On November 17, 2020, H.R. 1668, the “Internet of Things Cybersecurity Improvement Act of 2020”, was unanimously passed by the Senate. The bill is now on its way to President Trump for signature or veto.

The bill would require the National Institute of Standards and Technology (“NIST”) and the Office of Management and Budget (“OMB”) to take certain steps to increase cybersecurity for Internet of Things (“IoT”) devices. IoT describes the extension of internet connectivity into physical devices and everyday objects. Examples of IoT devices include internet connected appliances, thermostats, locks, or smoke detectors, but they are now pervasive across virtually all types of retail products.

The bill would specifically require NIST to develop minimum or baseline IoT cybersecurity standards. The OMB would then be tasked with issuing guidelines to agencies in consultation with NIST.

Notably, the bill also requires federal agencies to only use devices that meet the NIST standards and expressly prohibits the government from entering into any contract that would prevent compliance with those standards. Because the bill would, in effect, prohibit the government from entering into any contracts with third parties that would result in the purchase or use of IoT devices that are not compliant with the NIST standards, it is likely that the bill will encourage manufacturers of such products to adopt the NIST standards.

On November 4, 2020, California voters approved of the ballot initiative Proposition 24, more commonly known as the California Privacy Rights Act (the “CPRA”).  The CPRA goes into effect on January 1, 2023, and will expand several of the existing protections in the California Consumer Privacy Act (the “CCPA”).

As background, the original CCPA emerged in 2018 as a compromise between legislators and the advocacy group, Californians for Consumer Privacy, which had secured a ballot measure vote for its proposed privacy law.  Californians for Consumer Privacy withdrew the ballot measure upon the passing of the CCPA.  However, the group became concerned that amendments to the CCPA resulted in diluted privacy protections, and it thereafter secured a spot on the 2020 ballot for California citizens to vote on the CPRA.

As mentioned in our prior posts, the CPRA creates new rights and requirements, including the following:

  • Right to restrict use of “sensitive personal information”;
  • Right to correct data;
  • Storage limitation: right to prevent companies from storing information longer than necessary and right to know the length of time a business intends to retain each category of personal information;
  • Data minimization: right to prevent companies from collecting more information than necessary;
  • Right to opt out of advertisers using precise geolocation (less than 1/3 mile);
  • Penalties if email address and email password are stolen due to negligence;
  • Restrictions on onward transfers of personal information;
  • Establishes California Privacy Protection Agency to protect consumers;
  • Requires high risk data processors to perform regular cybersecurity audits and risk assessments; and
  • Requires the appointment of a chief auditor with power to audit businesses’ data practices.

The CPRA mandates a minimum of $10 million in annual funding to the newly created Privacy Protection Agency.  The Privacy Protection Agency has the power to draft additional regulations, which may provide further clarity or raise new questions on the CPRA’s scope.  Businesses will therefore need to stay apprised of changes over the coming months and years in order to fully understand their compliance obligations.

The Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, and Department of Health and Human Services have jointly posted an advisory to warn hospitals and other health care providers about the threat of malicious attacks on their information systems.  At least six hospitals across the United States were recently victimized by attacks using Trickbot malware within a 24-hour period.  These attacks have led to requests for ransom to release data, data theft, and the disruption of services.

The advisory describes how the malware works, identifies indicators that a system may have been infected with the malware, and sets forth measures that health care providers may take to prevent and minimize damage from an attack and to respond to an attack if one occurs.  With the surge in coronavirus hospitalizations, the disruptions that such threats may cause raise more and more serious concerns, and health care providers should be on heightened alert.

Assaults on Section 230 of the Communications Decency Act (the “CDA”)—which shields online platforms from civil liability for third party content on their services—are abundant these days.  On October 15, 2020, FCC Chairman Ajit Pai announced that his agency, at the request of President Trump, will draft rules explaining when platforms’ efforts to moderate user-posted content will leave them exposed to potential liability.  Two days earlier, Justice Thomas issued a scathing critique of the Court’s current interpretation of Section 230, arguing for a much more limited interpretation that would drastically narrow the liability shield.

Most of the discussion has focused on concerns relating to free speech, the spread of misinformation, and accusations of biases in moderation practices.  However, the case in which Justice Thomas issued his statement demonstrates another important issue at stake—the ability of platforms to use privacy and information security screening tools.

