Federal. The Federal Trade Commission (FTC) has been the chief federal agency on privacy policy and enforcement since the 1970s when it began enforcing the Fair Credit Reporting Act, one of the first federal privacy laws. The FTC has broad authority to prohibit unfair and deceptive practices. In general, the FTC enforces sector-specific privacy regulations.
California. In 2018, California enacted the California Consumer Privacy Act (CCPA), which took effect in 2020. The CCPA regulates the collection, use, and sharing of personal information and provides California residents with certain rights such as access and opt out of the sale of personal information to third parties. In November 2020, California residents approved a ballot initiative titled the California Privacy Rights Act (CPRA), which amends many provisions of the CCPA. For example, CPRA expands the opt out right to include the sharing of personal information and establishes a new agency to be the regulatory and enforcement entity for privacy protections. CPRA takes effect in January 2023.
Washington State. Privacy Regulations in General. Personal information and privacy interests are protected under various provisions of state law, such as biometric identifiers and personal information–notice of security breaches. The Washington State Constitution provides that no person is disturbed in their private affairs without authority of law.
State Privacy Office. The Office of the Chief Information Officer (OCIO) has primary duties related to information technology for state government, which include establishing statewide enterprise architecture and standards for consistent and efficient operation. Within the OCIO, the Office of Privacy and Data Protection (OPDP) serves as a central point of contact for state agencies on policy matters involving data privacy and data protection. The OPDP also serves as a resource to local governments and the public on data privacy and protection concerns.
Washington Consumer Protections. The Consumer Protection Act (CPA) prohibits unfair methods of competition or unfair or deceptive practices in the conduct of any trade or commerce. The attorney general (AG) is authorized to investigate and prosecute claims under the CPA on behalf of the state or individuals in the state. A person injured by a violation of the CPA may bring a civil action for injunctive relief, recovery of actual damages, and reasonable attorneys' fees. The courts may increase awarded damages up to three times the actual damages sustained.
Contact Tracing. Local health departments, with the support of the Department of Health (DOH) and its partners, perform case investigations and contact tracing to help slow and prevent the spread of infectious diseases like COVID-19. These practices have been used for decades and entail an interviewer reaching out to persons who have tested positive for infectious disease, asking them pre-approved questions, entering information into secure systems, and connecting people with appropriate resources. Information collected during these interviews is only used by public health agencies.
In December 2020, DOH launched exposure notifications technology known as WA Notify. This is a new tool that works through smartphones, without sharing any personal information, to notify users if they may have been exposed to COVID-19. It is private and does not know or track the identity of an individual or where they go. Notifications have a link to information about what to do next to protect themselves and others. Notifications do not contain any information about who tested positive or where the exposure may have happened.
Consumer Personal Data–Private Sector. Rights. A consumer has the following rights regarding their personal data:
Consumers may exercise these rights at any time. In the case of processing of personal data concerning a known child or a consumer subject to protective arrangements, the parent or legal guardian of the known child or the conservator of the consumer shall exercise these rights on their behalf.
Jurisdictional Scope. This act applies to legal entities conducting business in Washington or producing products or services targeted to Washington residents, and:
This act does not apply to state agencies, legislative agencies, local governments, tribes, municipal corporations, personal data regulated by certain federal and state laws, or data maintained for employment records purposes.
Responding to Consumer Requests. A controller must comply with a request to opt out of processing no later than 15 days of receipt of the request.
A controller must inform a consumer of any action, including an extension, taken on a request to access, delete, correct, or obtain data in a portable format within 45 days of receipt of the request. This timeframe may be extended once for an additional 45 days. If a controller does not take action on a request, the controller must inform the consumer within 45 days of receipt of the request with the reasons for not taking action and instructions on how to appeal the decision with the controller. Controllers must establish an internal process for consumers to appeal a refusal to take action.
The controller must provide information free of charge, up to twice annually, to the consumer. When requests from a consumer are manifestly unfounded or excessive, the controllers may either charge a reasonable administrative fee or refuse to act on the request. A controller is not required to comply with a request to exercise a consumer personal data right if the controller is unable to authenticate the request using commercially reasonable efforts. In such cases, the controller may request additional information.
Responsibility According to Role. Controllers and processors are responsible for meeting set obligations. Processors must adhere to instructions of the controller and assist controllers in meeting set obligations. Notwithstanding the instructions of the controller, a processor must ensure the confidentiality of the processing of personal data and engage with a subcontractor only after certain requirements are met.
Processing by a processor is governed by a contract between the controller and the processor that is binding on both parties. Contractual requirements are specified.
Responsibilities of Controllers. Controller responsibilities are specified including transparency, data minimization, purpose specification, avoiding secondary use, nondiscrimination, and antiretaliation. Controllers must obtain consumer consent to process sensitive data.
Processing Deidentified Data or Pseudonymous Data. Controllers or processors are not required to take certain actions in order to comply with this act, such as reidentifying deidentified data or maintaining data in an identified form. The consumer rights identified in this act do not apply to pseudonymous data in cases where the controller is able to demonstrate it is not in a position to identify the consumer. A controller or processor that uses deidentified data or pseudonymous data must monitor compliance with any contractual commitments.
