Washington: People's Privacy Act introduces "significant shift" on consumer interaction
The American Civil Liberties Union announced, on 28 January 2021, that Washington State Representative Shelley Kloba had introduced the House Bill ('HB') 1433 for the People's Privacy Act, a bill designed to protect individual personal data both online and offline.
In particular, HB 1433 seeks to implement requirements for covered entities to provide clear and accessible data privacy policies and for affirmative, opt-in consent for the collection and use of personal information, among other things.
HB 1433 provides users with the ability to give their consent via opt-in, noting that a covered entity must not, without freely given, specific, informed, and unambiguous opt-in consent from an individual, engage in the following, among others:
- process the individual's captured personal information; or
- make any changes in the processing of the individual's captured personal information that would necessitate a change to the information required to be provided under Section 5(1)(c) of HB 1433.
Moreover, HB 1433 notes that for continuing interactions, whether by automatic renewal or non-time-limited interactions, the opt-in consent required must be renewed not less than annually, and if not so renewed must be deemed to have been withdrawn. HB 1433 further notes that a covered entity requesting consent must ensure that the option to withhold consent is presented as clearly and prominently as the option to provide consent. In addition, a covered entity must provide a mechanism for an individual to withdraw previously given consent at any time. The individual must be notified when the withdrawal of consent is complete, and it must be as easy for an individual to withdraw their consent as it is to provide their consent.
Rachel R. Marmor, Partner at Davis Wright Tremaine LLP, told OneTrust DataGuidance that, "HB 1433 would require opt-in consent for any collection of personal information (unless necessary to execute a specific transaction). This is a significant shift and would require businesses to establish technical processes at any place where they interact with consumers (e.g. website, mobile app, through a product, at a retail store) to collect that consent. It would also result in a drastic change for the consumer experience, as they will be deluged with information, pop ups, check boxes, and other forms of requests to consent. An 'opt-in consent' standard is a significant shift in how businesses operate and a stricter standard than the lawful basis requirement of the [General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')], which allows for multiple bases for processing, including the legitimate interest of the business."
Comparing HB 1433 and the Washington Privacy Act
Senate Bill ('SB') 5062 for the Washington Privacy Act ('WPA') was introduced, on 5 January 2021, to the Washington State Senate for the third time, following its failure to pass in 2020. Similar to the WPA, HB 1433 would provide individuals with various rights such as the right to access, rectification, and withdrawal of consent.
Marmor noted that, "There does seem to be agreement among advocates on both sides that consumers should have certain rights (that we also see in the [California Privacy Rights Act of 2020] and several other draft privacy bills): right to transparency about a business's practices generally, right to access information held about the consumer, right to correct that information, and right to request deletion—though there are nuances in scope in all these bills. Both [the WPA] and HB 1433 exclude employee and business to business ('B2B') data from the scope of personal information covered."
However, if passed, HB 1433 would prohibit companies from refusing to serve, or charge higher prices to, customers who choose not to allow the use of their personal data. HB 1433 would also make it unlawful for companies and government agencies to use individuals' personal information to discriminate against them.
Marmor outlined that, "HB 1433 applies to a lot more entities/data sets than [the WPA]—the threshold for number of individuals whose [personal information] processed is much lower in HB 1433, and the exceptions for data sets covered by federal privacy laws are much smaller (limited to situations where there is a direct conflict of obligations). The enforcement mechanisms are also different—this is one of the issues that legislators split on in the past; in addition to enforcement by the Attorney General ('AG'), HB 1433 contains a private right of action that would allow consumers to sue for $10,000 in statutory damages for violations of the law. [The WPA] would have the AG be the sole enforcer of the law."
The WPA and HB 1433 were introduced on 5 January 2021 and 1 February 2021, respectively, with the WPA being sent to the Washington Senate Committee on Ways & Means for an executive session and HB 1433 being referred to the Washington House Committee on Civil Rights & Judiciary.
Marmor concluded that, "Washington's legislative session ends early 25 April 2021, so discussions about these bills will need to move quickly."
Alexander Fetani Privacy Analyst
Comments provided by:
Rachel R. Marmor Partner
Davis Wright Tremaine LLP, New York