SB 5062
As Reported by Senate Committee On:
Environment, Energy & Technology, January 21, 2021
Title: An act relating to the management, oversight, and use of data.
Brief Description: Concerning the management, oversight, and use of data.
Sponsors: Senators Carlyle, Nguyen, Billig, Darneille, Das, Dhingra, Holy, Hunt, Lovelett, Mullet, Pedersen, Salomon, Sheldon, Wellman and Wilson, C..
Brief History:
Environment, Energy & Technology: 1/14/21, 1/21/21 [DPS-WM, DNP].
Brief Summary of First Substitute Bill
  • Provides Washington residents with the consumer personal data rights of access, correction, deletion, data portability, and opt out of the processing of personal data for specified purposes.
  • Specifies the thresholds a legal entity must satisfy for the requirements set forth in this act to apply.
  • Identifies controller responsibilities such as transparency, purpose specification, and data minimization.
  • Requires controllers to conduct data protection assessments under certain conditions.
  • Authorizes sole attorney general enforcement under the Consumer Protection Act.
  • Regulates the processing of data collected for certain contact tracing purposes.
Majority Report: That Substitute Senate Bill No. 5062 be substituted therefor, and the substitute bill do pass and be referred to Committee on Ways & Means.
Signed by Senators Carlyle, Chair; Lovelett, Vice Chair; Brown, Das, Fortunato, Hobbs, Liias, Nguyen, Sheldon, Short, Stanford and Wellman.
Minority Report: Do not pass.
Signed by Senator Ericksen, Ranking Member.
Staff: Angela Kleis (786-7469)

Federal.  The Federal Trade Commission (FTC) has been the chief federal agency on privacy policy and enforcement since the 1970s when it began enforcing the Fair Credit Reporting Act, one of the first federal privacy laws.  The FTC has broad authority to prohibit unfair and deceptive practices.  In general, the FTC enforces sector-specific privacy regulations.


California.  In 2018, California enacted the California Consumer Privacy Act (CCPA), which took effect in 2020.  The CCPA regulates the collection, use, and sharing of personal information and provides California residents with certain rights such as access and opt out of the sale of personal information to third parties.  In November 2020, California residents approved a ballot initiative titled the California Privacy Rights Act (CPRA), which amends many provisions of the CCPA.  For example, CPRA expands the opt out right to include the sharing of personal information and establishes a new agency to be the regulatory and enforcement entity for privacy protections.  CPRA takes effect in January 2023.


Washington State.  Privacy Regulations in General.  Personal information and privacy interests are protected under various provisions of state law, such as biometric identifiers and personal information–notice of security breaches.  The Washington State Constitution provides that no person is disturbed in their private affairs without authority of law.


State Privacy Office.  The Office of Privacy and Data Protection (OPDP) serves as a central point of contact for state agencies on policy matters involving data privacy and data protection.  The OPDP also serves as a resource to local governments and the public on data privacy and protection concerns.


Washington Consumer Protections.  The Consumer Protection Act (CPA) prohibits unfair methods of competition or unfair or deceptive practices in the conduct of any trade or commerce.  The attorney general (AG) is authorized to investigate and prosecute claims under the CPA on behalf of the state or individuals in the state.  A person injured by a violation of the CPA may bring a civil action for injunctive relief, recovery of actual damages, and reasonable attorneys' fees.  The courts may increase awarded damages up to three times the actual damages sustained. 


Contact Tracing.  Local health departments, with the support of the Department of Health (DOH) and its partners, perform case investigations and contact tracing to help slow and prevent the spread of infectious diseases like COVID-19.


In December 2020, DOH launched exposure notifications technology known as WA Notify.  This is a new tool that works through smartphones, without sharing any personal information, to notify users if they may have been exposed to COVID-19. Notifications have a link to information about what to do next to protect themselves and others.  Notifications do not contain any information about who tested positive or where the exposure may have happened.

Summary of Bill (First Substitute):

Consumer Personal Data–Private Sector.  Rights.  A consumer has the following rights regarding their personal data:

  • access;
  • correction;
  • deletion;
  • obtaining personal data they provided to the controller in a portable format; and
  • opt out of the processing of their personal data for purposes of (1) targeted advertising, (2) the sale of personal data, or (3) profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer.


Consumers may exercise these rights at any time.  In the case of processing of personal data concerning a known child or a consumer subject to protective arrangements, the parent or legal guardian of the known child or the conservator of the consumer shall exercise these rights on their behalf.


Jurisdictional Scope.  This act applies to legal entities conducting business in Washington or producing products or services targeted to Washington residents, and:

  • controlling or processing personal data of 100,000 or more consumers during a calendar year; or
  • deriving 25 percent of gross revenue from the sale of personal data and processing or controlling personal data of 25,000 or more consumers.