Subsection (c)(2)(A) protects decisions to remove “objectionable” content made in good faith, while Subsection (c)(2)(B) protects software providers who give internet users the technical means to screen or filter such content.  It is the latter provision that was at issue in Enigma Software Group USA, LLC v. Malwarebytes, Inc., which involved two companies that both provide software to enable individuals to filter unwanted or malicious content, such as malware.  Enigma sued Malwarebytes alleging that Malwarebytes engaged in anticompetitive conduct by configuring its product to make it difficult for consumers to download and use Enigma products.  In its defense, Malwarebytes invoked Section 230(c)(2)(B).

The Ninth Circuit had previously held in Zango, Inc. v. Kaspersky Lab, Inc., 568 F.3d 1169 (9th Cir. 2009), that providers of software filtering tools (like Enigma and Malwarebytes) were in fact protected by Section 230(c)(2) because those tools allowed users to block objectionable content, such as malware.  The Zango court did not, however, address whether there were limitations on the provider’s discretion to declare online content objectionable.

The Ninth Circuit rejected Malwarebytes’ defense under Section 230, finding that “filtering decisions that are driven by anticompetitive animus are not entitled to immunity under section 230(c)(2).”  946 F.3d 1040, 1047 (9th Cir. 2019).  The Ninth Circuit explained that, in passing the CDA, Congress wanted to encourage the development of filtration technologies, not to enable software developers to drive each other out of business.  Accordingly, the Ninth Circuit found that this filtering function was not protected.  The Supreme Court denied Malwarebytes’ petition for certiorari, in connection with which Justice Thomas wrote his statement advocating for narrowing the scope of Section 230.

The Ninth Circuit’s opinion and the Supreme Court’s denial of certiorari mark the first chip in the immunity armor for makers of anti-malware software and other filtering tools.  Indeed, various cybersecurity experts, technology think tanks, and law and computer science professors submitted amicus curiae briefs in connection with the certiorari petition arguing that leaving the Ninth Circuit’s opinion intact would open the door to litigation against malware screening tool producers—and not just for allegedly anticompetitive behavior.

The Ninth Circuit’s decision, now left intact by the Supreme Court, could have a chilling effect on innovation of malware detection and filtration systems.  Makers of these filtering and screening tools may now have to spend resources to assess litigation risks associated with developing software that identifies and quarantines threats.  To minimize the risks and costs associated with litigation, these companies may begin to take a more conservative approach in identifying threats that might plausibly claim to be a rival.  A more conservative approach that errs against classifying potential rival software as a threat is particularly problematic where malware already often actively disguises itself as legitimate software.

The data security implications could be significant.  Malware detection and filtration systems must constantly keep up with the evolution of malware itself.  These tools can alert users of certain potentially unwanted programs, which slow down the overall performance of the user’s computer and ultimately create additional access points for hackers.  Likewise, malware detection and filtration systems are vital to businesses, which use these tools to protect company and customer data from hacker attacks that utilize malware—for example, ransomware.  The privacy implications could also be significant as many individuals use filtration tools to help screen unwanted spam or content, the opening of which can lead to online tracking, placement of cookies, or other additional unwanted content.

While the recent assaults on the CDA’s liability shield widely focus on the First Amendment implications, as applied to actions by social media giants like Facebook and Twitter to filter and remove user content, an unintended consequence of these assaults could be an overall decrease in privacy and data security protections for us all.

The Regulations to the California Consumer Privacy Act (CCPA) continue to evolve, in confusing fashion. As background, the AG’s Office had previously issued proposed Regulations to the CCPA in October 2019. The AG’s Office then issued a revised set of proposed amendments to the Regulations in February 2020 and then again in March 2020. While most of the regulations were made effective on August 14, 2020, the California Department of Justice withdrew four (4) sections of the proposed Regulations from the review of the Office of Administrative Law so that they could be adjusted at a later date. Adding to the confusion, the California Department of Justice just yesterday released a new, third set of proposed amendments to the Regulations. This new set of amendments corrects the four sections of the prior proposed regulations that were not originally submitted for review. The four sections include:

