Logo
Media Centre

Washington State Introduces New Privacy Act Bill

Ariel Yosefi

29 January 2020

29/01/2020
Technology & Regulation in the Spotlight

Washington State Senator Carlyle has introduced a new version of the Washington Privacy Act bill (“WPA“). The proposed holistic version of the WPA is designed to provide a comprehensive data protection framework for the residents of Washington, which will go beyond the scope of the California Consumer Privacy Act (CCPA) and in some cases, even beyond the scope of the European General Data Protection Regulation (GDPR). If adopted by the legislators, the WPA will enter into effect on 31 July 2021.

Similar to the CCPA, the WPA would not apply to any company that collects or processes personal information of a Washington resident. In this regard, the WPA would only apply to entities which: (i) conduct business in Washington; or (ii) produce products or services targeted to Washington residents; and (a) process personal data of at least 100,000 consumers; or (b) derive 50% of gross revenue from the sale of personal data and process or control personal data of at least 25,000 consumers.

The WPA will grant consumers basic privacy individual rights such as the right to access, amend, delete or transfer personal data. Entities that are subject to the WPA, will also be required to allow consumer to opt-out of the processing of their personal data, for the purposes of targeted advertising; the sale of personal data; and of automated decision making that gives rise to legal consequences. As with the CCPA, the WPA will also prohibit companies from discriminating against consumers from exercising their rights. Companies, which process pseudonymous personal data, will not be required to comply with the individual rights if they are not in a position to identify the consumer.

In addition, the WPA requires companies to provide an accessible privacy policy to data subjects, disclosing the categories of personal data that has been processed, their purpose, consumer rights and data sharing practices. The proposed act would also set additional obligations that align with the GDPR, such as data minimization and reasonable security standards.

The WPA distinguishes between controllers and processors and sets obligations for each. For example, processors will be required to comply with controller’s instructions and provide controllers with an opportunity to object before engaging with a subcontractor.

The WPA would also require companies to conduct data protection assessments any time where there is a change in the processing activities that might materially increase the risks to consumers. If the potential risks of harm occurring to the privacy rights of consumers will outweigh other interests, then controllers will be required to obtain the consumers’ affirmative consent before processing.

Unlike other data protection laws, the WPA specifically addresses the issues regarding the commercial uses of facial recognition technologies. The WPA would require companies to obtain an affirmative “opt-in” consent from consumers before using facial recognition. The WPA also places a heightened obligation on both controllers and processors of commercial facial recognition services. Providers of facial recognition services for commercial uses will in addition, be obliged to provide APIs that will allow controllers and other third parties to evaluate the fairness and accuracy of the service. Controller will also need to take affirmative steps and post notices in public spaces, where facial recognition services are deployed.

In addition to the WPA, the legislators in Washington have introduced nine additional privacy and consumer protection related bills, including a bill against the use of deceptive bots for commercial purposes; a bill requiring written consent before retaining voice information; and a bill providing consumers with exclusive proprietary rights on their biometric identifiers.

**********************************************

Feel free to contact us with any further question or comments regarding the update and subjects detailed above.

Kind regards,

Ariel Yosefi, Partner

Head of Technology & eCommerce Regulation

Herzog Fox & Neeman

Related Practice Areas

Related Lawyers

More news

Nebraska is the 17th US State to Adopt Comprehensive Data Protection Legislation
Maryland is the 16th US State to Pass Comprehensive Consumer Privacy Legislation
Kentucky is the 15th US State to Adopt Comprehensive Data Protection Legislation
JOIN OUR
Newsletter

    © 2020, All rights reserved, Herzog Law
    Site by Gootte

    The information contained in this web site is provided for informational purposes only and should not be construed as legal advice on any subject matter and should not be relied upon as such. Herzog accepts no responsibility for any consequences whatsoever arising from use of the information contained in this web site. The accessing of information contained in this web site shall under no circumstances be considered as creating an attorney-client relationship between Herzog and any party accessing this web site. Contacting through email any lawyer named in this web site or sending information without prior agreement of Herzog shall not be construed as automatically creating an attorney-client relationship between Herzog and the party sending an email or information. The material contained in this web site has been created by and remains the property of Herzog. No reproduction, transmission, publication or any other form of dissemination shall be permitted unless the prior written consent of Herzog has been obtained. This web site may contain links to other web sites operated by third parties. Herzog does not sponsor, approve or endorse the content of any such web site and is not responsible for the materials appearing in such sites.

    Search by
    Search by +

    Search