The new Washington Privacy Act; a move towards enhanced privacy rights. 

The new Washington Privacy Act is expected to take effect on 31/12/2020.  The Act is slated to be the second comprehensive State law on privacy protection in the US after the California Consumer Privacy Act, which will take effect in early 2020. 

The Act recognizes that the growth of technology and business has escalated the collection of personal data. The Act seeks to maintain consumer confidence in the protection of their personal data while concurrently promoting the free flow of information. The Act borrows extensively from the rich provisions of the GDPR.  Below is a synopsis of the main features of the proposed Act.

Scope

The Act will apply to legal business entities that control or process data of up to 100,000 Washington residents and to data brokers that generate half of their gross revenue from the sale of personal data of 25,000 or more Washington residents. This however leaves consumers whose data is controlled or processed by smaller entities without any protection. The Act does not apply to other sets of health and financial data that are regulated by federal laws like the Gramm-Leach-Bliley Act and data maintained for employment records.

Responsibility, Consumer rights and Controller/processor obligations

The relationship between the Controller and the processor must be governed by a contract that binds the processor to the instructions of the controller. Ultimately, the controller will bear the responsibility of complying with the obligations set out in the Act. However in case of violation of the Act, both Controllers and Processors may be held liable under the principle of “comparative fault” unless otherwise predetermined through contract.

The Act will provide consumers with a number of rights including the ability to request access to their personal data that is being processed or has been sold to brokers whether by electronic copy or otherwise. Consumers shall also have the right to request the expeditious deletion of their data (the right to be forgotten) where it is no longer relevant, when the processing was based on consent which has since been revoked, when they object and there are no other legitimate grounds for processing and when the processing is unlawful among other circumstances. This right will be subject to free speech and public interest exceptions. Consumers will have further rights to correction of inaccurate data and against profiling of their data solely by automated methods. Objection against processing and profiling of personal data for direct marketing purposes is given special preference. Controllers will additionally have the duty to communicate any reservations of consumers in regard to their rights to third parties like data brokers.

Controllers will have a cardinal obligation of transparency under the Act. This will require them to explain to consumers in a clear privacy notice: the categories of personal data being collected, the purposes of the collection, the rights of consumers, disclosure of profiling or the possibility of sale of their data to brokers among others. Controllers will also be under a duty to make prior documented risk assessments of their personal data processing activities which shall be available to the Attorney General upon request.

The Act will also impose very strict restrictions on the use of facial recognition technology for automated profiling and must involve human review in their decision making. Law enforcement will only use facial recognition technology ongoing surveillance in public spaces upon a Court order or in exigent circumstances.

Enforcement and remedies

Actions for violation against the Act will be brought in the name of the State or on behalf of the consumers by the Attorney General. It is rather strange that unlike the GDPR, the Act does not provide for individual consumers to bring actions against violations on their own behalf. Each intentional violation will be punishable with a civil penalty of not more than 7500 dollars. Each unintentional breach will be punished with a penalty of not more than 2500 dollars. These violations will only be actionable in case of noncompliance after 30 days of receiving a notice. The Act will create the office of Privacy and Data protection within the office of the Chief Information Officer. It will be the central point to offer guidance and training to State agencies on matters of privacy protection.

Conclusion

As the discussion goes on for a federal bill on Privacy protection, the Washington Privacy Act is momentous. While the penalties of each breach appear low compared to those under the GDPR, when aggregated for violations affecting thousands of consumers, Controllers may lose millions of dollars. It is important that businesses align their operations to the requirements of the new Act, seeking specialist support where required.