  • Proposed section 999.306, subd. (b)(3), which elaborates on how businesses that collect personal information in the course of interacting with consumers offline can provide the notice of right to opt-out of the sale of personal information through an offline method. The proposed language indicates that brick-and-mortar stores can offer paper notices or post signs in the area where personal information is collected. Businesses collecting personal information over the phone can provide the notice orally.
  • Proposed section 999.315, subd. (h), which provides guidance on how a business’s methods for submitting requests to opt-out should be easy and require minimal steps. The business’s process for submitting a request to opt-out shall not require more steps than that business’s process for a consumer to opt-in to the sale of personal information after having previously opted out, which is determined from the time the consumer clicks the “Do Not Sell My Personal Information” link. Also, businesses should not use confusing language to label the opt-out link, require the consumer to list why they are opting-out, require the consumer to provide personal information to perform the request, or require the consumer to search the privacy policy to find the link to the opt-out request page.
  • Proposed section 999.326, subd. (a), which clarifies that a business may require an authorized agent to provide proof that the consumer gave the agent signed permission to submit the request. Additionally, a business may require a consumer to verify their own identity directly with the business or directly confirm with the business that they provided the authorized agent permission to submit the request.
  • Proposed section 999.332, subd. (a), which clarifies that businesses that sell personal information of consumers under the age of 13, sell the personal information of consumers ages 13 to 15, or sell both, are required to include in their privacy policies a description of the opt-in processes set forth in sections 999.330 and 999.331.

The California Department of Justice will accept written comments regarding the proposed changes between Tuesday, October 13, 2020 and Wednesday, October 28, 2020.

October is National Cybersecurity Awareness Month, and the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) and Office of Foreign Assets Control (“OFAC”) kicked off the month by issuing two advisories that aim to increase cybersecurity awareness, assist financial institutions in detecting and reporting ransomware activity, and highlight potential sanctions risks for facilitating ransomware payments.

The FinCEN and OFAC advisories signal the seriousness with which the Department of Treasury treats the threat of cybercriminals and ransomware attacks. Both FinCEN and OFAC have now squarely placed an obligation on financial institutions and other payment intermediaries to put procedures in place to detect ransomware payments and to restrict payments to blocked individuals. It appears FinCEN and OFAC want to make sure cybercrime does not pay by cutting off cybercriminals’ access into the financial system.

While both FinCEN and OFAC have offered guidance to financial institutions formulating policies and procedures for deciding whether to process or report payment requests that may be connected to ransomware attacks, OFAC has also offered a warning: facilitating ransomware payments may lead to an enforcement action and civil penalties. Given the growing national security concerns associated with ransomware attacks, the advisories rightly encourage financial institutions and other payment intermediaries that facilitate ransomware payments to share information via Suspicious Activity Reports (“SARs”) and to fully cooperate with law enforcement during and after ransomware attacks.

FinCEN Advisory

The FinCEN advisory—entitled Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments—discusses four topics: (1) the role of financial intermediaries in ransomware payments, (2) ransomware trends and typologies, (3) ransomware-related financial red flags, and (4) reporting and sharing of information related to ransomware attacks.

