The Washington Privacy Act (Senate Bill 5376) was introduced January 17, 2019.
The Act represents a comprehensive effort to give consumers control over their personal data. In an economy driven by electronic storage of personal information, it has become paramount to protect data from misuse and data breach. This Act, based on established legal principles and our state constitution, provides Washington State residents with tools to determine how their data is used and shared. It will go into effect December 31, 2020.
The Act will apply to companies that handle the data of over 100,000 Washington State residents, or that possess data on 25,000 residents and derive 50% of their revenue from the sale of personal information.
The Act creates four basic rights for consumers: 1. The right to access their personal data, either by request or with access to an online site; 2. The right to update and correct that data; 3. The right to data portability; and 4. The right to object to the use of that data in a way they did not originally intend. For example, if a person granted company X the right to use their data only to accomplish a particular transaction, the company would be required to obtain that person’s specific consent to use that data for the sale to an unrelated third party or for direct marketing purposes.
Personal data is defined broadly, but does not include data sets that are already regulated by Federal law, such as health care data (under HIPAA) or financial data.
Companies must also conduct risk assessments to determine if the security of personal information might be compromised by a particular practice or use. Many American companies are already required to do this for the data of European residents under the General Data Protection Regulation that went into effect in May of 2018.
Enforcement will be through the Attorney General, with specified penalties.
The Act also limits the way companies and law enforcement can use Facial Recognition technology, as the deployment of this relatively new technology poses special risks. Private sector companies must give notice of deployment and have humans review the results of facial profiling programs before making a decision that will have legal effects for the targeted individuals. This is intended to prevent unlawful discrimination based on deployment of this technology.
Law enforcement and state government may only use Facial Recognition as part of ongoing surveillance in the context of an investigation or in the event of an emergency. The state’s privacy office will analyze deployment of this technology and report to the legislature by September 31, 2023.