The Washington Privacy Act (SB 5376) (‘the Bill’) was introduced to the Washington State Senate on 17 January 2018. The Bill would establish four key rights for consumers, including the right of access, the right to update and correct personal data, the right to data portability, and the right to object to the use of data. Furthermore, it would apply to legal entities that conduct business in Washington or produce products or services that are intentionally targeted to Washington residents, and that either handle the personal data of over 100,000 residents or possess data on 25,000 residents and derive 50% of their revenue from the sale of personal information.
Rachel R. Marmor, Counsel at Davis Wright Tremaine LLP, told DataGuidance, “The Bill tries to follow the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) model by looking at the intake and ongoing use of data, and by requiring risk assessments similar to Data Protection Impact Assessments, though there are key differences between the Bill and the GDPR. [In addition,] the Bill includes the GDPR’s prohibition on subjecting individuals to decisions that are based solely on profiling […] However, the Bill adds a requirement to disclose all profiling at the time of data collection, and to ‘include meaningful information about the logic involved and the significance and envisaged consequences.’ This is a step beyond what the GDPR requires and would cover profiling for marketing and business development purposes.”
The Bill specifies that it does not serve as the basis for a private right of action, and that it would be enforced by the Washington Attorney General. In addition, any data controller or data processor in violation of the Bill would be subject to an injunction and liable for a civil penalty of not more than $2,500 for each violation, or $7,500 for each intentional violation.
Marmor concluded, “Many organisations care deeply about the privacy of their customers but are lost as to how to achieve this without industry codes and authoritative guidance from regulators […] My advice to organisations is to build privacy compliance programmes around key principles such as Privacy by Design, intelligent data management and transparency, because it is a lot easier to create a new process to satisfy a particular state when the foundation for privacy has already been laid. Practically, though, I am concerned that the layering of many different state requirements for privacy disclosures on top of each other will result in privacy disclosures being even more difficult for consumers to understand.”
If approved, the Bill would enter into effect on 31 December 2020.
Bart van der Geest, Privacy Analyst