The Washington Privacy Act, the CCPA and the GDPR
The Washington Privacy Act (WPA) has cleared the Senate (46-1) and now faces deliberation in the House, where it failed last year. This second WPA has considerable changes from the previous version, however, and many say a better chance of becoming law. Sen. Reuven Carlyle (D-Seattle), the bill’s sponsor, has said the goal of this policy is to “take the best of the two global standards,” referring to the California Consumer Privacy Act (CCPA) and the EU General Data Protection Regulation (GDPR). The strong influences of both laws are apparent; however, the WPA also has a few new takes we haven’t yet seen.
Consumer Rights under the WPA
While the GDPR and CCPA have certain rights in common, they don’t all map exactly and each has rights not included in the other. The WPA pulls in consumer rights from both laws and puts its own twist on some that you may already be familiar with.
Access: Access rights are provided under both the CCPA and the GDPR, look fairly similar in both laws, and the WPA maps closely to them.
Deletion: While offered in both the CCPA and the GDPR, deletion looks somewhat different in each. The CCPA has a lot of exceptions under which a business does not need to delete information, while the GDPR has far fewer. The WPA seems to favor the European approach here, with fewer restrictions on the consumer’s right to have their personal data deleted.
Correction: The right to correction is not afforded to Californians under the CCPA but is a provision of the GDPR, where it is referred to as rectification. The WPA has adopted this right for Washingtonians, and looking at the upcoming California Privacy Rights and Enforcement Act of 2020, it seems the crafters of the CCPA recognize the need for such a protection in California as well.
Portability: The right to data portability is explicitly called out in the GDPR, and that law sets a higher bar for businesses (controllers) than the CCPA does. Both laws require that personal data be provided to a data subject (consumer) in a readable and portable format; however, portability is a separate provision in the GDPR, and it gives data subjects the right to have their information transferred directly from one controller to another where technically feasible. While the WPA’s structure puts more emphasis on portability than the CCPA does, the substance of the provision maps to the CCPA rather than the GDPR.
Right to opt-out: The right to opt out of the sale of personal information maps to that of the CCPA. And, much to the chagrin of businesses across the land, the definition of “sale” also maps to that of the CCPA. However, there is no specified requirement for submission methods like those in the CCPA; the methods just need to be “clear and conspicuous.” The WPA also includes a right to opt out of the processing of personal information for the purposes of targeted advertising.
Non-discrimination: The WPA’s right to non-discrimination comes directly from the CCPA; the GDPR does not include such a provision. In the WPA, however, the right is housed within the section on the responsibilities of controllers rather than the section on consumer rights, unlike the CCPA, where it is part of the consumer rights section.
Also included in the section on the responsibilities of controllers are common data protection principles such as transparency, purpose specification, data minimization, and security. These align closely with the GDPR and are provided for, in one form or another, in the CCPA.
It is important to note, however, that the WPA is subject to certain exceptions. One of them states that the law will not restrict a business’s ability to “Conduct internal research to improve, repair, or develop products, services, or technology” (alongside several other exemptions). This seems to go beyond any exception in the CCPA, the closest of which (§ 1798.105(d)(7)) relates to deletion only and requires that the use be “reasonably aligned with the expectations of the consumer.”
Definition of child
Under both the CCPA and the GDPR, there are special rules around children’s personal data. The GDPR obligates EU member states to set an age for consent to processing between 13 and 16 years. The CCPA requires opt-in consent to sell the personal data of children under 16 years old. The WPA has chosen a different tack from both of those laws, setting the age of a “child” at under 13 years, which is in keeping with the U.S. federal law, the Children’s Online Privacy Protection Act (COPPA). However, COPPA is currently under scrutiny as to how well it protects children’s data, and one of the aspects being challenged is whether 13 is an adequate age at which to remove its protections. So, whether the WPA will end up being consistent with any of these laws remains to be seen.
Definition of consumer
The definition of “consumer” in the WPA tracks more closely to that of the CCPA than to the definition of “data subject” in the GDPR, as it is tied to residency. The GDPR has no stipulation that a data subject be a resident of the EU to be protected by the law.
The WPA includes a subset of personal data called “sensitive data,” to which it affords a higher level of protection. This concept echoes the GDPR’s special categories of personal data. The CCPA does not include a special class of personal data; however, the California Privacy Rights and Enforcement Act, to be voted on in the 2020 election, does.
Data protection assessments
The WPA requires data protection assessments (DPAs) for any processing activities that involve personal data, full stop. It also requires additional assessments when a change in processing will materially increase the risk to consumers. At first blush, this may sound like the GDPR’s data protection impact assessment (DPIA) requirement; however, the GDPR only requires a DPIA when the processing is “likely to result in a high risk to the rights and freedoms” of the data subject. Not so in the WPA. Additionally, if the DPA shows there is a high risk to the consumer, organizations may only engage in the processing with the consumer’s consent (barring an alternative applicable exemption). Under the GDPR, that same result from a DPIA would necessitate prior consultation with the supervisory authority before engaging in the processing.
Similar to the CCPA, the WPA establishes the state Attorney General as its sole enforcement body and allows for penalties of up to $7,500 per violation (the CCPA also provides a lower cap of $2,500 for unintentional violations). Unlike the CCPA, the WPA does not include a private right of action (neither does the GDPR), but it is clear that the penalty figures, and the fact that they are tied to the number of violations, come from the CCPA.
It is important to note that there has been much debate over whether this law should include a private right of action. This is something that will surely need to be resolved before the bill is finalized.
Both the CCPA and the GDPR protect biometric information within their covered categories of personal data, but it is worth noting that the WPA has a large section on the use of facial recognition technology by private businesses (use by public agencies is addressed in a different bill) that includes very specific rules. This has led to some controversy among privacy advocates who feel that facial recognition should be addressed in separate legislation.
Unlike both the CCPA and the GDPR, which allow for local regulations that include protections beyond those offered in the respective overarching law, the WPA preempts local regulation. This means that if, for example, Seattle wanted to implement a facial recognition ban like that of San Francisco, the WPA would prohibit it.
As Carlyle indicated, much of the WPA was crafted by culling provisions from the two best-known comprehensive privacy and data protection laws that came before it, but its crafters have put a new spin on many provisions that look familiar on the surface.
It remains to be seen how this new version of the WPA will fare. What we do know is that if it passes, the patchwork of legislation grows and compliance becomes even more complicated. Job security, I guess.