What Companies Need To Know About Washington State Privacy Laws
Data security and privacy are a relatively new area in the legal field, which is why cybersecurity and privacy legislation is constantly developing and changing. Considering that most companies/institutions maintain databases and backlogs of personal data of their clients, customers, students, and medical patients, there is a mounting outcry for systematic regulatory protections of this vulnerable information. After all, customers deserve privacy of their personal data and companies ought to maintain their credibility by taking consumer protection seriously.
As cybersecurity/privacy legislation continues to be in flux, it is imperative for Washington state companies to understand the concerns driving these changes, as well as to stay updated with new legal developments and data security employee requirements for staying compliant.
Before turning to Washington state regulations, let's briefly review what functions are served by data privacy legislation.
If you need help becoming compliant with Washington's laws, try EasyLlama's data security and privacy training. We'll help educate you and your employees to follow all of the regulations in Washington.
Get An Instant Free Course Preview
Try our best-in-class, interactive, and engaging courses for free!
What Do Privacy Laws Protect?
Data/information privacy law is concerned with enforcing data protection regulations. Those laws are focused on ensuring the proper handling of personal data: how it's collected, stored, managed, and shared -- and for what purposes.
"Personal Information" is defined as information about an individual that is readily identifiable to that specific person such as name, address, and telephone number (domain names and IP addresses are not included in this definition).
The umbrella rubric of "data protection" oversees two main areas:
- Security (encryption, network impermeability, access control, activity monitoring, breach response, etc.)
- Privacy (discovery & classification, consents, policies, data removal, 3rd-party management, etc.)
The "privacy" part of data protection law is focused on the rights of the individual, to ensure that people have a say over how their personal data are used.
This data privacy component concerns itself the following elements:
- Protecting an individual's right to be left in peace to control what happens to their personal data
- Setting measures for appropriate collecting/processing / sharing of sensitive data with 3rd parties
- Assuring compliance with data protection regulations
Why Are Data Privacy Laws Important?
Legislation on keeping personal data privacy is important for consumer protection. In the modern world, everyone is a consumer. Being a modern consumer, it is virtually impossible not to give up one's personal data on the daily basis: from signing up for apps to shopping online to having food delivered by the local diner. And when we engage with medical facilities and insurance companies, we give them access to extra sensitive data about ourselves (personal health information that, if leaked into the wrong hands, could be used for discriminatory or harassing purposes against an individual.)
These data that we innocently give away left and right are routinely harvested and resold to third parties who resell them to fourth parties, and on and on until your phone is ringing off the hook all with telemarketing robocalls wanting to chat about your car's extended warranty...
Over the years, innumerable companies have been able to get away with reselling customer data as if it were their property to sell (it is actually only borrowed and should always remain within the control of the customer!)
However, the sale of personal data and annoying telemarketers are just the tip of the iceberg: leaked confidential information that leads to public humiliation, stolen identities, financial scams targeted at specific age categories, etc. -- there are many sinister ways to misuse unsuspecting people's information for a wide array of unlawful and fraudulent activities that can create problems for targeted individuals for years to come.
What Is Being Done?
Because the explosion of information technology and media is a relatively new phenomenon, US legislation is still lagging in comprehensive, country-wide standards and practices that can be applied to all organizations handling the personal data of customers. Different strides and progress have been made with individual state laws, but it is fair to say that cybersecurity/privacy regulations are still in the early stages of development in the USA and that numerous bills are in the process of being drafted to bring more order and consumer data protections to the current "Wild West" situation.
Let's take a look at how data privacy has been handled so far in the state of Washington.
The Current State Of Privacy Legislation In Washington
In Washington, personal data remain unregulated on the state level (though several decentralized laws exist on the federal level). Efforts have been made in the last few years to pass the Washington Privacy Act (bill 2SSB 5062) which would grant consumers the right to access, edit, transfer, and delete their personal data with companies, including monolithic enterprises such as Google and Facebook who have been known to take liberties with user data.
