2021 Washington Privacy Act Released
Update Applicable to:
Employers operating within Washington State.
The Washington State Legislature is once again working on passing a complete version of the Washington Privacy Act (WPA), that will impact all employers operating in the state.
What are the details?
The WPA will put several new requirements on businesses that utilize any form of consumer or employee data. Few exemptions are created for business, mostly only exempting state agencies and other forms of data related to health concerns, like HIPAA personal health information.
The WPA would provide consumers (i.e., Washington state residents) with the right to request that controllers (1) correct inaccurate personal data, (2) delete personal data, (3)confirm whether they are processing personal data about a consumer and, if so, allow the consumer to access the categories of personal data, (4) provide the personal data that a consumer previously provided to the controller in a portable and usable format, and (5)permit consumers to opt out of the processing of personal data that is processed for the purposes of targeted advertising, sold to third parties, or used for certain types of profiling decisions. Controllers would have 15 days to process opt out requests and 45 days to process other requests.
The WPA will also, much like other privacy related legislation, regulates the relationship between data processors and controllers. This will require them to enter into written agreements with each other that “set out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties.”
As most employers can expect, the WPA will also include a Privacy Notice requirement. The notice will identify, among other things, the categories of personal data the controller processes, the purposes for which the personal data are processed, how and where consumers may exercise their rights, the categories of third parties, if any, with whom the controller shares personal data, and whether the controller sells personal data or uses it for profiling. Additionally, controllers of personal data will be prohibited from processing sensitive personal data without consent
Should the WPA pass, it currently has an effective date set for July 31, 2022.
You can read more about the legislation here.
The bill may be read here in its entirety.
What do employers need to do?
Washington State businesses should keep a close eye on this legislation, as it will include large administrative costs for companies who handle personal information.