What is the Washington Foundational Data Privacy Act (HB 1850)?

Background

Washington has been striving to enact its comprehensive privacy law for several years. Despite being one of the early states to consider such legislation, it has faced hurdles in finalizing a bill. In 2021, Washington was on track to become the third state with a comprehensive privacy law, but disagreements within the legislature prevented its passage. As of early 2022, the state introduced four privacy bills, with HB 1850 emerging as a frontrunner.

Bill History

You can get more information here such as the bill’s detailed history, available documents, amendments, and more.

Key Features

• A. Creation of the Washington State Consumer Data Privacy Commission
  A significant component of HB 1850 is the establishment of the Washington State Consumer Data Privacy Commission. This body would oversee the enforcement of the Act, similar to the role of the California Privacy Protection Agency under the California Privacy Rights Act (CPRA).
• B. Consumer Privacy Rights
  The Act grants several privacy rights to Washington residents, including the right to access, correct, and delete personal data, as well as the right to data portability and to opt out of data processing for targeted advertising.
• C. Annual Registration Requirement
  Businesses that fall under the scope of the Act must register annually with the Washington State Consumer Data Privacy Commission, providing details about their data processing activities and paying a registration fee.
• D. Private Right of Action
  The Act allows consumers to take legal action against businesses that violate their data privacy rights, enabling them to seek damages and other remedies.
• E. Prohibition of Targeted Advertising Based on Protected Attributes
  The Act prohibits targeted advertising based on protected characteristics such as race, sex, and ethnicity, aiming to prevent discrimination and protect consumer privacy.

Scope & Applicability

Who It Applies To

The Act applies to businesses that operate in Washington or target Washington residents and meet one of the following thresholds:

• • i. Control or process the personal data of at least 100,000 consumers annually.
  • ii. Control or process the personal data of at least 25,000 consumers and derive over 25% of gross revenue from the sale of personal data.

Definition of Personal Data

Under the Act, personal data includes any information linked or reasonably linkable to an identified or identifiable person, excluding de-identified data and publicly available information.

Exemptions:

The Act exempts certain entities and categories of data, including:

1. 1. Governmental organizations in Washington
   2. Municipal corporations
   3. Air carriers
   4. Non-profit organizations
   5. Regulatory insurance agencies
   6. Personal health information regulated by HIPAA
   7. Personal data under the Gramm-Leach-Bliley Act, Driver’s Privacy Protection Act, FERPA, and COPPA

Consumer Rights

The Act provides several key rights to consumers:

• • a. Right to Access: Consumers can confirm whether their data is being processed and access that data.
  • b. Right to Correct: Consumers can correct inaccurate data.
  • c. Right to Delete: Consumers can request the deletion of their data.
  • d. Right to Data Portability: Consumers can obtain their data in a usable format to transfer to another entity.
  • e. Right to Opt Out: Consumers can opt out of data processing for targeted advertising, data sales, and profiling.

Compliance Requirements for Businesses

Privacy Policy

Businesses must develop and maintain a clear, accessible Privacy Policy that outlines:

• • Categories of personal data processed
  • Purposes of data processing
  • Consumer rights and how to exercise them
  • Data sharing practices

Consumer Consent

Consent is crucial under the Act. Businesses must obtain explicit consent from consumers before processing sensitive data or using data for purposes beyond the initial scope.

Data Protection Assessments

Businesses must conduct data protection assessments for high-risk processing activities, such as targeted advertising and processing sensitive data.

Security Measures

The Act mandates reasonable administrative, technical, and physical security measures to protect personal data.

Enforcement & Penalties

One of the most significant provisions of the Washington Foundational Data Privacy Act (FDPA) is the establishment of the Washington State Consumer Data Privacy Commission and the introduction of a private right of action for consumers.

The Act states that the Commission is “created and vested with administrative powers and rule-making and administrative enforcement authority” to implement and enforce the FDPA and its associated regulations.

Washington State Consumer Data Privacy Commission

The Washington State Consumer Data Privacy Commission will consist of three commissioners appointed by the governor and confirmed by the Senate. It will function similarly to California’s Privacy Protection Agency, with the following responsibilities:

• • i. Assessing and Investigating Complaints: The Commission will evaluate and investigate consumer complaints and alleged violations of the FDPA.
  • ii. Rule-Making: It will have the authority to adopt, revise, and rescind rules to ensure compliance with the Act.
  • iii. Enforcement: The Commission will implement and enforce compliance through administrative actions, including issuing cease-and-desist orders.
  • iv. Consumer Guidance: It will provide guidance to consumers on how to exercise their data privacy rights.
  • v. Legislative Advice: The Commission will offer technical assistance and advice to the legislature on privacy-related matters.
  • vi. Additional Functions: It will perform other functions necessary to uphold the Act.

In terms of enforcement, the Commission has the authority to impose administrative fines of up to $2,500 per violation. For intentional violations or those involving children’s personal data, fines can go up to $7,500 per violation. This robust enforcement mechanism ensures that businesses comply with the stringent data privacy standards set forth by the FDPA.

Frequently Asked Questions (FAQs)

1. What is the Washington Foundational Data Privacy Act?
   The Act is a comprehensive privacy law proposed to protect the personal data of Washington residents, granting them rights and setting compliance requirements for businesses.
2. Who needs to comply with the Act?
   Businesses that operate in Washington or target Washington residents and meet certain data processing thresholds must comply.
3. What rights do consumers have under the Act?
   Consumers have the right to access, correct, delete, and port their data, as well as opt out of certain data processing activities.
4. What is considered personal data under the Act?
   Personal data includes any information linked or linkable to an identifiable person, excluding de-identified and publicly available data.
5. Are there any exemptions under the Act?
   Yes, certain entities and data categories, such as governmental organizations and data regulated by HIPAA, are exempt.
6. What are the security requirements for businesses?
   Businesses must implement reasonable security measures to protect personal data.
7. How does the Act handle consumer consent?
   Businesses must obtain explicit consumer consent for processing sensitive data and for processing beyond the initial purpose.
8. What is the role of the Washington State Consumer Data Privacy Commission?
   The Commission will enforce the Act, investigate complaints, issue fines, and provide guidance on compliance.
9. What are the penalties for non-compliance?
   Penalties can reach up to $2,500 per violation, or $7,500 for intentional violations or those involving children’s data.
10. How does the Act address targeted advertising?
    The Act prohibits targeted advertising based on protected characteristics and requires businesses to provide opt-out options for consumers.

Wrapping Up

The Washington Foundational Data Privacy Act (FDPA) is a significant step forward in protecting the digital privacy of Washington residents. Building on previous laws like the CCPA, CPRA, and VCDPA, the FDPA aims to provide comprehensive privacy protections and greater control over personal data. The creation of the Washington State Consumer Data Privacy Commission, introduces stricter consent requirements, robust consumer rights, and strong enforcement mechanisms.

The FDPA sets a high standard that could influence future legislation in other states, underscoring the growing importance of strong data privacy protections nationwide. Proactively addressing these requirements benefits both businesses and consumers, gaining better protection online. The FDPA is poised to make a significant impact on data privacy practices. Understanding and adhering to its provisions will benefit everyone, promoting transparency, accountability, and respect for personal data.