  1. Financial Intermediaries and Ransomware Payments – The financial sector plays a crucial role in the collection and payment of ransomware demands by malicious cyber actors. The complexity and prevalence of ransomware attacks, as the advisory observes, has led to the creation of specialized companies such as digital forensic and incident response companies (“DFIRs”) and cyber insurance companies (“CICs”) that provide protection and mitigation services for ransomware victims, including paying convertible virtual currency (“CVC”) such as Bitcoin. Some DFIRs and CICs facilitate ransomware payments to cybercriminals by directly receiving customers’ fiat funds, exchanging them for CVC, and then transferring the CVC to criminal-controlled accounts. Depending on the particular facts and circumstances, this activity could constitute money transmission, which requires registration with FinCEN as a money service business (“MSB”) subject to Bank Secrecy Act (“BSA”) obligations, including the filing of suspicious activity reports (“SARs”). Moreover, FinCEN warns that facilitating ransomware payments on behalf of ransomware victims may implicate OFAC-administered sanctions.
  2. Ransomware Trends and Typologies – FinCEN identifies trends and typologies of ransomware payments across various sectors. The advisory notes that cybercriminals are increasingly engaging in sophisticated ransomware operations such as “big game hunting” schemes that target larger enterprises to demand bigger payouts, double extortion schemes that involve removing sensitive data from targeted networks, encrypting the system files, and demanding ransom, and requiring anonymity-enhanced cryptocurrencies (“AECs”) to reduce transparency. FinCEN recommends proactive prevention through effective cyber hygiene, cybersecurity controls, and business continuity resiliency as the best defense against ransomware attacks.
  3. Financial Red Flags – The advisory highlights 10 financial red flags that evidence potential ransomware-related payments. Red flags include, among other things, a customer disclosing payment is being made as a result of ransomware, a DFIR or CIC receiving or sending funds, or a customer with little or no experience with CVC suddenly initiating a transaction with a CVC exchange. And financial institutions should not only be on the lookout for red flags associated with potential ransomware-related payments coming from victims. FinCEN also warns financial institutions that rapid trades between CVCs with no apparent purpose, especially if the CVC is an AEC, could be a red flag of a cybercriminal receiving and masking a ransomware payment. While no single red flag is determinative of ransomware activity, FinCEN states that each should be considered in the context of the facts and circumstances of a transaction.
  4. Reporting Suspicious Activity – To assist in reporting ransomware attacks, FinCEN “strongly encourages” information sharing among financial institutions pursuant to section 314(b) of the USA PATRIOT Act where a transaction is suspected of involving terrorist financing or money laundering, and urges financial institutions to file SARs in order to protect the U.S. financial system from ransomware threats. To that end, FinCEN has asked financial institutions who believe a transaction relates to ransomware to include a note, “CYBER-FIN-2020-A006,” so that FinCEN can better track SARs reporting ransomware transactions.

OFAC Advisory

The OFAC advisory—entitled Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments—highlights the threat that ransomware poses to U.S. national security interests and details the sanctions risks associated with facilitating ransomware payments. The International Emergency Economic Powers Act (“IEEPA”) and the Trading with the Enemy Act (“TWEA”) generally prohibit U.S. persons from engaging in transactions with persons on OFAC’s Specially Designated Nationals and Blocked Persons List (“SDN List”), other blocked persons, and persons covered by comprehensive country or region embargoes. The OFAC advisory makes clear that sanctions laws extend to financial institutions as well as companies that engage with victims of ransomware attacks, such as those involved in providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments (including depository institutions and money services businesses). In other words, financial institutions, CICs, and DFIRs may be subject to civil penalties if they facilitate payments to blocked persons, whether on the SDN List or covered by an embargo. OFAC notes that it will consider license applications for ransomware payments on a case-by-case basis, but it reviews those requests “with a presumption of denial.”

Takeaways

OFAC encourages financial institutions and companies that engage with ransomware victims to adopt risk-based sanctions compliance programs that account for the risk that a ransomware payment may involve an SDN or blocked person, a comprehensively embargoed jurisdiction, or nation-state actors that have a nexus to U.S. sanctions, such as Russia or North Korea. Finally, OFAC encourages companies to provide law enforcement with a “self-initiated, timely, and complete report of a ransomware attack” and to fully cooperate with law enforcement during and after a ransomware attack. These steps not only help financial institutions, CICs, and DFIRs avoid unlawful payments, but—if a violation occurs—will also be considered favorably in OFAC’s determination of a “possible enforcement outcome.”

OFAC’s cyber-related sanctions program has been used to identify malicious cyber actors, including perpetrators of ransomware attacks. U.S. persons, including financial institutions, that facilitate payment of ransomware demands to sanctioned cyber actors are in violation of U.S. sanctions and may be subject to OFAC enforcement action. Non-U.S. persons facilitating such payments through the U.S. financial system may also be exposed to OFAC enforcement action.

Last week, California Governor Gavin Newsom signed into law two amendments to the California Consumer Privacy Act (CCPA) that impact various CCPA exemptions. One amendment, A.B. 1281, extends two exemptions that were set to expire later this year: the employee exemption and the business-to-business (B2B) exemption. Both of these exemptions will now remain in effect until at least January 1, 2022. The other amendment, A.B. 713, clarifies the exemption relating to de-identified personal information. This amendment went into immediate effect and imposes additional disclosure requirements and contract restrictions on the sale or disclosure of such information by businesses subject to the Health Insurance Portability and Accountability Act (HIPAA), California’s Confidentiality of Medical Information Act (CMIA), and other laws relating to medical privacy and human subject research.

