Washington state is re-introducing the Washington Privacy Act in a bid to help Washington state residents catch up to Europe’s GDPR privacy laws.
Europe’s General Data Protection Regulation (GDPR) is proving to be a game-changer in terms of personal privacy. The law was passed in June of 2018. Initially, opinion was split on whether this was the way forward for privacy laws. After all, much of it was largely untested at the time, which left room for negative speculation to circulate, at least among American observers.
Ever since then, GDPR has been a runaway success story, with one success following another. In fact, the law is so successful that people in other countries, including Canada and the United States, can only look on in envy and wish they had such laws in their own countries.
For the US, there hasn’t been much movement on this file for the last few years. This is largely thanks to the fact that, put optimistically, the US has been effectively leaderless since President Barack Obama left office. Currently, US leadership has been reduced to a never-ending stream of whining and complaining over the most trivial things on Twitter. What steps have been taken have led to well-earned corruption investigations as impeached president Donald Trump tries to use the powers of the office in a quest to enrich himself rather than looking out for what’s in the best interest of the country. Really, it’s no surprise that there has been pretty much no movement on the privacy file at the federal level.
However, just because there is no movement or leadership at the federal level doesn’t necessarily mean that there is no movement at the state level. In fact, this isn’t the first time the leadership vacuum has caused governments at the state level to step in and try to fill the void. In 2017, when the Federal Communications Commission eliminated the network neutrality consumer protections, governments at the state level stepped up to the plate and tried to fill the void left behind by this destructive move.
Now, it seems that governments at the state level are trying to fill the technological leadership void again, this time with respect to privacy laws. Washington State has re-introduced the Washington Privacy Act (WPA). Already, observers are comparing it to GDPR. From the National Law Review:
Washington legislators recently introduced the Washington Privacy Act (WPA). This legislation is a consumer-focused privacy law similar to the California Consumer Privacy Act (CCPA) but it also has some EU General Data Protection Regulation (GDPR)-like concepts. The WPA protects personal data in much the same way as CCPA, but with some significant differences. The WPA applies to legal entities that conduct business in Washington or produce products or services that are targeted to residents of Washington, and that satisfy one or more of the following thresholds:
(a) Controls or processes personal data of one hundred thousand consumers or more; or
(b) Derives over fifty percent of gross revenue from the sale of personal data and processes or controls personal data of twenty-five thousand consumers or more.
The WPA applies only to consumers and, as drafted, the legislation states that the definition of consumer does not include a person acting in a commercial or employment context. The WPA also does not apply to protected health information under the Health Insurance Portability and Accountability Act (HIPAA), activities governed by the Fair Credit Reporting Act, personal data collected pursuant to the federal Gramm-Leach-Bliley Act, the federal Driver’s Privacy Protection Act, several other federal and state laws, and data maintained for employment records purposes.
Lexology, for its part, published a comprehensive review of the legislation. This includes the following:
The WPA would apply to companies that conduct business in the State of Washington, or produce products or services targeted to Washington residents, and satisfy one or more of the following:
- Controls or processes personal data of 100,000 or more consumers; or
- Derives greater than 50% of gross revenue from the sale of personal data, and processes or controls personal data of 25,000 or more consumers.
The WPA would give consumers the following rights with respect to their personal data:
- Right of access: Consumers would have the right to confirm whether or not a controller is processing their personal data, and the right to access such personal data.
- Right to correction: Consumers would have the right to correct their data.
- Right to deletion: Consumers would have the right to request that their data be deleted.
- Right to data portability: When exercising their right to access personal data, consumers would have the right to obtain personal data concerning them in a portable and, to the extent technically feasible, readily usable format.
- Right to opt out: Consumers would have the right to opt out of the processing of their personal data for purposes of targeted advertising, sale of personal data, or profiling in furtherance of decisions that produce legal or significant effects on the consumer.
The Attorney General would have exclusive authority to enforce the WPA, and could seek penalties of up to $7,500 per violation.
The WPA does not create a private right of action.
A couple of questions can be raised here. One question is whether “per violation” applies to each affected individual. If 100 people have their information incorrectly disclosed (or have their rights under the law violated in some other way), does that mean a fine could theoretically come to $750,000, or does “per violation” apply to a single incident as a whole (meaning that 100 people having their information compromised would simply result in a $7,500 fine)?
Both scenarios have their own set of issues. In the former scenario, the law might end up favouring larger web services. After all, a $750 million fine doesn’t really mean a whole lot to the largest tech giants. Meanwhile, a $75 million fine for a smaller player pretty much means instant bankruptcy. Since so many compare these privacy laws to GDPR, this is where GDPR actually excels: the fines for violations are a percentage of global annual turnover. This means that the fines scale to the size of the company in question, so each fine will sting just as much for any company found guilty under such privacy laws.
If we are to take the latter scenario, then a fine really amounts to pocket change for the vast majority of companies that would fall under these laws (those who house 100,000 accounts or more).
So, with questions in hand, we attempted to ask for comment from the Electronic Frontier Foundation (EFF). Unfortunately, the EFF did not respond to our request for comment by the time of publication.
What is quite striking in all of this is the effect GDPR has had in the world of privacy. It has ultimately left other governments around the world far behind and scrambling to find a way to catch up. The process is, unfortunately, slow, but we are seeing movement on this file. How long it will take before countries outside of Europe adopt laws that at least put their citizens in the same ballpark as Europe remains to be seen. Still, while it has taken 2 years so far, there is certainly motivation to try and match Europe in the first place. That’s certainly a positive sign, to say the least.