Editor’s note: This post has been updated on March 3, following the passage of a strengthened version of the Washington Privacy Act (WPA) out of the House Committee.
Washington state could be the next state to pass a state-wide consumer privacy law in the absence of a federal mandate.
In January, a bipartisan group of legislators introduced the Washington Privacy Act (WPA), and Senator Reuven Carlyle, who sponsored the bill, discussed why the senators believe the bill is important: “It has never been more important for state governments to take bold and meaningful action in the arena of consumer data privacy. That’s what this legislation does.”
The WPA is, in some ways, similar to some of the most recognizable privacy acts, such as CCPA and GDPR. In fact, the bill borrows many practices from those same bills. However, it differs in some significant ways, and, if it passes, it will be the most comprehensive privacy law in the US.
What’s notable about the WPA is the ripple effects it could create down businesses’ supply chains: The WPA not only stipulates data protection responsibilities for organizations that determine the purposes and means of data processing (“controller”), it also requires these organizations to verify that their vendors (“data processor”) have sufficient data protection mechanisms in place to process personal data safely.
Regardless of whether or not this particular piece of legislation passes, it’s important for businesses to understand the WPA and what it represents: individual states are thinking about and passing legislation requiring businesses to address consumer privacy and data protection. As more states pass these kinds of laws, the burden on businesses to comply with them will continue to grow.
What Businesses Would Need to be WPA Compliant?
As it is written currently, the WPA would apply to two categories of companies that conduct business in or target consumers in Washington:
- Businesses that control or process the personal data of 100,000 or more consumers.
- Businesses that derive greater than 25% of gross revenue from the sale of personal data and process, and control or process the personal data of 25,000 or more consumers.
Notably, this means that the WPA would apply to some of the biggest businesses in the country, such as Amazon and Microsoft. But it would also apply to little-known data brokers and retail stores.
The WPA focuses on two groups: The first is controllers — businesses or individuals who decide how and for what purposes personal data is processed. For example, a business that collects data and uses it to send targeted ads or email marketing would be a controller.
The other group is processors — businesses or individuals that do not make decisions about how data is used and only process it as directed by the controller. A credit card processing company is a good example of a processor; they don’t collect or make decisions about the data, they just process it for the controller.
What Rights Does the WPA Give Consumers?
Under the WPA, consumers have certain rights when it comes to their personal data. These rights include:
Right of access: The right of a consumer to know if a controller is processing their personal data and to access that personal data.
Right to correction: The right of a consumer to correct their personal data.
Right to deletion: The right of a consumer to request that their data be deleted.
Right to data portability: The right of a consumer to obtain their personal data in a portable and, as much as technically feasible, readily usable format.
Right to opt-out: The right of a consumer to opt-out of having their personal data processed for targeted advertising, the sale of their personal data, or profiling in furtherance of decisions that produce legal or significant effects on the consumer.
Private right of action: Individuals would be able to bring claims against companies under the state Consumer Protection Act, which authorizes litigants to seek an injunction, actual damages, treble damages, costs of suit, and attorney’s fees.
Controller Requirements Under the WPA
In short, the WPA requires controllers to be more transparent about their data use and to only use consumer data for the purposes they specified when collecting the data. There are a few other specific requirements, but many of them flow into those core purposes.
The WPA creates these specific controller responsibilities:
Transparency: This would require controllers to provide a privacy notice to consumers that include what personal data is being processed, why it is being processed, how they can exercise their rights, what data is shared with third parties, and what categories of third parties controllers share their data with. Additionally, if the controller sells personal data, they have to “clearly and conspicuously” disclose this and explain how consumers can opt-out.
Purpose Specification: Controllers are limited to collecting data that is reasonably necessary for the express purpose of the data is being processed for.
Data Minimization: Data collection must be reasonably necessary for specific purposes.
Avoid Secondary Use: Processing personal data is prohibited for any purpose that isn’t necessary or compatible with the specified purpose of collecting or processing the data — unless the controller has the consumer’s consent.
Security: Controllers are required to put administrative, technical, and physical data security policies and processes in place to protect the confidentiality, integrity, and accessibility of the consumer data they are collecting or processing.
Nondiscrimination: Controllers are disallowed from processing personal data in a way that breaks anti-discrimination laws. It also forbids them from using data to discriminate against consumers for exercising their rights by denying them — or providing a different quality of — goods and services.
Sensitive Data: Processing sensitive data without a consumer’s consent is forbidden.
Minors and Children: Processing personal data of a child without obtaining consent from their parent or legal guardian is prohibited.
Non-waiver of Consumer Rights: Any contract or agreement that waived or limited a consumer’s WPA right is null and void.