Data Protection Assessments. Controllers must conduct and document a data protection assessment (assessment) of each of the following activities involving personal data:
The AG may request, in writing, that a controller disclose any assessment relevant to an investigation conducted by the AG. Assessments are confidential and exempt from public inspection.
Assessments conducted by a controller in compliance with other laws or regulations may qualify if they have a similar scope and effect.
Limitations and Applicability. Several exemptions to the obligations imposed on controllers or processors are specified such as complying with federal, state, or local laws; providing a service specifically requested by a consumer; or engaging in research that adheres to privacy laws and is monitored by an independent oversight entity.
If a controller processes personal data pursuant to a specified exemption, the controller bears the burden of demonstrating such processing qualifies for the exemption and complies with specified requirements. Personal data processed pursuant to an exemption may be processed solely to the extent that such processing is:
Private Right of Action. A violation of this chapter may not serve as the basis for a private right of action under this chapter or any other law. Rights possessed by consumers as of July 1, 2020, under the CPA or other laws are not altered.
Enforcement. This chapter may be enforced solely by the AG under the CPA. If a controller or processor violates this act, prior to filing a complaint, the AG must provide the controller or processor with a warning letter identifying the specific provisions of this chapter the AG alleges have been or are being violated. If, after 30 days of issuance of the warning letter, the AG believes the controller or processor has failed to cure any alleged violation, the AG may bring an action as provided under this chapter.
A controller or processor found in violation of this chapter is subject to a civil penalty up to $7,500 for each violation. In actions brought under this chapter, the state is entitled to recover, in addition to prescribed penalties, the costs of investigation, including reasonable attorneys' fees.
Consumer Privacy Account. The Consumer Privacy Account is created. All receipts from the imposition of civil penalties, except for the recovery of costs and attorneys' fees accrued during enforcement, must be deposited into the Consumer Privacy Account. Expenditures from the account may only be used for the purposes of the OPDP.
Preemption. This act supersedes and preempts laws or the equivalent adopted by any local entity regarding the processing of personal data by controllers or processors. Laws, ordinances, or regulations regarding the processing of personal data by controllers or processors adopted by any local entity prior to July 1, 2020, are not superseded or preempted.
Severability Clause. If any provision of this act or its application to any person or circumstance is held invalid, the remainder of the act or the application of the provision to the other persons or circumstances is not affected.
Privacy Office Report. The OPDP, in collaboration with the Office of the Attorney General, shall research and examine existing analysis on the development of technology, such as a browser or global device setting, indicating a consumer's affirmative, freely given, and unambiguous choice to opt out of certain processing. A contract study is not required. A report of findings and specific recommendations must be submitted to the Governor and the Legislature by December 1, 2022.
Data Processed for Contact Tracing Purposes–Private Sector. Prohibitions. It is unlawful for a controller or processor to:
Rights. A consumer has the following rights regarding the processing of covered data for a covered purpose:
Responsibilities of Controllers. Controller responsibilities are specified including transparency, data minimization, purpose specification, and nondiscrimination. Controllers must delete or deidentify covered data when it is no longer being used for the covered purpose.
Limitations and Applicability. The obligations imposed on controllers or processors under this chapter do restrict their ability to comply with federal, state, or local laws; or engage in research that adheres to privacy laws and is monitored by an independent oversight entity. This chapter does not apply to certain data governed by federal or state law or employment records.
Provisions Similar to Consumer Personal Data–Private Sector. Several provisions related to consumer personal data also apply to the processing of covered data processed for a covered purpose including exercising consumer rights, responding to requests, responsibilities according to role, private right of action, enforcement, preemption, and severability clause. Data type terminology is different in order to reflect applicable definitions.
Definitions. Covered data includes personal data and one or more of the following: specific geolocation data, proximity data, or personal health data.
Covered purpose means processing of covered data concerning a consumer for the purposes of detecting symptoms of an infectious disease, enabling the tracking of a consumer's contact with other consumers, or specific locations to identify, in an automated fashion, whom consumers have come into contact with, or digitally notifying, in an automated manner, a consumer who may have become exposed to an infectious disease, or other similar purposes directly related to a state of emergency declared by the Governor.
Data Process for Contact Tracing Purposes–Public Sector. Prohibitions. It is unlawful for a controller or processor to:
Responsibilities of Controllers. Controller responsibilities are specified including transparency, data minimization, purpose specification, and nondiscrimination. Controllers must delete or deidentify covered data when it is no longer being used for the covered purpose.
Limitations and Applicability. The obligations imposed on controllers or processors under this chapter do restrict their ability to comply with federal, state, or local laws; or engage in research that adheres to privacy laws and is monitored by an independent oversight entity.
Enforcement. Any individual injured by a violation of this chapter may institute a civil action to recover damages. Any controller that violates, proposes to violate, or has violated this chapter may be enjoined.
Liability. Where more than one controller or processor, or both a controller and a processor, involved in the same processing, is in violation of this chapter, the liability must be allocated among the parties according to principles of comparative fault.
Definitions. TACT means the use of a digital application or other electronic or digital platform capable of independently transmitting information and if offered to individuals for the purpose of notifying individuals who may have had contact with an infectious person through data collection and analysis as a means of controlling the spread of a communicable disease.
TACT information means any information, data, or metadata received through TACT.
Expiration. The provisions related to data processed for public sector contact tracing purposes expire June 30, 2024.