This is the property of the Daily Journal Corporation and fully protected by copyright. It is made available only to Daily Journal subscribers for personal or collaborative purposes and may not be distributed, reproduced, modified, stored or transferred without written permission.

Administrative/Regulatory,
Government

Feb. 6, 2020

Washington Privacy Act is latest piece of the privacy legislation puzzle

Although California became the first state to enact a comprehensive privacy statute, it is unlikely to be the last. As more states propose privacy laws that empower their residents with privacy rights and impose upon companies corresponding obligations surrounding their collection, usage, storage and disclosure of personal information, some of these states, such as Washington, will consider already enacted privacy regulations and statutes as a beginning framework.

Kamran Salour

Partner, Troutman Pepper Hamilton Sanders LLP

Email: kamran.salour@troutman.com

Kamran is a partner in the Consumer Financial Services practice and is a member of the Cybersecurity, Information Governance and Privacy group at Troutman Pepper.

On Jan. 14, five Washington state senators introduced Senate Bill 6281, a proposed statute relating to the management and oversight of personal data. The introduction of SB 6281, known as the Washington Privacy Act (WPA), came a mere 13 days after the California Consumer Privacy Act (CCPA) took effect. Talk of the CCPA, including its unprecedented, comprehensive scope, has inundated the news for the past few months, forcing many companies to consider -- for the first time -- how they collect, use, store and disclose personal information.

Although California became the first state to enact a comprehensive privacy statute, it is unlikely to be the last. As more states propose privacy laws that empower their residents with privacy rights and impose upon companies corresponding obligations surrounding their collection, usage, storage and disclosure of personal information, some of these states, such as Washington, will consider already enacted privacy regulations (e.g., the General Data Protection Regulation (GDPR), the European Union data privacy law enacted in 2018) and statutes as a beginning framework. The newly proposed WPA borrows from, and adds to, both the GDPR and the CCPA.

Theoretically, expanding upon existing privacy statutes should lead to refined privacy rights for consumers. Such expansion, however, creates fragmented privacy laws, each with slightly different consumer protections and corresponding obligations. Refinement therefore comes at the expense of uniformity.

Indeed, a high-level comparison of the WPA (in its proposed form) and the CCPA reveals differences that result in dissimilar privacy rights for consumers and disparate obligations on businesses. If all 50 states enact slightly different privacy statutes, navigation of the privacy landscape will become even more complex.

WPA's Scope

Like the CCPA, the WPA imports quantitative restrictions on its scope. The WPA applies to legal entities that, first, either conduct business in Washington or produce products or services targeted to Washingtonians and, second, either: (1) control or process the personal data of at least 100,000 consumers; or (2) derive more than 50% of their gross revenue from the sale of personal data and process or control personal data of at least 25,000 consumers.

The WPA's quantitative restrictions differ from the CCPA's, however. The CCPA applies to for-profit entities, as opposed to legal entities, that: (1) have annual gross revenue in excess of $25 million; (2) alone or in combination, annually buy, receive for the businesses' commercial purposes, sell or share for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households or devices; or (3) derive at least 50% of their annual revenue from selling consumers' personal information. The CCPA also extends to households and devices.

Companies that conduct business with Washingtonians and Californians must not only determine whether the WPA or the CCPA applies to them based on these quantitative metrics, but they must also determine whether the information they collect, use, store or disclose constitutes "personal information" under the CCPA, "personal data" under the WPA or both.

The WPA defines "personal data" as any information that is linked or reasonably linkable to an identified or identifiable natural person. The CCPA defines "personal information" as information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household. The WPA's personal data definition is narrower than personal information under the CCPA; it does not extend to information that could reasonably be linked indirectly to a household.

Given the different application requirements, a company must conduct two separate assessments to determine whether the WPA, the CCPA or both apply.

Varying Rights to Consumers

Consumers also have different rights under the WPA and the CCPA. The WPA empowers Washingtonians with certain rights regarding their personal data. They have: (1) a right to access, which allows them to confirm whether a controller is processing personal data and to access such data; (2) a right to correction, which allows them to change inaccurate personal data; (3) a right to deletion; (4) a right to data portability, which allows them to access personal data in a portable format that they previously provided to a controller; and (5) a right to opt out, which allows them to opt out of the processing of personal data for targeted advertising, the sale of personal data or profiling.

The CCPA does empower California consumers with disclosure, deletion, portability and opt-out rights; however, the CCPA conspicuously lacks a right to correction.

And unlike the CCPA, the WPA requires controllers (the person or entity that determines the purposes and means of the processing of personal data) to disclose certain information, regardless of whether it has been requested by a consumer. Controllers under the WPA must provide consumers with a reasonably accessible, clear and meaningful privacy notice that includes: (1) the categories of personal data the controller processed; (2) the purposes for which the categories of personal data are processed; (3) how and where consumers may exercise their WPA rights; (4) the categories of personal data that the controller shares with third parties; and (5) the categories of third parties with whom the controller shares personal data.

Because the WPA and the CCPA afford different rights, Washingtonians and Californians do not have the same privacy protections.

Private Right of Action

Companies have different obligations under the WPA and the CCPA. And consumers have different rights under these two statutes. The differences do not end there. The WPA and the CCPA provide different enforcement mechanisms for Washingtonians and Californians.

Under the WPA, a violation does not serve as a basis of a private right of action. The attorney general has exclusive authority to enforce the WPA. The CCPA allows consumers to assert a private right of action if their personal information is subject to an unauthorized access and exfiltration, theft, or disclosure resulting from the business's violation of the duty to implement and maintain reasonable security procedures and practices.

The WPA Picks Up Where the CCPA Left Off

Differences aside, the WPA also imposes affirmative obligations on controllers not found in the CCPA. Under the WPA, controllers have data assessment requirements. They must conduct a data protection assessment of each of their processing activities involving personal data. If the assessment determines that the potential risks of privacy harm to consumers are substantial and outweigh the interests of the controller, the controller may engage in such processing only with the consent of the consumer. The attorney general may request a copy of the data assessment when assessing penalties for noncompliance.

The WPA also addresses facial recognition technology; the CCPA does not address facial recognition technology. Accordingly, several cities such as San Francisco and Oakland have banned police from using facial recognition software.

The WPA does not ban facial recognition technology. Instead, under the WPA, processors (the person or entity that processes the personal data) must enable controllers or third parties to conduct legitimate, independent and reasonable tests of those facial recognition services for accuracy and unfair performance differences across distinct subpopulations. And controllers must provide conspicuous notice whenever a facial recognition service is deployed at physical premises open to the public. Controllers must also obtain consent from a consumer before enrolling an image of that consumer in a facial recognition service.

• •

Many advocate for federal privacy legislation. Assuming a federal privacy statute preempts state privacy statutes, a single federal privacy statute would present uniform privacy rights to individuals, obligations on companies and enforcement mechanisms for those privacy rights. An interesting question is when the optimal time for federal privacy legislation would be. While an immediate federal privacy law would provide uniformity, it would provide that uniformity without the benefit of states working one by one to build better privacy statutes piece by piece.

The views and opinions expressed herein are his own and do not necessarily reflect those of BakerHostetler.
