Washington State Takes Center Stage for Privacy Legislation
As the 2020 legislative session begins, Washington State looks like Ground Zero for privacy bills.
Most prominent, of course, is Senate Bill 6281, the "Washington Privacy Act." This bill is a comprehensive consumer privacy statute, modeled generally on the GDPR (and, to some extent, on the CCPA). This bill deserves its own deep-dive blog post, which will be forthcoming as the legislative session proceeds.
At a very high level, however, this bill would:
- Give consumers rights of access, correction, deletion, and data portability, as well as the right to opt out of the processing of their information;
- Impose on businesses (data "controllers") obligations to minimize the data they collect, to specify the purposes for which they collect data, to avoid secondary uses beyond the specified purposes, and to conduct periodic "data protection assessments;"
- Define "deidentified" and "pseudonymized" data, with separate (more relaxed) rules about how businesses can use such data;
- Exclude from its scope a range of data covered by other federal and state laws, such as health-related data, financial data, and educational data;
- Impose a range of restrictions and requirements on the use of facial recognition technology; and
- Vest enforcement in the Attorney General, explicitly denying any private right of action.
The Washington Privacy Act will clearly be the focus of a great deal of lobbying and legislative activity in the coming weeks.
That said, a range of more focused privacy bills has been introduced as well. While the prospects of these bills vary, it’s worth reviewing them briefly, both to get a sense of the issues of concern to legislators and because any of them could at least potentially be enacted, either as a stand-alone bill or added as an amendment to the broader legislation.
Washington State Privacy Legislation
Here’s a quick look at the bills that would regulate commercial entities:
- House Bill 2364 is a shorter and less detailed version of a comprehensive privacy bill. It "declares, in plain language, the new baseline norms and expectations for the protection of personal data by businesses and enacts a lasting charter of personal data rights." These new rights and obligations would include:
- A consumer’s right to know what data a business collects and processes about the consumer; the right to access that data and have it available in a readily usable format; the right to object to and opt out of selling or licensing the data to third parties; the right to correct erroneous information; and the right to delete any information collected or processed by the business.
- A business’s obligation to provide clear notice of what information is collected and what the business does with it; to minimize data collection to that reasonably necessary to provide services requested by an individual; to avoid secondary uses; to keep personal data secure; to not discriminate against individuals who exercise their rights under the law; and to manage and supervise third parties engaged to store or process data on behalf of the business.
In addition, consumers would not be permitted to waive their rights under the law; and violations of those rights (or failure to fulfill a business’s obligations) are declared to be unfair deceptive practices and unfair methods of competition, subject to individual actions by consumers and actions by the Attorney General. The only specified exemption relates to a business collecting data regarding job applicants, employees, or contractors.
- House Bill 2363 would declare that people have an "exclusive ownership interest" in their biometric identifiers (broadly defined). This bill would require the Attorney General to convene a task force, comprised mostly of advocates for civil liberties, consumer protection, and privacy rights, which would recommend legislation to "provide justice to those whose ownership rights in biometric identifiers are violated."
At a high level, this bill would apply the logic of intellectual property (copyrights and patents) to the question of individual control over their own biometric identifiers. While conceptually interesting, it seems evident that there would be a range of practical issues in adopting this approach – which is probably why the bill calls for a report and recommendations rather than actually proposing any new substantive obligations.
- House Bill 2365 would require the design and deployment, by January 1, 2022, of stickers for connected devices that disclose that the device transmits consumer information to the device manufacturer and/or third parties. It would ban the sale of any connected device without the appropriate accompanying sticker.
- House Bill 2396 would regulate bots in a variety of contexts:
- First, the bill would make it unlawful (and an unfair or deceptive practice and an unfair method of competition) to use a bot to mislead any person about the bot’s artificial identity, but with no liability if the bot’s role in making the communication is adequately disclosed;
- Second, the bill would require online platforms to investigate reports by users of suspected misleading bot activity;
- Third, the bill would make it unlawful to use a bot for misleading online political advertising, again unless the bot’s role in making the communication is adequately disclosed.
- House Bill 2399 addresses connected devices with voice recognition capability. It would require manufacturers of devices with voice recognition capability, at "initial setup or installation," to prominently and separately advise consumers of that capability and that it may be used to process and retain recordings and transcripts of spoken words.
In the absence of express written consent, recordings and transcripts (a) could not be used for any advertising purpose; (b) could not be disclosed to any third party; and (c) could not be retained anywhere other than the device itself, unless affirmatively consented to by the user. Even if consent is given, the user would have to be able to delete any transcripts or recordings at any time, and could withdraw any consent given at any time.
Failure to comply with the new requirements is deemed to be an unfair and deceptive act and an unfair method of competition.
- Finally, House Bill 2401 addresses the use of artificial intelligence to process video recordings of job interviews. Employers would be required to:
- Notify the applicant that AI may be used to process the interview recording before the interview;
- Provide the applicant with information about how the AI works and what types of characteristics it uses to evaluate applicants;
- Obtain consent from the applicant to have the AI perform those functions; and
- Delete recordings of video interviews upon request of the applicant.
In addition, employers would be barred from:
- Using AI to evaluate applicants who have not consented to it;
- Sharing applicant videos beyond those people needed to evaluate the applicant; or
- Rejecting an applicant solely based on refusal to consent to the use of AI to analyze the interview.
Washington State Public Sector Privacy Bills
In addition to the foregoing, the legislature has introduced the following bills which would address privacy issues in the public sector:
- Senate Bill 6280 imposes a wide range of limitations and restrictions on the use of facial recognition technology by state and local government agencies. These include:
- Preparation of a detailed "accountability report" prior to deploying the technology;
- Preparation of an annual report on the extent of use of the technology, an assessment of compliance with the accountability report, and disclosure of any apparent violations of the report;
- Meaningful human review of any decisions having significant effects on consumers made using facial recognition technology, such as decisions about housing, education, or criminal justice;
- The obligation to test facial recognition technology before it is deployed and to require system providers to allow third-party testing for potential bias;
- The obligation to train users of the system regarding its capabilities and limitations, as well as the requirement of meaningful human review;
- Limitations on the use of facial recognition technology by law enforcement, including a warrant requirement before using the technology for ongoing surveillance; and
- The obligation to disclose to criminal defendants in a timely manner prior to trial the use of the technology.
- House Bill 2366 would make the state's Chief Privacy Officer an elected position.
- House Bill 2400 would require the state Office of Data Privacy and Protection to annually survey state agencies regarding their data collection, use and sharing, and their data security practices.
* * * * *
We’ll provide periodic updates on the progress of these bills through the Washington legislature as developments warrant.