As 2021 unfolds, so does the data privacy regulatory landscape, with Washington state unveiling the Washington Privacy Act (WPA) (SB 5062). However, this is not the state's first attempt at comprehensive privacy legislation. January 11, 2021, marked the third time in three years that the state has considered a comprehensive data privacy law. If passed, the law will take effect on July 31, 2022. It will join Washington’s state biometric law and a growing number of technology-focused privacy laws that frame evolving privacy legislation in the US. While the WPA does not appear to generate the same buzz as the California Consumer Privacy Act (CCPA), it would nonetheless impose similar data protection obligations.
Who is covered and why?
In line with comprehensive data frameworks, the definition of personal data is broad. Under the WPA, personal data is defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” This definition excludes deidentified or publicly available information.
The law would apply to legal entities conducting business in the state or producing products or services targeting Washington residents. Such legal entities must also satisfy one or more of the following:
- Control or process the personal data of at least 100,000 Washington residents during a calendar year, or
- Derive over 25% of their gross revenue from the sale of personal data and control personal data of 25,000 or more Washington residents.
What are business obligations concerning consumer privacy rights?
Under the law, companies would be obligated to provide Washington residents with the privacy rights outlined below. The law, however, does not cover individuals in commercial or employment contexts. It only protects the personal data of Washington residents acting in an individual or household context.
Consumer Privacy Rights under WPA:
- Right of Access;
- Right of Rectification;
- Right of Deletion;
- Right of Portability;
- Right of Opt-Out.
Business Obligations under WPA:
- Notice/Transparency Requirements;
- Risk Assessments;
- Prohibition on Discrimination for exercising rights;
- Purpose Limitation;
- Processing Limitation.
The WPA is not unlike existing comprehensive privacy laws. Therefore, in addition to requiring businesses to fulfill consumer data privacy requests, the WPA imposes staple provisions on businesses relating to third-party relationships, privacy notices, and data impact assessments. However, the law has a new requirement with specific coverage of technology-assisted contact tracing in light of the pandemic. For instance, Section 302 introduces prohibitions and conditions for the processing and disclosure of technology-assisted contact tracing information. As the breadth of privacy laws expands and recognizes the impact of digital technologies, businesses should be prepared to respond to compliance obligations.
The Octillo team is monitoring the development of the WPA and other pending state data privacy laws going through state legislatures right now. Our team of data privacy and technology lawyers is here to assist your company with privacy compliance, the development of relevant policies, and other privacy-related matters. A baseline privacy assessment is a great starting place to develop a data management framework that will help guide your business to compliance with future privacy regulations such as the WPA.
*Attorney advertising – prior results do not guarantee future outcomes.