right to access – The right to be informed whether their data is being processed, and the right to obtain a copy of said data
Right to correction – The right to force a controller to correct any inaccuracies in the data they hold
Right to erasure – The right to have their data deleted under certain conditions, with controllers also being required to inform any third parties with which data was shared
Right to restrict processing – The right to have the processing of their personal data restricted under certain circumstances, with controllers being required to seek consent from the data subject before processing
Right to portability – The right to have a copy of their data supplied in a machine-readable, commonly used format
Right to object to processing – The right to object to the processing of their own data under certain circumstances.
Right to object to automated decisions – The right to object to being the subject of decisions based solely on automated processing. This right applies unless the processing is fundamental to certain business activities, or is approved by law. Controllers may also use entirely automated decision making if they have received user consent.
What would the WPA require of businesses?
Like the CCPA and GDPR, the Washington Privacy Act would require businesses to be more transparent about their data processing activities, including what data they collect and why certain data is processed.
It would also require businesses to maintain robust data practices in order to ensure a smooth transfer of data between business and consumer and to ensure that said data remains accurate and protected.
Signposting of data rights
The WPA would require businesses to provide a public-facing privacy policy and clearly signpost this on their website. Importantly, this information should be made clear before any personal data is collected.
This policy would need to outline the various data rights afforded to Washington residents, and the various procedures that consumers can use to exercise these. It would also need to clearly indicate what categories of data are being collected, why this is collected, and highlight any third-parties with whom this is shared.
The business would also need to explain to consumers how it processes data in relation to any targeted advertising associated with its content.
Access requests
The WPA would also require businesses to facilitate access requests from consumers. These can cover the correction of information, the deletion of data, or a request to see a copy of any data held.
Businesses would also be required to respond to these requests, which are similar to subject access requests under GDPR, without undue delay and the companies response policy should be displayed on their website. This correspondence should be free of charge for consumers. The timing of any action can be extended based on the complexity of the requested task.
Like the CCPA, the WPA also permits the resale of personal data by third parties, however, consumers have the right to opt-out of this sale and businesses must make this a simple process. Under the WPA, the definition of ‘sale’ is slightly narrower – that is, any activity that would be consistent with a consumer’s expectations of the service at the time they provided data to the controller, would not fall under the scope of the WPA.
For any changes to data, such as a consumer deciding to suddenly opt-out of direct marketing, businesses are required to communicate this to any third parties.
Risk assessments
Businesses would also be required to conduct risk assessments for each processing activity that involves personal data. This would need to take into account the various categories of data being held, including those deemed sensitive, and the context in which the data is being processed.
Automated decisions
As explained above in the consumer rights section, businesses would be prohibited from basing decisions solely on automated processes. This type of processing can still occur, but it needs to be made in conjunction with other processing types, and involve oversight from the data controller to ensure decisions have not been made about them entirely based on automated processes.
Facial recognition
The WPA would restrict the use of facial recognition technology unless the consumer has given consent.
This is a notable divergence from the CCPA, which has no such restriction. An amendment was considered in the later stages of the Californian bill designed to force businesses to publicly disclose whether they were using the technology, however, this was ultimately rejected.
Sanctions under the WPA
The WPA would introduce far tougher sanctions for data misuse in comparison with current state laws.
All enforcement responsibility would lie with the state’s Attorney General, and there would also be no possibility for private action under the bill agreed upon by the state Senate. This is in contrast to the CCPA, which allows residents to take action against companies with potential damages of between $100 and &750.
Aside from private action, the WPA closely mirrors the CCPA in terms of financial penalty and process. The statute would provide a 30-day cure period from the point of notice, providing a window for the company to fix any issues of non-compliance.
If a sanction is necessary, the Attorney General can either request an injunction to forcibly prevent non-compliant activity from taking place, or impose financial penalties based on the violation.
The current fines stand at $2,500 per violation found, or $7,500 per violation if it’s evident that non-compliance was intentional – though it’s unclear what criteria is needed to be met to constitute an intentional act.
Multiple parties can be implicated in an act of non-compliance, with fines being distributed based on comparative fault.
Importantly, the data controller is not liable for any non-compliant data activities of a third-party, unless it’s clear they were aware of this happening. The controller is also not liable for any data received from a non-compliant third-party, which was later found to have been processed illegally. This is a notable difference to the EU’s GDPR, in which both processor and controller are jointly liable for any data loss, theft, or misuse.
