Data Protection Policy Analysis

Washington Privacy Act, S. 5376 (2019)

March 2019
Overall score: 92/100

  • Clear Terms: 9/10
  • Specific Harms: 9/10
  • Helpful Processes: 8/10
  • Not Retroactive: 9/10
  • Not Harmful: 10/10
  • Free Speech: 10/10
  • Simple Consents: 9/10
  • International Commerce: 9/10
  • Fair Enforcement: 10/10
  • Small Enterprises: 9/10

Summary

The Washington Privacy Act (the “Act”), modeled in part on the EU’s General Data Protection Regulation (“GDPR”), is well-crafted and balances the need to address specific harms with businesses’ need for data to operate. For the most part it sets out organizations’ compliance obligations clearly and includes exceptions that provide necessary flexibility.

The Act adopts some of the most useful parts of the GDPR – in particular, providing consumers with more access to data, deletion rights, and transparency into corporate practices. But it also replaces some of the most vexing parts of GDPR – like a confusing and impractical “consent” requirement – with a set of incentives for companies to manage and safeguard data in responsible and consumer-protective ways.

The Act receives a very high grade of 92.

Details

The Act is an effective and practical bill. It adopts the expansive consumer rights and transparency obligations of the GDPR while adeptly side-stepping the most onerous or confusing aspects of both the GDPR and the California Consumer Privacy Act. The Act strikes the right balance between providing consumers with control and transparency, while strongly incentivizing companies to collect, use and share data in responsible ways.

For instance:

  • Consumers are provided with wide rights to access and delete their personal information that organizations hold. Although there are exceptions to deletion rights (e.g., companies can retain data for public interest and legal reasons), these new rights are a very significant step for consumers.
  • The Act also requires consumer-friendly transparency that responsible companies already provide – posting of privacy policies that describe how personal information is collected, used, and shared, and the rights consumers have to delete and (with this new Act) access information about themselves.

Yet at the same time, the Act promotes balance and flexibility in several ways:

    • It adopts the GDPR “consent” requirement but exempts companies that perform a detailed risk assessment of their data collection and safeguards, conform their practices to it, and are willing to share it with the Attorney General.
    • It encourages companies to “de-identify” data by removing de-identified data from the definition of personal information, and it provides a reasonable standard for when personal information is de-identified.
    • Its definitions (e.g., of “sale” and “personal information”) are reasonable and intuitive, and, thus, unlikely to cause significant disruption.
    • The Act exempts small businesses based on amount of data and/or revenue collected.
    • The Act wisely places enforcement responsibilities on the State Attorney General, rather than permitting private lawsuits and class actions, which can bankrupt small businesses and are often more focused on easy settlements than on remedying actual harm.

There are certain aspects that would benefit from more guidelines, such as when a business can reasonably doubt a consumer’s identity, or what a risk assessment should precisely evaluate. But we are confident that reasonable standards will emerge.

