Inspired by the example of the European General Data Protection Regulation (GDPR), Washington State is now considering a comprehensive data privacy act that would protect the personal information of its citizens. If the new Washington Privacy Act (SB 5376) passes the state legislature this year, it would make Washington only the second state in America to adopt a comprehensive data privacy law.
Provisions of the new Washington data privacy act
What is most notable about the new data privacy act is how much it is modeled on the General Data Protection Regulation, which is still considered to be the “gold standard” when it comes to protecting personal privacy. In fact, much of the language used within the Washington data privacy act is almost exactly the same as that found within the GDPR, especially when it comes to the definition of “personal data” and the notion of which protections should be offered to consumers as a fundamental basis of security and privacy.
With an emphasis on protecting personal information, the Washington data privacy act gives state residents several key rights, including the right to the deletion of data; the right to request any data errors to be corrected; the right to receive a personal copy of any personal data collected by a company in electronic format; and the right to withdraw consent from any personal data being processed.
At the same time, the Washington data privacy act places a number of demands on “covered” businesses, which are defined to be any companies that process the personal data of 100,000+ Washington State residents, or any data brokers that derive more than 50 percent of their revenue from the sale of personal information of at least 25,000 Washington State residents. These covered businesses must provide consumers with an easy-to-read and conspicuous privacy notice that fully details what data is being collected, how it is being used, and which third parties have access to this data. In addition, these covered businesses must carry out and document risk assessments if they record and/or transmit personal data.
The most comprehensive American data privacy act yet
Until now, the California Consumer Privacy Act (CCPA) stood out as the only data privacy act in the United States. Set to go into effect on January 1, 2020, the CCPA has widely been seen as the basis for all forthcoming data privacy acts on a nationwide basis. But the Washington data privacy act looks like it might turn up the pressure another notch on corporations, and for that reason, should be seen as a game-changer. It is the closest yet that America has come to embracing GDPR-like data privacy.
One way to see this is the very expansive definition of “personal data” that the Washington data privacy act adopts: “any information relating to any identified or identifiable natural person.” This is broader than the definition offered by the CCPA, and also broader than the definition in Washington State’s current data breach statute. That statute, for example, defines personal information only in terms of the most sensitive consumer data that, if exposed, would pose an immediate privacy risk.
What the Washington data privacy act does not include
While the Washington data privacy act would offer state residents much greater data privacy than anywhere else in the United States, there are some things that it does not cover. For example, corporations that do not meet the 100,000-resident threshold would not be covered. Some critics have noted that this may lead some corporations to block or dissuade Washington State consumers from becoming their customers. For example, a company running a regional or national marketing campaign to attract more customers might choose to exclude Washington State from that campaign, or an e-commerce company might choose not to offer shipping to Washington State.
Moreover, the new Washington data privacy act does not extend to certain data sets, including some health-related data and finance-related public records covered by national legislation (including health information covered by the 1996 HIPAA). And it does not cover any data sets maintained only for employment purposes. Thus, a major statewide employer like Boeing, Starbucks or Amazon would not have to worry about data sets related to their employees. They would, however, have to worry about data collected about their consumers.
There is also a gray area when it comes to facial recognition technologies (FRTs). The proposed Washington data privacy act would appear to extend to “facial recognition technology” (i.e. using the unique geometry of a user’s face to identify him or her), but not to “facial analysis,” which is designed to record and analyze faces, but not to identify a specific person (or persons). Obtaining the consent of individuals would be required for any use of facial recognition technology.
And there is one more feature of the Washington data privacy act that critics have pointed out: it does not include a private right of action. Consumers cannot bring legal cases against corporations themselves (even when the information at issue meets the act’s definition of data relating to an identified individual). Instead, they must turn to the Washington State Attorney General, who would be empowered to bring enforcement actions against companies that have breached the data privacy of residents. The maximum fine stipulated by the Washington data privacy act is $2,500 per violation (and $7,500 in cases where the violations are intentional). Thus, nobody is going to become rich from a company’s data privacy violations – but enough of these cases, in the aggregate, could have a very real impact on how companies do business.
Implications for a national data privacy act
Now that California and Washington State have started to generate momentum around very comprehensive data privacy acts that emulate the GDPR model, it’s perhaps no surprise that many people are now expecting some sort of federal privacy law that would extend to all 50 states and would come under the purview of the United States Supreme Court.
That’s where things get interesting, though, because the biggest tech companies in the U.S. are now pushing for a watered-down federal data privacy act that would not force them to radically change the way they do business at the state or federal level. So it will be interesting to watch as privacy advocates and big tech companies square off in 2019, each side fighting for its own vision of what data privacy should look like in coming years.