California has been getting most of the attention lately for the California Consumer Privacy Act, but Washington may be following closely behind with its own bold new privacy statute. Senate Bill 5376 has been approved by the state's Senate and is currently before the House (in the Environment, Energy & Technology Committee as of the date of this post). The current version can be viewed here.
"Washingtonians cherish privacy as an element of their individual freedom..." the bill begins (somewhat awkwardly), and takes off from there. Briefly, here are some highlights:
- Jurisdiction resembles the CCPA's. The act applies to entities that conduct business in Washington or intentionally target Washington residents if they (a) process the personal data of 100,000 or more consumers, or (b) derive over fifty percent of their gross revenue from the sale of personal data and process the personal data of 25,000 or more consumers.
- The controller/processor paradigm is clearly set out, reflecting the influence of the GDPR (and, by analogy, HIPAA's covered-entity/business-associate structure). Controllers and processors share liability under a "comparative fault" framework.
- Access, correction, and deletion rights are each specifically conferred (much as under the CCPA and GDPR), and each is subject to "verification" of the request.
- Consumers have a right to information regarding a controller's sharing of their data (by category) with processors, and processors must cooperate with controllers to fulfill opt-out, correction, and deletion requests from consumers.
- Consumers are given the specific right to opt out of "targeted advertising" by controllers, and third-party processors must honor the request.
- Consumer requests should be fulfilled within 30 days, though the deadline can be extended by a further 60 days where necessary.
- Risk assessments (similar to privacy impact assessments) are mandated for all new processing of personal data and for material changes to existing processing; the requirement is not limited to sensitive data. If the risks to the consumer are substantial, the processing may proceed only with the consumer's consent. The AG may inspect risk assessments, but they are otherwise confidential.
- There are health care carve-outs; the bill does not appear to be intended to overlap with HIPAA.
- The use of facial recognition (a) for decision-making with "significant effects" or (b) by the government is specifically restricted.
- There is no private right of action created by the statute.
- The AG will enforce the statute, subject to a 30-day cure period.
- An "office of privacy and data protection" is created, and all civil penalties the AG collects from violators will be used to fund it.