The Saga Of The Washington Privacy Act
Using the European Union's General Data Protection Regulation (GDPR) as a model and trying to follow in the footsteps of the California Consumer Privacy Act (CCPA) passed into law in 2018, Senator Reuven Carlyle of Washington state-sponsored the Washington Privacy Act (WPA) for three years, with the hope to provide mandatory regulations and hold companies responsible for mishandling consumers' personal data. The bill would also allow consumers to understand how their personal data are captured and to be able to correct, delete, and opt-out of the use of those data for targeted advertisements to state residents and the sale of personal data.
For three years in a row, the bill garnered support from the Washington State Senate and the House of Representatives but failed to advance due to a lack of agreement about certain terms. Public policy representatives from Microsoft and the Washington Technology Industry Association had vouched for the bill at the most recent virtual public hearing in the Senate Committee on Environment, Energy & Technology held in January of 2021, while Amazon pledged its alliance in a letter to Sen. Carlyle. Nevertheless, the bill failed to get advanced by the April 11th deadline and was pronounced "dead" by the end of the month.
The latest incarnation of the WPA advanced by Sen. Carlyle in 2021, provided new rules, as they would apply to companies that do business in Washington or offer services targeted to Washington residents, whose operations fit into one or more of the following quotas:
- The company is controlling or processing personal data from 100,000+ consumers per year
- 25% or more of the business's gross revenue is generated by the sale of personal data, while the company is processing / controlling data from at least 25,000 consumers.
The Washington Privacy Act would not apply to government/state agencies, air carriers, and processors of protected health care information.
"Private sector" businesses that meet one or both of the above criteria, would be subject to the Washington Privacy Act as well as the latest amendments to its previous versions:
- The Attorney General's Office would have an increased technical and legal authority to exclusively enforce the bill.
- A new regulatory framework for how companies and governments deal with the processing of personal data in cases of public health crises (e.g. "contact tracing": the protocol for identifying, assessing, and managing individuals who have been exposed to disease to stop further transmission).
Further amendments had to be made to the bill before the House Civil Rights and Judiciary Committee (CRJC) let the bill pass to the Washington Legislature's 2021 session. Those amendments included:
- Permanent exemption for nonprofits that do not sell information for monetary value
- Redefinition of the age (13-16) at which a consumer is considered a "minor" whose consent for targeted advertising would be required.
- Adding new consumer rights that would a.) allow consumers to access their particular personal data, as opposed to just categories of personal data and b.) institute a time limit of 45 days for companies to respond to a right-to-access request from a consumer.
- Introducing an opt-out process for consumers in regards to disallowing companies that engage in processing personal data from using it for marketing purposes and selling it to third parties (in this particular amendment, specifically to allow the use of appointed authorized agents for consumer rights, as well as to mandate compliance with consumers' requests to opt out).
- Enforcement-wise, on request of Attorney General's Office, the "right to cure" violations would expire after one year after the Act going into effect; also the Attorney General would not enforce statutory penalties and the courts would be required to consider a company's good-faith efforts to be legally compliant before an enforcement action imposing a penalty gets filed.
Criticisms Of The Washington Privacy Act
The bill has been criticized for not doing enough to protect customer or student rights when it comes to keeping their information private as well as exempting too many institutions from being held responsible for data handling. Some proponents of consumer rights criticize the opt-out model, insisting that, when it comes to personal data, consumers should only ever have to opt-in because the opt-out approach is set up against consumer interests
On the other side, many corporate entities have been none too thrilled with the possibility of becoming increasingly exposed to litigation by consumers, made possible by the WPA bill.
Among the points of contention between different sides, the most disputed and complicated provision of the Washington Privacy Act -- one believed to be responsible for the bill's failure to advance into law -- is the Private Right of Action.
What Is A Private Right Of Action?
