Washington Privacy Act, S. 5376 (2019)
March 2019
The Washington Privacy Act (the “Act”), modeled in part on the EU’s General Data Protection Regulation (“GDPR”), is well-crafted and balances the need to address specific harms with businesses’ need for data to operate. For the most part it sets out organizations’ compliance obligations clearly and includes exceptions that provide necessary flexibility.
The Act adopts some of the most useful parts of the GDPR – in particular, providing consumers with more access to data, deletion rights, and transparency into corporate practices. But it also replaces some of the most vexing parts of GDPR – like a confusing and impractical “consent” requirement – with a set of incentives for companies to manage and safeguard data in responsible and consumer-protective ways.
The Act receives a very high grade of 92.
The Act is an effective and practical bill. It adopts the expansive consumer rights and transparency obligations of the GDPR while adeptly side-stepping the most onerous or confusing aspects of both the GDPR and the California Consumer Privacy Act. The Act strikes the right balance between providing consumers with control and transparency, while strongly incentivizing companies to collect, use and share data in responsible ways.
- Consumers are provided with wide rights to access and delete their personal information that organizations hold. Although there are exceptions to deletion rights (e.g., companies can retain data for public interest and legal reasons), these new rights are a very significant step for consumers.
- The Act also requires consumer-friendly transparency that responsible companies already provide – posting of privacy policies that describe how personal information is collected, used, and shared, and the rights consumers have to delete and (with this new Act) access information about themselves.
Yet at the same time, the Act promotes balance and flexibility in several ways:
- It adopts the GDPR “consent” requirement but exempts companies if they perform a detailed risk assessment of data collection and safeguards, conform their practices to it, and are willing to share it with the Attorney General.
- It encourages companies to “de-identify” data by removing de-identified data from the definition of personal information, and it provides a reasonable standard for when personal information is de-identified.
- Its definitions (e.g., of “sale” and “personal information”) are reasonable and intuitive, and, thus, unlikely to cause significant disruption.
- The Act exempts small businesses based on the amount of data collected and/or revenue.
- The Act wisely places enforcement responsibilities on the State Attorney General, rather than permitting private lawsuits and class actions, which can bankrupt small businesses and are often more focused on easy settlements than on remedying actual harm.
There are certain aspects that would benefit from more guidelines, such as when a business can reasonably doubt a consumer’s identity, or what a risk assessment should precisely evaluate. But we are confident that reasonable standards will emerge.
Clear Terms: Terminology should be clear to avoid confusion, inconsistency and disputes. [Score: 9/10]
- “Personal data” is defined more clearly than in many other statutes, and reasonably excludes “deidentified” publicly available information.
- “Deidentified” data is also defined in a reasonable and practical way.
- “Sale” is defined intuitively – as an exchange of data for “monetary consideration” for purposes of licensing/selling personal data.
- “Targeted Advertising” and “Data Broker” – two terms that can easily be confusing – are defined reasonably intuitively, and more importantly involve reasonable compliance requirements (e.g., regarding transparency and choice).
- The terms “Processor” and “Controller” invariably lead to confusion for some business models, e.g., where organizations partner and share data. However, there is a growing body of European law to draw on regarding that distinction.
Specific Harms: Legislation should focus on specific harms and outcomes. [Score: 9/10]
Although risk assessments are by nature subjective, they can be reviewed by the Attorney General, which encourages organizations to make reasonable assessments and impose responsible safeguards and data protocols – or risk severe consequences.
Helpful Processes: Required processes and notices should be clearly defined and helpful. [Score: 8/10]
Not Retroactive: Legislation should not be retroactive – new rules should not apply to previously lawfully collected data. [Score: 9/10]
Not Harmful: Legislation should not inhibit beneficial data models and uses. [Score: 10/10]
Free Speech: Legislation should not inhibit freedom of expression or government transparency. [Score: 10/10]
The Act also wisely recognizes deletion exemptions for data that support scientific or historical research, or for the establishment, exercise or defense of legal claims.
Simple Consents: Consent standards should be clear for organizations and promote clarity for consumers. [Score: 9/10]
On the other hand, the Act requires implied consent – obtained through posting of signage and an opportunity to opt-out – for collection of facial recognition information.
International Commerce: International commerce and cooperation should not be inhibited. [Score: 9/10]
Fair Enforcement: Enforcement provisions should be responsible and trustworthy; not chilling or anti-competitive. [Score: 10/10]
Small Enterprises: Small organizations should not be prejudiced by impractical or anti-competitive burdens. [Score: 9/10]
“9-10” means the legislation thoughtfully accounts for the concern.
“7-8” means that, with adjustments, it can likely account for the concern.
“5-6” means it is neutral on the matter, or that any concerns can be readily cured or mitigated.
“3-4” means that it causes confusion or concern, but not in as widespread a manner as a “1” rating.
“1-2” means that it is poorly drafted or considered, and likely generates more confusion or problems than it cures.