On September 9, 2020, Washington Senator Reuven Carlyle, D-Seattle, announced via Twitter that the third version of the draft Washington Privacy Act 2021 (“WPA”) was available for public review and comment. The recently released version of the WPA is the latest attempt by the Washington legislature to pass a comprehensive privacy bill. An earlier 2020 version failed to pass Washington’s House of Representatives due to disagreement over whether the act should contain a private right of action or be limited to enforcement by the state’s attorney general.

Of note, the revised bill:

  1. Broadens (slightly) the jurisdictional scope. The WPA applies to legal entities that conduct business in Washington or that produce products or services that are targeted to Washington residents and (i) either control or process personal data of more than 100,000 consumers during a calendar year or (ii) derive over 25% of gross revenue from the sale of personal data and process or control the personal data of over 25,000 consumers. The 50% threshold for gross revenue generated from the sale of personal data is a change from the 2020 version’s 25% threshold. The WPA also adds exemptions for institutions of higher education and nonprofit organizations.
  2. Has controller responsibilities similar to those in the 2020 bill. The WPA includes provisions aimed at specifying controller (i.e., local governments, state agencies, or institutions of higher education that process personal data) responsibilities that generally mirror the prior version. These include provisions aimed at enhancing transparency around the reasons for collecting personal data; limiting collection to what is adequate, relevant, and reasonably necessary; avoiding secondary use; implementing reasonable security measures; obtaining consumers’ consent before processing sensitive data; and nondiscrimination, anti-retaliation and non-waiver of consumer rights provisions.
  3. Adds an additional exemption for local regulations already in effect. Under the WPA, local regulations in effect as of July 1, 2020 are preempted from the new regulations regarding the processing of personal data by controllers or processors (i.e., natural or legal persons who process personal data on behalf of a controller).
  4. Incorporates a cure period for penalties. The WPA provides for sole Attorney General enforcement under the Consumer Protection Act (CPA) and adds a 30-day cure period, with penalties of up to $7,500 per violation if the violation continues after notifying a consumer of a cure.
  5. Includes new sections for data privacy during public health emergencies. Unlike the 2020 version, the WPA adds new provisions that address recent privacy-related issues that have arisen regarding automated contact tracing in public health emergencies. These new provisions appear to strike a balance between personal data collection during a declared state of emergency and the individual’s privacy rights under the WPA. In general, these new provisions limit how personal data (including specific geolocation data, proximity data, or personal health data) may be processed for automated contact tracing purposes during a public health emergency, such as that seen with the COVID-19 pandemic, in the public and private sectors. Notice and consent are required, and the selling or sharing of such data with law enforcement is prohibited. Individuals may seek civil remedies for violations of the WPA that occur in the public sector.

It remains to be seen whether this latest version has what it takes to survive the comment period and pass both branches of Washington’s legislature. Given, however, the recent awareness around privacy issues during a global pandemic, Washington may be one step closer to passing its long-awaited and much-debated comprehensive privacy act. Further, the WPA’s broad definition of personal data likely includes IP addresses and persistent identifiers, which may bring many out-of-state businesses with websites that reach Washington residents within the scope of the WPA.