Federal. The Federal Trade Commission (FTC) has been the chief federal agency on privacy policy and enforcement since the 1970s when it began enforcing the Fair Credit Reporting Act, one of the first federal privacy laws. The FTC has broad authority to prohibit unfair and deceptive practices. In general, the FTC enforces sector-specific privacy regulations.
California. In 2018, California enacted the California Consumer Privacy Act (CCPA), which took effect in 2020. The CCPA regulates the collection, use, and sharing of personal information and provides California residents with certain rights such as access and opt out of the sale of personal information to third parties. In November 2020, California residents approved a ballot initiative titled the California Privacy Rights Act (CPRA), which amends many provisions of the CCPA. For example, CPRA expands the opt out right to include the sharing of personal information and establishes a new agency to be the regulatory and enforcement entity for privacy protections. CPRA takes effect in January 2023.
Washington State. Privacy Regulations in General. Personal information and privacy interests are protected under various provisions of state law, such as biometric identifiers and personal information–notice of security breaches. The Washington State Constitution provides that no person is disturbed in their private affairs without authority of law.
State Privacy Office. The Office of Privacy and Data Protection (OPDP) serves as a central point of contact for state agencies on policy matters involving data privacy and data protection. The OPDP also serves as a resource to local governments and the public on data privacy and protection concerns.
Washington Consumer Protections. The Consumer Protection Act (CPA) prohibits unfair methods of competition or unfair or deceptive practices in the conduct of any trade or commerce. The attorney general (AG) is authorized to investigate and prosecute claims under the CPA on behalf of the state or individuals in the state. A person injured by a violation of the CPA may bring a civil action for injunctive relief, recovery of actual damages, and reasonable attorneys' fees. The courts may increase awarded damages up to three times the actual damages sustained.
Contact Tracing. Local health departments, with the support of the Department of Health (DOH) and its partners, perform case investigations and contact tracing to help slow and prevent the spread of infectious diseases like COVID-19.
In December 2020, DOH launched exposure notifications technology known as WA Notify. This is a new tool that works through smartphones, without sharing any personal information, to notify users if they may have been exposed to COVID-19. Notifications have a link to information about what to do next to protect themselves and others. Notifications do not contain any information about who tested positive or where the exposure may have happened.
Consumer Personal Data–Private Sector. Rights. A consumer has the following rights regarding their personal data:
Consumers may exercise these rights at any time. In the case of processing of personal data of a known child or a consumer subject to protective arrangements, the parent or legal guardian of the known child or the conservator of the consumer shall exercise these rights on their behalf.
Jurisdictional Scope. This act applies to legal entities conducting business in Washington or producing products or services targeted to Washington residents, and:
This act does not apply to state agencies, legislative agencies, the judicial branch, local governments, tribes, municipal corporations, air carriers, personal data regulated by certain federal and state laws, or data maintained for employment records purposes.
Responding to Consumer Requests. A controller must comply with a request to opt out of processing no later than 15 days of receipt of the request.
A controller must inform a consumer of any action, including an extension, taken on a request to access, delete, correct, or obtain data in a portable format within 45 days of receipt of the request. This timeframe may be extended once for an additional 45 days. Controllers must establish an internal process for consumers to appeal a refusal to take action.
Responsibility According to Role. Controllers and processors are responsible for meeting set obligations. Processors must adhere to instructions of the controller and assist controllers in meeting set obligations. Processing by a processor is governed by a contract between the controller and the processor that is binding on both parties. Contractual requirements are specified.
Responsibilities of Controllers. Controller responsibilities are specified including transparency, data minimization, purpose specification, avoiding secondary use, nondiscrimination, and antiretaliation. In general, controllers must obtain consumer consent to process sensitive data.
Processing Deidentified Data or Pseudonymous Data. Controllers or processors are not required to take certain actions in order to comply with this act, such as reidentifying deidentified data. The consumer rights identified in this act do not apply to pseudonymous data if the controller can demonstrate that it is unable to identify the consumer.
Data Protection Assessments. Controllers must conduct a data protection assessment (assessment) for certain activities involving personal data such as any processing activities that present a heightened risk of harm to consumers. The AG may request, in writing, that a controller disclose any assessment relevant to an investigation conducted by the AG. Assessments are confidential and exempt from public inspection.
Limitations and Applicability. Several exemptions to the obligations imposed on controllers or processors are specified such as complying with federal, state, or local laws; providing a service specifically requested by a consumer; or engaging in research that adheres to privacy laws and is monitored by an independent oversight entity.
If a controller processes personal data pursuant to a specified exemption, the controller bears the burden of demonstrating such processing qualifies for the exemption and complies with specified requirements.
Private Right of Action. A violation of this chapter may not serve as the basis for a private right of action under this chapter or any other law. Rights possessed by consumers as of July 1, 2020, under the CPA or other laws are not altered.
Enforcement. This chapter may be enforced solely by the AG under the CPA. Prior to filing a complaint, the AG must provide the controller or processor with a warning letter identifying the specific provisions of this chapter the AG alleges have been or are being violated. If, after 30 days of issuing the letter, the AG believes the controller or processor has failed to cure any alleged violation, the AG may bring an action.
A controller or processor found in violation of this chapter is subject to a civil penalty up to $7,500 for each violation. The civil penalties shall be exclusively assessed and recovered in any action brought by the AG.
