The GDPR Comes to the U.S. in the Form of the Washington Privacy Act
Washington is gearing up to be the next state to implement a privacy law, following California’s Consumer Privacy Act (“CCPA”). On March 6, 2019, SB 5376, formally titled “an act relating to the management and oversight of personal data,” or the “Washington Privacy Act” for short, passed the Washington Senate and is now pending in the Washington House of Representatives. Largely mirroring the European Union’s General Data Protection Regulation (“GDPR”), the Act cites the GDPR as providing “the strongest privacy protections in the world” and adopts the GDPR’s expansive definition of “personal data.”
The Act mandates that consumers are entitled to basic rights with regard to their data:
- Consumers may request information from a company as to whether their personal data is being processed and sold;
- Consumers may access their personal data, either by request or with access to an online site;
- Consumers may request that companies delete data about them;
- Consumers may request that companies correct inaccurate data;
- Consumers may request that companies restrict the purposes for which data is processed (with certain exclusions);
- Consumers may request that companies provide them with their data in a “structured, commonly used, and machine-readable format” to enable the consumer to port the data to another company/service provider;
- Consumers may object to their data being processed for direct marketing (or for any other purpose), as long as the company does not have a legitimate purpose for continuing the processing; and
- Companies may not profile a consumer’s economic, health or other situation unless the consumer consents, the decision is necessary for the performance of a contract with the consumer, or the profiling is permitted by law.
In addition to honoring consumers’ requests to exercise the above-mentioned rights, businesses would have to conduct and document risk assessments (1) before processing personal data, (2) whenever a change in processing affects the risk to individual consumers, and (3) at least once annually. These risk assessments would need to identify and weigh the benefits of the processing against the risk to the consumer. If the risk outweighed the benefit, businesses could not process the data without the consumer’s consent.
If enacted, the Act would apply to legal entities that either (1) do business in Washington or (2) target Washington residents, provided the entity:
- Controls or processes the personal data of 100,000 or more consumers; or
- Derives over 50 percent of gross revenue from controlling or processing such data of 25,000 or more consumers.
The obligations imposed by the Act would not apply to:
- State and local governments;
- Data sets to the extent that they are regulated by the Health Insurance Portability and Accountability Act (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”), or the Gramm-Leach-Bliley Act of 1999 (“GLBA”); or
- Employment records.
The Act would also require businesses to publish a privacy notice informing consumers of the categories of personal data the business collects and the purposes for which the data is used or disclosed, mirroring a similar requirement in the CCPA. Businesses would additionally be required to inform consumers, at the time of sale or processing, when their personal data is sold to data brokers or processed for direct marketing. As under the GDPR, businesses that engage in profiling would have to disclose the profiling at or before the collection of personal data, and would be prohibited from subjecting consumers to a decision based solely on profiling that produces legal, or similarly significant, effects concerning the consumer (such as the denial of housing, employment opportunities or health care services).
As mentioned above, “personal data” is broadly defined under the Act as “any information about an identified or identifiable natural person,” but does not include data sets that are already regulated by federal law, such as health care data (HIPAA or HITECH) or financial data (GLBA). Financial and health care institutions may still need to comply with respect to other personal data not protected under those statutes: if such an institution collects or processes other personal data and meets the thresholds above, it is likely covered. De-identified data is specifically carved out.
Companies must conduct risk assessments to determine whether the security of personal information might be compromised by a particular practice or use. Many U.S.-based companies are already required to do this for the data of European residents under the General Data Protection Regulation, which went into effect in May 2018. A violation of the Act would be considered a violation of Washington’s Consumer Protection Act, with penalties of up to $2,500 per violation or $7,500 per intentional violation. There is no private right of action under the bill; the Office of the Attorney General would be responsible for enforcement.
Grayson J. Derrick
Chair, Technology and Intellectual Property Section