Following a very quiet start to HIPAA settlement activity in 2020, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced eight settlements with covered entities and business associates.

The most recent of these announcements involves the second-largest HIPAA settlement amount in OCR’s history, amounting to $6.85 million. This settlement with Premera Blue Cross (PBC) pertains to an incident that occurred in May 2014 when hackers installed malware to access PBC’s IT system. The cyberattack went undetected until January 2015 and resulted in the disclosure of electronic Protected Health Information (ePHI) for more than 10.4 million individuals, including names, addresses, dates of birth, Social Security numbers, bank account information, and health plan clinical information. After PBC discovered and reported the breach, the OCR conducted an investigation and found potential violations, including failures to:

  • conduct a thorough assessment of the potential risks and vulnerabilities surrounding ePHI;
  • implement sufficient security measures to reduce risks and vulnerabilities and hardware, software and procedural mechanisms to record and examine activity; and
  • prevent unauthorized access to the ePHI of millions of individuals.

The large cash settlement is accompanied by a requirement that PBC follow a Corrective Action Plan, which will be monitored by the OCR for a period of two years. The Corrective Action Plan requires PBC to conduct a risk analysis and develop and implement a risk management plan, revise its privacy and security policies, make the policies available to its workforce, and provide an annual report to the OCR that identifies any additional reportable events related to material violations of the revised policies.

Earlier in the same week, the OCR announced that it reached settlements with Athens Orthopedic Clinic, PA (AOC), a clinic providing services to approximately 138,000 patients, and CHSPSC, LLC, a business associate providing IT and health information management services to hospitals and physicians.

The AOC settlement arises from a complaint alleging that AOC failed to prevent patient information from being posted online. AOC discovered the breach in June 2016 when a journalist notified it that a database of patient records was posted online for sale. Two days after AOC received this information, a hacker group emailed AOC to demand money in exchange for the return of the patient records. It was later discovered that the hacker group had access to AOC’s system for over a month through the use of a vendor’s credentials. The information posted online included patients’ names, dates of birth, medical procedures, Social Security numbers, test results, and health insurance information. In notifying the OCR of the breach, AOC reported that over 200,000 individuals were affected. The OCR investigated and found that AOC may have violated HIPAA by failing to:

  • provide appropriate training to employees;
  • enter into business associate agreements with certain business associates;
  • conduct a risk analysis;
  • implement risk management and audit controls; and
  • maintain HIPAA Policies and Procedures.

AOC entered into a Resolution Agreement and Corrective Action Plan, agreeing to pay $1.5 million in penalties. The corrective action plan requires it to revise its business associate agreements as necessary, conduct a risk analysis, develop a risk management plan, revise its privacy, security, and breach notification policies, and provide training to its workforce on those policies. AOC’s compliance with the corrective action plan will be subject to monitoring by HHS for a period of two years.

The settlement agreement between the OCR and CHSPSC, LLC (CHSPSC) similarly involves hackers accessing ePHI maintained by the company, which in this case was a business associate handling data for a wide range of customers. In April 2014, the Federal Bureau of Investigation notified CHSPSC that hackers had accessed its information system. The hackers continued to access ePHI until August 2014 by relying on compromised administrative credentials. Ultimately, over 6 million individuals were affected, with Social Security numbers, names, ethnicities, and emergency contact information included in the information that was disclosed. The OCR’s investigation indicated that CHSPSC could potentially have violated HIPAA by failing to:

  • implement technical policies and procedures to limit access to its software programs and more generally prevent unauthorized access to ePHI on its network;
  • respond to a known security incident, mitigate its harmful effects, and document the incident and its outcome;
  • implement procedures to regularly review its information system activity; and
  • conduct accurate and thorough assessments of potential risks and vulnerabilities to the security of ePHI.

CHSPSC agreed to pay $2.3 million and entered into a Resolution Agreement and Corrective Action Plan. Similar to the corrective action plans discussed above, CHSPSC must develop a risk analysis and risk management plan, revise its policies and procedures regarding its security and network access, and provide training to its workforce with respect to these policies.

These settlements all relate to breaches from hackers who had access to ePHI over an extended period of time. Well-organized hacking groups have targeted entities in the health care and health benefit industries to gain access to sensitive data. The factual descriptions in the settlement agreements do not offer much detail, but the penalties and corrective action plans imposed by OCR demonstrate the importance of maintaining proper security safeguards to prevent inappropriate access to ePHI and responding promptly to incidents when they are discovered.