Consumer Privacy Account. The Consumer Privacy Account is created. All receipts from the imposition of civil penalties, except for the recovery of costs and attorneys' fees accrued during enforcement, must be deposited into the Consumer Privacy Account. Expenditures from the account may only be used for the purposes of the OPDP.
Preemption. This act preempts laws or the equivalent adopted by any local entity regarding the processing of personal data by controllers or processors, expect those adopted prior to July 1, 2020.
Severability Clause. If any provision of this act is held invalid, the remainder of the act is not affected.
Privacy Office Report. The OPDP, in collaboration with the Office of the Attorney General, shall research existing analysis on the development of technology, such as a browser or global device setting, indicating a consumer's affirmative choice to opt out of certain processing, and the effectiveness of allowing a consumer to designate a third party to exercise a consumer right on their behalf.
Review. The Joint Legislative Audit and Review Committee (JLARC) must review the efficacy of the AG providing controllers and processors with warning letters and 30 days to cure alleged violations and report its findings to the Governor and the appropriate committees of the Legislature. The report must include specified information such as the number of warning letters sent and a recommendation on whether the AG should continue providing warning letters, or should the process be changed or stopped, and if so, when. The report is due by December 1, 2025.
Data Processed for Contact Tracing Purposes–Private Sector. Prohibitions. It is unlawful for a controller or processor to:
Rights. A consumer has the following rights regarding the processing of covered data for a covered purpose: opt out, access, correction, and deletion.
Responsibilities of Controllers. Controller responsibilities are specified including transparency, data minimization, purpose specification, and nondiscrimination. Controllers must delete or deidentify covered data when it is no longer being used for the covered purpose.
Limitations and Applicability. The obligations imposed on controllers or processors under this chapter do restrict their ability to comply with federal, state, or local laws. This chapter does not apply to certain data governed by federal or state law or employment records.
Provisions Similar to Consumer Personal Data–Private Sector. Several provisions related to consumer personal data also apply to the processing of covered data processed for a covered purpose including exercising consumer rights, responding to requests, responsibilities according to role, private right of action, enforcement, preemption, and severability clause. Data type terminology is different in order to reflect applicable definitions.
Data Process for Contact Tracing Purposes–Public Sector. Prohibitions. It is unlawful for a controller or processor to:
Responsibilities of Controllers. Controller responsibilities are specified including transparency, data minimization, purpose specification, and nondiscrimination. Controllers must delete or deidentify covered data when it is no longer being used for the covered purpose.
Limitations and Applicability. The obligations imposed on controllers or processors under this chapter do restrict their ability to comply with federal, state, or local laws.
Enforcement. Any individual injured by a violation of this chapter may institute a civil action to recover damages. Any controller that violates, proposes to violate, or has violated this chapter may be enjoined.
Expiration. The provisions related to data processed for public sector contact tracing purposes expire June 30, 2024.
The committee recommended a different version of the bill than what was heard. PRO: Consumers only have rights that are granted to them by businesses. The bill provides new rights and gives consumers more control over the handling of their data. By providing a regulatory framework for the processing of data, consumers are provided data protections, businesses may advance services and operate with increased predictability, and public confidence and trust will be fostered. Contact tracing provisions are needed to build public confidence in using tools to help stop the spread of COVID-19.
CON: This bill does not provide meaningful consumer protection regulations. People need to be able to bring a private right of action, which this bill explicitly prohibits, in order to protect their privacy rights and hold businesses accountable. This approach protects businesses rather than consumers by providing several exemptions. Financial information should be included. This bill fails to protect sensitive data shared by children in schools. The bill should include protections for teenagers. Contact tracing provisions should be addressed in a separate bill. An opt-in framework provides better protections than the opt-in provisions of the bill. Major platforms are carved out of the bill. Local jurisdictions should be able to enact stronger privacy laws.
OTHER: This bill reflects all of the hard work that has gone into this issue over several years and represents a compromise amongst various stakeholders. We are concerned that the definition of targeted advertising is confusing. We recommend a couple of measures that will help consumers exercise their rights such as recognizing global opt out mechanisms and authorizing delegated authority. With regards to enforcement, we have concerns with the cure period. This bill provides tools needed for enforcement. Compliance is burdensome; nonprofits should be exempt from these requirements just as they are in California. We have concerns that the provisions regarding loyalty programs might invalidate some partnerships.
The committee recommended a different version of the bill than what was heard. PRO: This bill includes enforcement as requested by the Attorney General's Office (AGO). Goal is to protect data. We think this legislation is a thoughtful approach. It provides consumers with rights to control their data. The bill will provide robust enforcement. The AGO has the ability to enforce under the Consumer Protection Act. The bill has a right to cure.
CON: This is a weak, industry backed bill. This is not effectively enforceable, and will require more investment. Other countries spend 16 times more money. This needs to allow a private right of action. Concern that this bill defers cost of a strong privacy bill. Fails to allocate enough money for enforcement. Ireland has $23 million compared to the AGO costs identified in this bill.
OTHER: This bill should be strengthened. It is largely based on an opt-out model. Steps should be taken to be more like California's model. Strong enforcement is important. Concerns over applicability to non-profit organizations. California and Virginia models exempt non-profits. A sunset date is needed to right to cure. A private right of action is needed.