Washington State ‘People’s Privacy Act’ Bill Ups the Ante for Privacy Compliance

February 8, 2021Alerts

"Under no circumstances shall an individual's interaction with a covered entity's product or service when the covered entity has a terms of service or a privacy policy, including the short-form privacy notice, in and of itself constitute freely given, specific, informed, and unambiguous consent" (Section 5(2)(e)).

This statement is not taken from an European Data Protection Board guideline or an enforcement action by the French data protection authority CNIL, but rather from the People's Privacy Act (HB1433), a competing bill to the thrice-revived Washington Privacy Act, submitted by Washington State Rep. Shelley Kloba.

Key Points From the Bill

Scope

  • The act applies to entities that "conduct business in Washington" which "means to produce, solicit, or offer for use or sale any information, product, or service in a manner that intentionally targets, or may reasonably be expected to contact natural persons located in Washington state, whether or not for profit" and meet an annual revenue of $10 million through 300 or more transactions or processes personal information of 1,000 or more individuals in a year.
  • An individual is a person who is a Washington state resident with the location of a person in Washington state creating a presumption of residency.

Some Game Changers

  • Processing or changing personal information is prohibited without opt-in consent.
  • Duty of reasonable standard of care in using personal information.
  • Notice and opt-in consent requirement for surveillance/monitoring.
  • Private right of action and statutory damages including punitive damages and Attorney General enforcement.

Some 'Upgrades' on CCPA Concepts

  • The definitions of "personal information" and "deidentified" track those of CCPA.
  • Consumer rights: to know, to access information, to correct inaccurate information and to require deletion, but also to refuse nonessential processing of information.
  • Layered approach for notices: The bill requires both short form (not more than 500 words) and long form privacy notices. Disclosure is similar to CCPA but includes retention period and a listing of third parties with whom information is shared, by name.
  • A uniform short form notice and a uniform logo or button are being contemplated.
  • Duty of contractual requirements for data protection downstream plus requirement to exercise reasonable oversight and audits of the data security and processing activities of service providers and third parties with whom information is shared.
  • Obligations re: use of biometric information.
  • Prohibitions on discrimination.

Odia Kagan is a partner in the firm's Privacy & Data Security Practice and Chair of the firm's GDPR Compliance & International Privacy Practice. For questions about compliance with CCPA and other state data privacy laws, she can be reached at 215.444.7313 or [email protected].