A "private right of action" allows a private individual or company (as opposed to a state/government / public entity) to take action to enforce their legal rights without needing to rely on a single federal enforcement agency or the state or federal government to get involved. In the context of a data protection bill, a private right of action lets the customer sue a company for mishandling their data without needing to file a complaint with a state or federal consumer protection agency first.
After the last round of House-precipitated amendments, the Washington data privacy bill emerged with a limited private right of action added to its amendments. The proposed version of the private right of action contained two major concessions:
- Private lawsuits against companies would only be allowed for just two sections of the bill -- the "anti-discrimination" section and the "consumer rights" section (that grants the right to gain access to, correct, and delete one's data as well as to opt-out of data processing for targeted advertising, sales, and specified types of profiling) -- leaving all other sections out of being eligible for litigation.
- The provision also denies those consumers who wish to sue companies over data handling/privacy violations the right to collect damages, with available remedies being limited to injunctive relief and attorney's fees/costs.
Despite the compromises made over the Private Right of Action, Washington's privacy bill was not passed into law, as some legislators feared it encouraged a potential avalanche of consumer litigation.
What Other Legal Personal Data Protections Exist For US Consumers?
Compared to the European Union's GDPR, the United States is yet to create a federal-level general consumer law protecting the privacy of personal data -- but there do exist a handful of vertically-focused information protection/privacy laws worth reviewing:
US Privacy Act of 1974
This landmark bill was designed to regulate how the government handles the information of the individuals in their databases. According to this bill, US citizens can access, copy, and correct any information held by government agencies, whose officers' access to personal data is limited to a need-to-know basis.
Health Insurance Portability And Accountability Act (HIPAA)
HIPAA was passed in 1996 in order to bring regulation to the health insurance industry, with sections dedicated to keeping "protected health information" private and secure. While the bill allows the health care provider / "covered entity" to use medical patient information if it pertains to "treatment, payment, and health care operations" -- selling the same information, or using it for marketing purposes, is not lawful without express authorization by the patient.
Children's Online Privacy Protection Act (COPPA)
Passed at the turn of the 21st century, this bill was aimed at regulating information of personal nature collected from underage minors.
In recent years, COPPA broadened the reach of its rules as well as the score of protected information to include screen/video chat names, email addresses, audio recordings, photographs, and street-level geographical coordinates.
Gramm-Leach-Bliley Act (GLBA)
GLBA was a piece of legislation created in the 1990's, to regulate the banking / financial sector. The bill offered improved personal data security and privacy regulations of the nonpublic personal information (NPI) collected by financial institutions, letting patrons opt-out of sharing their information with "non-affiliated" third parties. However, when it comes to affiliated (i.e. "corporate family") third parties, customers of financial institutions have no say over how their NPI is distributed.
As mentioned, several US states have tried to pass their own privacy bills, with varying degrees of success, with California, Nevada, and Virginia passing the more comprehensive personal data protection legislation so far.
Data Privacy Training Is Key To Preventing Future Troubles
Enough high-profile security breaches have happened in the public eye over the recent decade to demonstrate how devastating a data leak can be to everyone involved: the consumers whose personal data has been compromised and the companies that let it happen and lost significant business and credibility as the result.
A breach in cybersecurity or data privacy can fairly be called a "disaster" for companies. And, as with any disaster, preventative measures are a company's best bet to keep trouble at bay. Through training employees on how to safely handle data is not yet mandatory in the state of Washington, it is only a matter of time before it will be. In the meanwhile, cyber-attacks and data leaks can strike at any time. The sooner you get your company's workforce on board with understanding the importance of safeguarding personal data and knowing how to handle and sensitive information, the sooner your company gets ahead of the curve.
Safeguard your customers' trust and protect your company from major legal and financial "fallout" with EasyLlama's high-quality, easy-to-use cybersecurity/data privacy training program! It's software and design reflect the latest technology and scientific developments, the training is simple and fun for the employees, and it comes with no contract required, no long-term commitment, and no setup fees.