This act does not apply to state agencies, legislative agencies, the judicial branch, local governments, tribes, municipal corporations, personal data regulated by certain federal and state laws, or data maintained for employment records purposes.


Responding to Consumer Requests.  A controller must comply with a request to opt out of processing no later than 15 days of receipt of the request.


A controller must inform a consumer of any action, including an extension, taken on a request to access, delete, correct, or obtain data in a portable format within 45 days of receipt of the request.  This timeframe may be extended once for an additional 45 days.  Controllers must establish an internal process for consumers to appeal a refusal to take action.


Responsibility According to Role.  Controllers and processors are responsible for meeting set obligations.  Processors must adhere to instructions of the controller and assist controllers in meeting set obligations. Processing by a processor is governed by a contract between the controller and the processor that is binding on both parties.  Contractual requirements are specified.


Responsibilities of Controllers.  Controller responsibilities are specified including transparency, data minimization, purpose specification, avoiding secondary use, nondiscrimination, and antiretaliation.  In general, controllers must obtain consumer consent to process sensitive data.

Processing Deidentified Data or Pseudonymous Data.  Controllers or processors are not required to take certain actions in order to comply with this act, such as reidentifying deidentified data.  The consumer rights identified in this act do not apply to pseudonymous data if the controller can demonstrate that it is unable to identify the consumer. 


Data Protection Assessments.  Controllers must conduct a data protection assessment (assessment) for certain activities involving personal data such as any processing activities that present a heightened risk of harm to consumers. The AG may request, in writing, that a controller disclose any assessment relevant to an investigation conducted by the AG.  Assessments are confidential and exempt from public inspection.


Limitations and Applicability.  Several exemptions to the obligations imposed on controllers or processors are specified such as complying with federal, state, or local laws; providing a service specifically requested by a consumer; or engaging in research that adheres to privacy laws and is monitored by an independent oversight entity.


If a controller processes personal data pursuant to a specified exemption, the controller bears the burden of demonstrating such processing qualifies for the exemption and complies with specified requirements. 


Private Right of Action.  A violation of this chapter may not serve as the basis for a private right of action under this chapter or any other law.  Rights possessed by consumers as of July 1, 2020, under the CPA or other laws are not altered.


Enforcement.  This chapter may be enforced solely by the AG under the CPA.  Prior to filing a complaint, the AG must provide the controller or processor with a warning letter identifying the specific provisions of this chapter the AG alleges have been or are being violated.  If, after 30 days of issuing the letter, the AG believes the controller or processor has failed to cure any alleged violation, the AG may bring an action.


A controller or processor found in violation of this chapter is subject to a civil penalty up to $7,500 for each violation.

Consumer Privacy Account.  The Consumer Privacy Account is created.  All receipts from the imposition of civil penalties, except for the recovery of costs and attorneys' fees accrued during enforcement, must be deposited into the Consumer Privacy Account.  Expenditures from the account may only be used for the purposes of the OPDP. 

Preemption.  This act preempts laws or the equivalent adopted by any local entity regarding the processing of personal data by controllers or processors, expect those adopted prior to July 1, 2020.


Severability Clause.  If any provision of this act is held invalid, the remainder of the act is not affected.

Privacy Office Report.  The OPDP, in collaboration with the Office of the Attorney General, shall research existing analysis on the development of technology, such as a browser or global device setting, indicating a consumer's affirmative choice to opt out of certain processing. 


Data Processed for Contact Tracing Purposes–Private Sector.  Prohibitions.  It is unlawful for a controller or processor to:

  • process covered data for a covered purpose unless they provide a consumer with the required privacy notice and obtain consumer consent;
  • disclose covered data to federal, state, or local law enforcement;
  • sell any covered data; or
  • share covered data with another controller, processor, or third party unless such sharing is covered by a contract.


Rights.  A consumer has the following rights regarding the processing of covered data for a covered purpose: opt out, access, correction, and deletion.

Responsibilities of Controllers.  Controller responsibilities are specified including transparency, data minimization, purpose specification, and nondiscrimination.  Controllers must delete or deidentify covered data when it is no longer being used for the covered purpose.


Limitations and Applicability.  The obligations imposed on controllers or processors under this chapter do restrict their ability to comply with federal, state, or local laws.  This chapter does not apply to certain data governed by federal or state law or employment records.


Provisions Similar to Consumer Personal Data–Private Sector.  Several provisions related to consumer personal data also apply to the processing of covered data processed for a covered purpose including exercising consumer rights, responding to requests, responsibilities according to role, private right of action, enforcement, preemption, and severability clause.  Data type terminology is different in order to reflect applicable definitions.


