How to Respond to the Proposed Washington State Privacy Act (WPA)
In today’s digital world, consumers share massive amounts of electronic data across many platforms every day.
With few laws regulating the privacy of consumer personal data, businesses have been able to misuse and monetize this data with little fear of repercussions or penalties, but that is now changing in earnest.
The WPA aims to significantly boost consumer privacy by giving consumers the right to access, correct and delete personal data held by businesses, and opt out of having personal information gathered, used or sold by companies that conduct business, or sell goods or services to consumers, in the State of Washington.
In addition, the WPA requires that companies safeguard consumer data and clearly inform consumers on how their data may be used, or face stiff legal action and severe penalties for non-compliance.
Who Does the WPA Protect?
The bill aims to protect the identifiable personal data of consumers who are residents of the State of Washington in their capacity as private individuals and households.
It does not extend to persons acting in a commercial or employment context.
Consumer Personal Data Rights
Under the proposed Washington data privacy law, a consumer is essentially recognized as the sole owner and right holder of his/her personal information, and has the following rights:
Right of Access: A consumer may ask a company if it possesses and/or processes said consumer’s personal data, and request access to all of his/her personal data.
Right to Correction: A consumer has the right to correct inaccurate personal information held by a company, and the company is obligated to allow and implement any such corrections across all of its databases.
Right to Deletion: A consumer has the right to request the deletion of any or all of his/her personal data, across all of the company’s data sources and repositories.
Right to Data Portability: As the owner of personal information, a consumer has the right to obtain his/her data from the company (which the company shall provide in a “technically feasible, readily usable format”), and may, without hindrance or explanation, share with or transmit this data to any other company or entity.
Right to Opt Out: Further, a consumer has the right to opt out of the processing or use of his/her personal data for targeted advertising, profiling, or sale to other entities by the company holding such data.
Private Right of Action: The House version of the Washington State privacy bill further strengthens privacy rights by giving consumers the right to initiate legal action under the state’s Consumer Protection Act, and to bring claims against violating companies to recover damages, including reasonable attorney’s fees.
Which Businesses Need to Become WPA Compliant?
This proposed Washington data privacy law applies to all legal entities that conduct business in, or sell goods or services to residents of, the State of Washington.
The proposed law only applies to companies that:
- Control or process the personal data of 100,000 or more consumers in a calendar year, or
- Derive over 50% of their gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers.
The WPA privacy law does not apply to state, local or municipal governments, or tribes.
What Businesses Are Exempt?
Recognizing that healthcare providers must retain patient data over long periods, this proposed Washington State privacy law exempts personal data held as protected health information (PHI) under the federal Health Insurance Portability and Accountability Act (HIPAA).
The exemption applies to the data, not to the organization as a whole: WPA compliance requirements do not extend to hospitals and healthcare organizations only so long as they restrict their personal data gathering and processing to what is essential under HIPAA, and do not use such data for targeted advertising or resale.
Additionally, the proposed Washington State privacy bill does not apply to personal data held for credit reporting purposes.
Violators Face Heavy Penalties
The Senate’s version of SB 6281 gives the attorney general exclusive enforcement authority, with a maximum civil penalty of $7,500 per violation.
The House version of this bill allows a private right of action, giving a consumer the right to bring a civil lawsuit against violators and recover actual damages and reasonable attorney’s fees, with damages of up to $25,000 per violation.
Responsibilities of Controllers
Under the WPA, a “controller” of consumer data must act responsibly in safeguarding that data from misuse.
For purposes of the Act, a controller is a company or business entity that holds consumers’ personal data, processes it, and decides how it may be used.
The Washington Privacy Act imposes the following requirements on controllers:
Transparency: Under the WPA, controllers must provide consumers with a reasonably accessible, clear and meaningful privacy notice. This notice must:
- Inform consumers on the categories of personal data held,
- Clearly explain how this data may be used, or sold to or shared with third parties, and
- Specify how consumers may submit requests to exercise their rights to this data under the WPA.
Purpose Specification: The Act requires that controllers limit the collection of consumer data to what is reasonably necessary for the purposes for which the data is processed, as disclosed to the consumer.
Data Minimization: Further, the personal data a controller collects must be adequate, relevant and limited to what is needed for the business-to-consumer transaction, rather than gathered for possible future use.
Avoid Secondary Use: Companies may not use collected consumer data for purposes other than the original transaction unless they obtain the consumer’s consent for every clearly-stated secondary data use. In other words, without the consumer’s explicit consent, companies may not surreptitiously use consumer personal data for secondary transactions.
Security: In keeping with its theme of consumer privacy and personal data protection, the WPA privacy bill requires that companies implement reasonable administrative, technical and physical security measures to protect the confidentiality, integrity and accessibility of personal data, at a level appropriate to the volume and nature of the data held.
Nondiscrimination: The WPA requires that controllers not process a consumer’s personal data in a way that discriminates against the consumer in violation of state or federal anti-discrimination law, and not penalize consumers for exercising their rights under the Act. For instance, a company cannot deny goods or services, or offer different prices or quality levels, to a consumer because he or she has opted out or requested deletion.
Sensitive Data: The Washington state privacy bill also requires that companies not process sensitive data without a consumer’s prior consent (or parent or lawful guardian’s consent for minors).
Sensitive data encompasses racial or ethnic origin, religious beliefs, sexual orientation, mental or physical health conditions, citizenship, immigration status, genetic or biometric data, personal data for minors, and specific geolocation data.
Nonwaiver of Consumer Rights: Finally, the WPA prohibits controllers from having consumers agree to any contract or agreement that waives or limits consumers’ rights under this Act. Any such contract provision is void, unenforceable, and deemed contrary to public policy.
Contact MatrixPoint for Assistance
The CCPA and the WPA are only the opening salvos in what is expected to be a barrage of consumer data protection laws that will hold companies accountable and liable across the United States and the world.
Companies can no longer afford to take data privacy lightly, and must proactively start shoring up their compliance technologies, processes and procedures, or risk consumer backlash, lawsuits, fines and penalties.
To review your compliance readiness against consumer protection laws, schedule a free consultation with MatrixPoint.
Call us at 800-683-6983, or simply fill out our contact form.