Criteria

Clear Terms: Terminology should be clear to avoid confusion, inconsistency and disputes. [Score: 9/10]
Key terms are defined clearly in ways that conspicuously avoid difficulties. For instance:
  • “Personal data” is defined more clearly than in many other statutes, and reasonably excludes “deidentified” publicly available information.
  • “Deidentified” data is also defined in a reasonable and practical way.
  • “Sale” is defined intuitively – as an exchange of data for “monetary consideration” for purposes of licensing/selling personal data.
  • “Targeted Advertising” and “Data Broker” – two terms that can easily be confusing – are defined reasonably intuitively, and more importantly involve reasonable compliance requirements (e.g., regarding transparency and choice).
  • The terms “Processor” and “Controller” invariably lead to confusion for some business models, e.g., where organizations partner and share data. However, there is a growing body of European law to draw on regarding that distinction.
Specific Harms: Legislation should focus on specific harms and outcomes. [Score: 9/10]
The Act focuses on specific objectives (e.g., lack of transparency, potential misuse of data) while recognizing that organizations require data to operate. But its true inventiveness is in being process-oriented as much as substance-oriented: it encourages organizations to perform detailed risk assessments and incentivizes safeguards, de-identification, and managing consumer “expectations” through transparency. By managing data governance well, companies avoid the requirement of consumer “consent.”
Although risk assessments are by nature subjective, they can be reviewed by the Attorney General, which encourages organizations to make reasonable assessments and impose responsible safeguards and data protocols – or risk severe consequences.
Helpful Processes: Required processes and notices should be clearly defined and helpful. [Score: 8/10]
Most of the processes in the Act are well-defined, though some (e.g., the data access right and the risk assessment requirement) are open to interpretation. Regulatory guidance will be helpful in clarifying these ambiguities.
Not Retroactive: Legislation should not be retroactive – new rules should not apply to previously lawfully collected data. [Score: 9/10]
The Act would take effect on July 31, 2021. Thus, while negative risk assessments could impact previously collected data, this is a substantial implementation period (similar to GDPR) which we believe will be sufficient for businesses to implement the necessary protocols.
Not Harmful: Legislation should not inhibit beneficial data models and uses. [Score: 10/10]
The Act significantly enhances transparency and consumer rights – which is vital – while avoiding wholesale prohibitions or unintended consequences such as those that arise from inflexible “consent” requirements under other statutes. For instance, while companies must perform and take into account risk assessments related to their processing of “sensitive” information, companies are not per se restricted from processing that information, such as political or health-related information, so long as they have mitigated risk and instituted appropriate safeguards.
Free Speech: Legislation should not inhibit freedom of expression or government transparency. [Score: 10/10]
The Act exempts from deletion requirements situations where deleting information would interfere with “the right of free speech.” While this is somewhat of a catch-all, it appears intended to prevent widespread “right to be forgotten” requests (as have occasionally occurred in Europe) that may impact availability of information that is in the public interest.
The Act also wisely recognizes deletion exemptions for data that support scientific or historical research, or for the establishment, exercise or defense of legal claims.
Simple Consents: Consent standards should be clear for organizations and promote clarity for consumers. [Score: 9/10]
The definition of consent as “specific, informed and unambiguous” is borrowed from the GDPR. However, the Act uses this consent requirement – often criticized as onerous or annoying to consumers – as a carrot rather than as a stick. If a company performs a thorough risk assessment documenting how it mitigates risks, and has complied with transparency and choice obligations, it may collect and use even sensitive data without explicit consent.
On the other hand, the Act requires implied consent – obtained through posting of signage and an opportunity to opt-out – for collection of facial recognition information.
International Commerce: International commerce and cooperation should not be inhibited. [Score: 9/10]
The Act purports to apply to organizations that “intentionally target” Washington residents, so theoretically, even organizations outside of the United States may be covered. However, given principles of international comity, and in particular the fact that key portions of the Act are modeled on the GDPR, we believe international conflicts (in particular with European entities) will be minimal.
Fair Enforcement: Enforcement provisions should be responsible and trustworthy; not chilling or anti-competitive. [Score: 10/10]
The State Attorney General has enforcement authority and can issue regulations under the law. Businesses then have an opportunity to cure violations within 30 days of notice (assuming the violation is curable). This remedial standard is preferable to private lawsuits. By creating a specialized office of privacy and data protection to be a “central point of contact for state agencies,” the Act promotes government-wide consistency, which benefits consumers and organizations.
Small Enterprises: Small organizations should not be prejudiced by impractical or anti-competitive burdens. [Score: 9/10]
The Act is limited to businesses that (1) control or process data of at least 100,000 (not de-identified) customers, or (2) derive 50% of their gross revenue from the sale of personal information and control personal data of at least 25,000 customers. These are relatively low thresholds, though businesses can de-identify more data in order to bring their organization within the exemption.

“9-10” means the legislation thoughtfully accounts for the concern.

“7-8” means that, with adjustments, it can likely account for the concern.

“5-6” means it is neutral on the matter, or that any concerns can be readily cured or mitigated.

“3-4” means that it causes confusion or concern, but not in as widespread a manner as a “1” rating.

“1-2” means that it is poorly drafted or considered, and likely generates more confusion or problems than it cures.