Data Process for Contact Tracing Purposes–Public Sector.  Prohibitions.  It is unlawful for a controller or processor to:

  • process technology-assisted contact tracing (TACT) information unless they provide a consumer with the required privacy notice and obtain consumer consent;
  • disclose TACT information to federal, state, or local law enforcement;
  • sell any TACT information; or
  • share TACT information with another controller, processor, or third party unless such sharing is covered by a contract or data-sharing agreement.


Responsibilities of Controllers.  Controller responsibilities are specified including transparency, data minimization, purpose specification, and nondiscrimination.  Controllers must delete or deidentify covered data when it is no longer being used for the covered purpose.


Limitations and Applicability.  The obligations imposed on controllers or processors under this chapter do restrict their ability to comply with federal, state, or local laws.  


Enforcement.  Any individual injured by a violation of this chapter may institute a civil action to recover damages.  Any controller that violates, proposes to violate, or has violated this chapter may be enjoined.


Expiration.  The provisions related to data processed for public sector contact tracing purposes expire June 30, 2024.

  • Adds intent language encouraging the state privacy office to monitor the effectiveness of allowing a consumer to designate a third party to exercise a consumer right on their behalf.
  • Provides that air carriers and the judicial branch are exempt from the personal data privacy regulations.
  • Specifies that controllers and processors are responsible for only the measures allocated to them when meeting obligations related to security breach laws and data protection assessments.
  • Clarifies that the responsibility regarding sensitive data applies to the processing of sensitive data concerning a known child.
  • Makes technical corrections.
Appropriation: None.
Fiscal Note: Available.
Creates Committee/Commission/Task Force that includes Legislative members: No.
Effective Date: The bill contains several effective dates. Please refer to the bill.
Staff Summary of Public Testimony on Original Bill:

The committee recommended a different version of the bill than what was heard.  PRO:  Consumers only have rights that are granted to them by businesses.  The bill provides new rights and gives consumers more control over the handling of their data.  By providing a regulatory framework for the processing of data, consumers are provided data protections, businesses may advance services and operate with increased predictability, and public confidence and trust will be fostered.  Contact tracing provisions are needed to build public confidence in using tools to help stop the spread of COVID-19.


CON:  This bill does not provide meaningful consumer protection regulations.  People need to be able to bring a private right of action, which this bill explicitly prohibits, in order to protect their privacy rights and hold businesses accountable.  This approach protects businesses rather than consumers by providing several exemptions.  Financial information should be included.  This bill fails to protect sensitive data shared by children in schools.  The bill should include protections for teenagers.  Contact tracing provisions should be addressed in a separate bill.  An opt-in framework provides better protections than the opt-in provisions of the bill.  Major platforms are carved out of the bill.  Local jurisdictions should be able to enact stronger privacy laws.


OTHER:  This bill reflects all of the hard work that has gone into this issue over several years and represents a compromise amongst various stakeholders.  We are concerned that the definition of targeted advertising is confusing.  We recommend a couple of measures that will help consumers exercise their rights such as recognizing global opt out mechanisms and authorizing delegated authority.  With regards to enforcement, we have concerns with the cure period.  This bill provides tools needed for enforcement.  Compliance is burdensome; nonprofits should be exempt from these requirements just as they are in California.  We have concerns that the provisions regarding loyalty programs might invalidate some partnerships.

Persons Testifying: PRO: Senator Reuven Carlyle, Prime Sponsor; Molly Jones, Washington Technology Industry Association; Ryan Harkins, Microsoft Corporation; Derrick Morton, FlowPlay.
CON: Jennifer Lee, American Civil Liberties Union of Washington; Gregg Brown, citizen, Former Microsoft Privacy Standards; Brianna Auffrey, Council on American-Islamic Relations of Washington; Susan Grant, Consumer Federation of America; Emilie St-Pierre, Future Ada; Cynthia Spiess, citizen, Independent Security Expert; Jon Pincus, Indivisible+ Washington; Stephanie Hager, citizen; Cheri Kiesecker, Parent Coalition for Student Privacy.
OTHER: Mark Johnson, Washington Retail; Rose Feliciano, Internet Association; Maureen Mahoney, Consumer Reports; Joseph Jerome, Common Sense Media; Yasmin Trudeau, Washington State Office of the Attorney General; Kristen Knauf, American Heart Association; Robert Battles, Association of Washington Business; Julia Gorton, Washington Hospitality Association; Samantha Kersul, TechNet; Carolyn Logue, Washington Food Industry Association; Larry Shannon, Washington State Association for Justice; Ryan Tack-Hooper, Washington State Association for Justice.
Persons Signed In To Testify But Not Testifying: No one.