Data Protection Assessments: Companies would also be required under the WPA to conduct confidential Data Protection Assessments for all processing activities involving personal data, and repeat the assessments any time there are processing changes that materially increase risks to consumers.
Data controllers must weigh the benefits of data processing against the risks. If the potential risks for privacy harm to consumers are substantial and outweigh the interests, then the controller would only be able to engage in processing with the explicit consent of the consumer.
Processor Requirements Under the WPA
Processors’ responsibilities are different than the controllers’ responsibilities, and while the bulk of the WPA is currently on the controller, it does require that processors have the following items in place:
- Technical and organizational processes for fulfilling controllers’ obligations to respond to consumer rights requests
- Breach notification requirements
- Reasonable processes and policies for protecting consumers’ personal data
- Confidentiality
- Controller ability to object to subcontractors
- The ability for controllers to conduct audits
Additionally, processors and controllers must have contracts in place with provisions regarding personal data processing. The required provisions are similar to the GDPR’s data processing requirements.
How Does the WPA Differ From the CCPA?
While the WPA borrowed heavily from the CCPA in some areas, there are some key differences that make the WPA more comprehensive.
For example, the WPA requires businesses to weigh the risks and benefits posed to the consumer before they process their data. Specifically, covered businesses must conduct data protection assessments for all processing activities involving personal data.
The WPA also prohibits businesses from exclusively relying on automated data processing to make decisions that could have a significant impact on consumers, which is not included in the CCPA.
Another significant difference is how the WPA addresses facial recognition software. The CCPA treats facial recognition and other biometric data the same as all other personal data, while the WPA has more specific requirements for how controllers and processors must treat facial recognition data.
Namely, the WPA specifies that, among other things, facial recognition technology must be tested for accuracy and potential bias, controllers must obtain consent for adding a consumer’s face to a database, consumers must be notified in public places where it is happening, and results must be verified by humans when making critical decisions utilizing facial recognition technology.
What Are the Consequences of Non-Compliance?
Similar to the CCPA, the WPA also allows individuals to bring action against companies that are non-compliant under Washington state’s Consumer Protection Act. The WPA also gives the Washington Attorney General authority to take legal action and enforce penalties of up to $7,500 per violation. This will add up quickly for businesses that have data breaches or are found to be out of compliance with the WPA.
Preparing for the WPA and beyond
Many businesses are already thinking about WPA compliance, and the most forward-thinking businesses are also considering what this means for the future of privacy laws. The WPA is receiving praise from advocate groups such as Consumer Reports as well as tech giants like Microsoft, and many are even calling for further improvements to the bill.
Even if the WPA does not come to pass, it is likely for other states to pass similar legislation regarding consumer data privacy. Either way, your organization needs to be prepared to operate in a world where data privacy issues will continue to be legislated and litigated.
Companies with already mature infosec and privacy practices will have a big head start when implementing WPA-compliant practices.
To prepare for the WPA and future privacy laws, start by understanding what’s required by the existing industry-agnostic data privacy regulations (e.g., CCPA, GDPR). You’ll need to ensure that your privacy policy, data handling practices, security protocols, and vendor contracts are compliant with these regulations. Doing so will help your organization be well prepared when new legislation like the WPA goes into effect.
To learn more about what your organization can do to readily meet common data privacy legislations, check out this article Understanding Data Privacy and Why It Needs to Be a Priority for Your Business.
Additionally, to help organizations strengthen their security posture and meet regulatory requirements, Hyperproof has published a suite of articles on cybersecurity controls, best practices, and standards. Here are a few of the most popular resources on our website:
- How to Conduct an Information Security Risk Assessment
- Internal Controls and Data Security: How to Develop Controls That Meet Your Needs
- A Guide to ISO 27001 Compliance
- SOC 2 Compliance: What You Need to Know and Need to Do
- 5 Things Businesses Can Do to Minimize Cyber Losses As Geopolitical Crises Like Iran Escalate
- How to Create a Cybersecurity Incident Response Plan
- What is ISO 27001 and the Benefits of Getting Certified
Hyperproof’s compliance operations software comes with pre-built frameworks to help you implement common cybersecurity and data privacy standards (e.g., GDPR, CCPA, SOC 2, ISO 27001) — so you can improve your data protection mechanisms and business processes to readily meet data privacy and data security regulations. Hyperproof not only provides guidance when you implement these compliance standards, but it also automates many compliance activities to save you time when adhering to multiple regulations and industry standards.
If you’d like to learn more about how Hyperproof can help you prepare to meet the WPA as well as existing data privacy laws, please contact us for a personalized demo.
Monthly Newsletter