On March 6th, 2019, the Washington Senate passed a bill concerning consumer data privacy and protection with an overwhelming 46-1 vote. After passing through the Senate, the bill now heads to the House. If passed, the bill could cross Governor Jay Inslee’s desk in the near future and be signed into law.
The bill, Senate Bill 5376, reminds privacy experts and activists of similar regulation — including Europe’s GDPR and California’s Consumer Privacy Act. Last month, Brad Smith, Chief Legal Officer at Microsoft addressed potential privacy regulation in Washington, stating:
“At Microsoft, we believe privacy is a fundamental human right, and we support efforts by lawmakers in Olympia to protect the data and privacy of Washington consumers in a manner that allows innovation to continue and is also sensitive to the needs of the state’s small businesses”.
The bill addresses prevalent privacy issues that consumers face in Washington. Here’s a quick summary of some of the requirements for businesses:
Privacy Rundown: Consumer Rights and Business Obligations
The bill is set to institute consumer rights similar to the CCPA and GDPR . Here’s what controllers will face with the law:
- Controllers must be capable of facilitating privacy requests from consumers, including the following types:
- Access
- Correction
- Deletion
- Restriction on processing
- Data portability
- Objection for targeted advertising
If the bill is enacted, the following would be set forth to determine which businesses are held accountable:
Any legal entity that conducts business in Washington State and:
- Controls or processes data of 100,000 or more consumers; or
- Derives 50 percent of gross revenue from the sale of personal information and process or controls personal information of 25,000 or more consumers.
The bill’s enforcement is run by the Attorney General of Washington, and fines will run up to $7,500 for each violation.
Transparency
In terms of transparency, the bill mandates that controllers provide a privacy notice for users they collect data on. Additionally, the privacy notices must include what categories of personal data are collected, how data is used, and if it’s shared with third parties. In the case of selling or processing data for targeted advertising, controllers must disclose what is sold or processed and inform consumers of their right to object to such actions.
Risk Assessments
Risk assessments under the bill relate to processing, consent, and a balancing test. Further, they’re required any time a business changes the processing of user data that could increase the risk to the consumer. Assessments must identify and weigh the benefits of processing versus security and privacy risks associated with the data. In the case that the risks outweigh benefits, controllers must obtain express consent from the consumer to process their data.
What This Means for the Future
Washington’s new bill could have a significant impact on many businesses operating both within the state as well as businesses across the country. Similar to the CCPA, the bill requires any firm that does business within Washington to process requests from any of its users. At the national level, there’s been a moving urge from tech firms to create federal privacy laws, with inspiration from the CCPA.
If Washington passes this bill, the national government could be pressed to create a sweeping federal law to govern all states and businesses. While big tech will receive its fair share of subject access requests (SARs), other types of businesses — from retail stores to backend data brokers and sub-processors — will be affected.
Senator Reuven Carlyle, the bill’s primary sponsor in Washington compared the bill to how credit reports work, claiming that it aims to provide users with more information about how their data is used and aims to increase accountability for businesses. Carlyle stated, “This bill carefully, responsibly takes the best practices from Europe, California and other states to build a data privacy regulatory framework that will help set a standard and lead the nation in bringing our data privacy laws into the 21st century,” according to Washington State Wire.
The bill is headed to Washington House of Representatives for review and approval — after which — the governor can sign it into law. If passed, the Washington Privacy Act will go into effect on December 31st, 2020.
Expect to hear more about this bill as it moves through Washington’s Congress and look out for the introduction of similar bills in other states following California’s approved act and Washington’s new bill.