What’s Happening in Washington?
Like many states looking to protect their citizens' privacy, the state of Washington has been working diligently to prepare bipartisan legislation that creates its own privacy law. The best-known U.S. state privacy law is the California Consumer Privacy Act (CCPA), which was passed in 2018 but became fully effective as of January 2020. Enterprises and corporations all across the United States have been scrambling to get their data policies and processes up to par before the upcoming deadline in July 2020, when the state will begin enforcing penalties against those who fail to protect the data they hold.
Washington, on the other hand, will be implementing the new Washington Privacy Act (WPA), which was recently released for the public, corporations and other government officials to read. Washington has not only met the standard set by the CCPA but has upped the ante for all future privacy legislation to come. The bill is so comprehensive that it may serve as an example for upcoming proposed federal legislation and for other state legislation across the country.
Set Your Standards High
Why does this matter? Even if your business is not in California or Washington, their privacy laws matter if you expect to do any business with the residents who live there, regardless of where on the globe your headquarters is located. The state attorneys general have the power to enforce the legislation, impose fines and penalties, and in the end, ruin the business reputation of companies who fail to comply. It matters to your business if you want to succeed.
Laying Down the Law
Washington state is putting forth the most comprehensive privacy bill yet written to protect consumer privacy. While it is modeled after the CCPA and the GDPR, Washington is going above and beyond in protecting its citizens and laying down the law. One area it covers that the others do not is a detailed section targeted at facial recognition technologies. While the bill is expected to pass with bipartisan agreement, there may be some additional changes prior to its final vote. Here’s what you can expect to see coming:
Broadening of Consumer Rights
While both the CCPA and GDPR allow for access to and deletion of personal information, the WPA takes it one step further. It allows access and deletion, and also gives consumers control over their personal information, including the right to have it corrected.
It also widens the ‘opt-out’ abilities for consumers. Washington citizens will have the option of opting out of the use of their personal information for targeted advertising. Consumers can also choose not to have their personal information used to ‘profile’ them when it comes to significant decisions made about them, their accounts, or the consumer opportunities offered to them. And while the CCPA does allow consumers to refuse the sale of their personal information to third parties, the WPA broadens the scope by allowing consumers more control.
Expanded Responsibilities of Controllers
Similar to the CCPA, the WPA requires controllers of information to provide privacy notices. Both privacy laws require privacy notices to include information such as what personal information will be processed, the purpose of data collection, and the categories of third parties with which any personal data will be shared.
The WPA has moved to strengthen these requirements. It requires all controllers to “clearly and conspicuously disclose” if any consumer’s personal data will be used for targeted advertising. They must also provide an appeals process for consumers to follow if their rights are being denied.
The state of Washington has pushed even further to ensure consumers’ rights will be protected. Controllers are subject to state reviews and data minimization regulations. At any time, they can be subject to data protection assessments regarding any of their processing policies. All assessments must weigh the protection of consumer privacy over the sale or distribution of information. Controllers are subject to review of these assessments, which must be provided to the Washington State Attorney General’s office on demand.
Much like the GDPR, consent requirements must be met for processing “sensitive data.” Sensitive data can include personal information in health records, ethnicity and citizenship status, and even precise geolocation data with an accuracy of better than 1,750 feet. With these additional requirements and the penalties involved for misuse, the WPA draws a narrower and more specific line around sensitive data.
Processor Responsibilities Intensified
The WPA wants to be sure that companies have security controls around those who handle their data processing. Similar to the GDPR, both controllers and processors are required to follow strict guidelines and are responsible for having contracts of confidentiality in place. These confidentiality agreements with processors are far more rigid than those required under the CCPA.
In addition, processors are required to assist in privacy assessments. They must provide controllers with all data necessary to perform the assessments and must also allow for regular reviews of their own policies and practices.
Consumers Denied Private Right of Action
This is one area where the WPA differs from the other privacy regulations. Individual consumers cannot file suit for having their privacy rights violated or for data breaches. The CCPA, by contrast, allows for some limited liability.
The WPA is taking a direct approach, much closer to the proposed federal Data Privacy Act that is being considered by the U.S. Senate. In the state of Washington, companies will be held liable for data breaches and for individual privacy violations; however, all suits will be handled directly by the Attorney General’s office.
Responsibility Definitions for Facial Recognition Corporations
Much of the additional strength of the WPA, going above and beyond other privacy legislation, lies in its willingness to regulate businesses that provide or use facial recognition software and services. With some extremely narrow exceptions, controllers must post notices in conspicuous places that facial recognition systems are being used.
These companies must also obtain consent. Prior to placing a consumer’s photo into a database, notification of privacy practices and policies must be provided to the consumer, and consent must be given. These companies must also give consumers a way to appeal or challenge their insertion into such databases.
Much like the other data privacy assessments required by the WPA, processors must allow controllers to test their facial recognition systems for accuracy. Controllers and third-party reviewers are to be allowed to conduct periodic testing. The accuracy testing should include diverse population subgroups and account for the many differences in the human population for identification purposes. The test population should span ethnicity, race, gender, skin tones, age groups, and disabilities.
Should any testing produce negative results, and the validity of that outcome is confirmed, then it is mandatory for the processor to develop a fix, implement it, retest, and resolve any discrepancies. Along with privacy policies and information on the use of personal data, processors must also include documentation on their systems regarding their capabilities and limitations. This documentation must be written in clear and easy-to-understand language. The documentation processors must provide to controllers also includes a usage agreement that their services will not be used to discriminate against individuals through the facial recognition systems.
The WPA is setting the bar high by including a new area of discussion within its legislation: allowing consumers exclusive property rights over their own biometric data. With citizens owning their own biometric identifiers, the law will help to limit abuse or breaches based on those data points.
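The subgroup accuracy testing described above is, in practice, a disaggregated error-rate evaluation. The following is an added illustration, not code from the page, from CaseGuard, or from the WPA itself: it takes a batch of one-to-one verification trials, computes the false non-match rate (FNMR) and false match rate (FMR) per subgroup, and flags any subgroup whose error rate exceeds the best-performing subgroup by more than a chosen gap. The trial data, subgroup labels, and the 2-percentage-point gap are constructed assumptions for the example; a real review would use the reviewer's own trial set and an agreed threshold.

```python
from collections import defaultdict

# Each trial is (subgroup, genuine_match, system_said_match):
#   genuine_match     - whether the probe really belongs to the enrolled identity
#   system_said_match - the facial recognition system's decision
# A false non-match is a genuine pair the system rejected; a false match is an
# impostor pair the system accepted.
METRICS = ("fnmr", "fmr")


def make_trials(subgroup, genuine_total, genuine_missed, impostor_total, impostor_accepted):
    """Build constructed trial records for one subgroup (hypothetical data, not measurements)."""
    trials = []
    for i in range(genuine_total):
        # The first `genuine_missed` genuine pairs are wrongly rejected.
        trials.append((subgroup, True, i >= genuine_missed))
    for i in range(impostor_total):
        # The first `impostor_accepted` impostor pairs are wrongly accepted.
        trials.append((subgroup, False, i < impostor_accepted))
    return trials


# Constructed sample: three subgroups with different error profiles.
TRIALS = (
    make_trials("group_a", 200, 4, 200, 2)    # FNMR 2%, FMR 1%
    + make_trials("group_b", 200, 6, 200, 2)  # FNMR 3%, FMR 1%
    + make_trials("group_c", 100, 9, 100, 5)  # FNMR 9%, FMR 5%
)


def subgroup_rates(trials):
    """Return {subgroup: {"fnmr": ..., "fmr": ..., "genuine": n, "impostor": m}}."""
    counts = defaultdict(lambda: {"genuine": 0, "fnm": 0, "impostor": 0, "fm": 0})
    for subgroup, genuine, said_match in trials:
        c = counts[subgroup]
        if genuine:
            c["genuine"] += 1
            if not said_match:
                c["fnm"] += 1
        else:
            c["impostor"] += 1
            if said_match:
                c["fm"] += 1
    rates = {}
    for subgroup, c in counts.items():
        # Guard against subgroups with no trials of one kind (rate undefined -> 0.0).
        rates[subgroup] = {
            "fnmr": c["fnm"] / c["genuine"] if c["genuine"] else 0.0,
            "fmr": c["fm"] / c["impostor"] if c["impostor"] else 0.0,
            "genuine": c["genuine"],
            "impostor": c["impostor"],
        }
    return rates


def flag_discrepancies(rates, max_gap=0.02):
    """Flag subgroups whose FNMR or FMR exceeds the lowest subgroup rate by more than max_gap.

    Returns {subgroup: [metric, ...]} containing only the flagged subgroups.
    The absolute gap (in rate units) avoids dividing by a best rate of zero.
    """
    flagged = defaultdict(list)
    for metric in METRICS:
        best = min(r[metric] for r in rates.values())
        for subgroup, r in rates.items():
            if r[metric] - best > max_gap:
                flagged[subgroup].append(metric)
    return dict(flagged)


def discrepancy_report(trials, max_gap=0.02):
    """Convenience wrapper: rates plus the subgroups a reviewer would need to follow up on."""
    rates = subgroup_rates(trials)
    return rates, flag_discrepancies(rates, max_gap)


if __name__ == "__main__":
    rates, flagged = discrepancy_report(TRIALS)
    for subgroup, r in sorted(rates.items()):
        print(f"{subgroup}: FNMR={r['fnmr']:.3f} FMR={r['fmr']:.3f} "
              f"(genuine={r['genuine']}, impostor={r['impostor']})")
    print("subgroups needing remediation and retest:", flagged)
```

Flagged subgroups are the ones the processor would have to investigate, fix, and retest before the discrepancy is considered resolved; keeping the per-subgroup counts in the output lets a reviewer see whether a high rate rests on too few trials to be meaningful.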
Of course, there is so much more to the WPA that it bears extensive review by other states. It affects businesses globally that want to do business with consumers in the state of Washington. So even if your business is in Maine or Spain, you risk suit by the Washington State Attorney General if your business does not comply. Penalties, while still being set, will be severe, as the Attorney General’s office will handle all lawsuits and penalties. A minor infraction will not be overlooked.
Set Your Sights High
All these new data privacy regulations can be quite confusing for many companies. Which privacy regulation do you follow? How do you know? As a company you rely on IT and the Internet to function, to reach consumers, and to engage with marketplaces. With any system that’s plugged in, there come risks and consequences.
Today’s world is one where personal data is a valuable commodity. There will always be someone on the other side of a keyboard ready to make money from an opening left behind. The cyber world makes it an easy target, as the thieves believe they are hidden behind their own wall of cybersecurity, much like a bank robber wears a mask. A single data breach can cost a company its prized reputation and, in the end, its survival. This doesn’t even include legal fees or penalties.
Having your own privacy policies that have gone through thorough assessment and planning can help. Using an intelligent data redaction software system that can be incorporated at each step along the path of data collection, distribution, storage and destruction can help cut the risk to the privacy of your consumers as well as to your company’s bottom line. It can also help you sleep at night. CaseGuard has developed the top redaction software system on the market, which handles all types of data including documents, PDFs, facial recognition, video, and voice. It also includes automated features that can help with other forms of compliance, including transcription, translation, and captioning.
Still not sure which law to follow? Here is some smart, valuable advice from one of the world’s top privacy experts, Black & Veatch’s Global CISO James Waters, who had this to say about the many changing privacy rules and regulations: “As a Global CISO, the best advice I can give is don’t try to do something different for every part of the world. Pick and choose what you’re going to use from a policy and procedure standpoint. Generally, pick from a global perspective the most onerous and strict regulations you have to comply with and implement them globally.”
That is an amazingly smart view. You can’t jump through hoops and change your policies to fit every law. Instead, set your sights on the highest standard in each area of privacy regulation. This way, you have covered all your bases and protected both your consumers and your company’s data.