In addition to the settlements discussed above, the OCR announced this past month that it had entered into five settlements related to patients’ access to their own health records. Under the applicable HIPAA rules, health care providers generally must provide individuals with their medical records within 30 days of a request. Providers may charge only reasonable cost-based fees with respect to such requests. Last year, the OCR launched a Right of Access Initiative to enforce patients’ rights to receive copies of their medical records in a timely manner without excessive charges.

The five new settlements announced this month demonstrate the OCR’s ongoing commitment to this initiative. All five settlements involve a health care provider’s failure to provide a patient with his or her medical records in a timely manner after receiving a request from the patient or his or her personal representative. The settlement amounts range from $3,500 to $70,000 and require the organization to comply with a corrective action plan and monitoring by the OCR for a period of one to two years.

The recent settlement announcements are consistent with OCR’s past practice of announcing a majority of its settlements during the last few months of the year. We will continue monitoring OCR announcements in the event that there are more settlements announced before year-end.

On September 9, 2020, Washington Senator Reuven Carlyle, D-Seattle, announced via Twitter that the third version of the draft Washington Privacy Act 2021 (“WPA”) was available for public review and comment. The recently released version of the WPA is the latest attempt by the Washington legislature to pass a comprehensive privacy bill. An earlier 2020 version failed to pass Washington’s House of Representatives due to disagreement over whether the act should contain a private right of action or be limited to enforcement by the state’s attorney general.

Of note, the revised bill:

  1. Broadens (slightly) the jurisdictional scope. The WPA applies to legal entities that conduct business in Washington or that produce products or services that are targeted to Washington residents and (i) either control or process personal data of more than 100,000 consumers during a calendar year or (ii) derive over 25% of gross revenue from the sale of personal data and process or control the personal data of over 25,000 consumers. The 50% threshold for gross revenue generated from the sale of personal data is a change from the 2020 version’s 25% threshold. The WPA also adds exemptions for institutions of higher education and nonprofit organizations.
  2. Has similar controller responsibilities as the 2020 bill. The WPA includes provisions aimed at specifying controller (i.e., local governments, state agencies, or institutions of higher education that process personal data) responsibilities that generally mirror the prior version. These include provisions aimed at enhancing transparency around the reasons for collecting personal data; limiting collection to what is adequate, relevant, and reasonably necessary; avoiding secondary use; implementing reasonable security measures; obtaining consumers’ consent before processing sensitive data; and nondiscrimination, anti-retaliation, and non-waiver of consumer rights provisions.
  3. Adds an additional exemption for local regulations already in effect. Under the WPA, local regulations in effect as of July 1, 2020 are preempted from the new regulations regarding the processing of personal data by controllers or processors (i.e., natural or legal persons who process personal data on behalf of a controller).
  4. Incorporates a cure period for penalties. The WPA provides for sole Attorney General enforcement under the Consumer Protection Act (CPA) and adds a 30-day cure period, with penalties of up to $7,500 per violation if the violation continues after notifying a consumer of a cure.
  5. Includes new sections for data privacy during public health emergencies. Unlike the 2020 version, the WPA adds new provisions that address recent privacy-related issues that have arisen regarding automated contact tracing in public health emergencies. These new provisions appear to strike a balance between personal data collection during a declared state of emergency and the individual’s privacy rights under the WPA. In general, these new provisions limit how personal data (including specific geolocation data, proximity data, or personal health data) may be processed for automated contact tracing purposes during a public health emergency, such as that seen with the COVID-19 pandemic, in the public and private sectors. Notice and consent are required, and the selling or sharing of such data with law enforcement is prohibited. Individuals may seek civil remedies for violations of the WPA that occur in the public sector.

It remains to be seen whether this latest version has what it takes to survive the comment period and pass both branches of Washington’s legislature. Given, however, the recent awareness around privacy issues during a global pandemic, Washington may be one step closer to passing its long-awaited and much debated comprehensive privacy act. Further, the WPA’s broad definition of personal data likely includes IP addresses and persistent identifiers, which may bring many out-of-state businesses with websites that reach Washington residents within the scope of the WPA.