Washington Foundational Data Privacy Act (HB 1850)

The Washington Foundational Data Privacy Act (also known as HB 1850 or FDPA) is one of three comprehensive privacy bills proposed in the state of Washington to protect and enforce the data privacy rights of its residents.

The Washington Foundational Data Privacy Act was introduced by representatives Vandana Slatter and April Berg in January 2022 to possibly become Washington's comprehensive privacy law, much like California's Consumer Privacy Act (CCPA) and Virginia's Consumer Data Protection Act (VCDPA).

With the absence of a comprehensive privacy law at the federal level, it's no surprise that more and more states are contemplating state-level privacy laws to protect the personal data of their residents.

In short, the Washington Foundational Data Privacy Act features:

• The creation of the Washington State Consumer Data Privacy Commission
• Several privacy rights for Washingtonians that businesses must observe
• An annual registration requirement for companies under its scope
• A private right of action for consumers
• The prohibition of targeted advertising based on protected attributes like race, sex, and ethnicity

This article will take a deeper look at the Washington Foundational Data Privacy Act and discuss who it applies to, what it requires, and how you can comply with its provisions if the act is passed.

What is the Purpose of the Washington Foundational Data Privacy Act?

In today's technology-driven world, the risks presented by the sheer volume and type of personal data being generated have triggered a rapidly growing awareness of digital privacy as a fundamental right.

To address this phenomenon, governments all over the world have taken decisive measures by drafting privacy laws to regulate the use of personal data and protect the digital privacy rights of consumers.

This trend is especially prevalent in the U.S. as several states, including California, Virginia, and Colorado, have followed in the EU's footsteps and drafted comprehensive privacy laws (similar to the GDPR) to safeguard the data privacy rights of their residents.

Currently, several more states in the U.S. have multiple privacy bills under consideration, and the state of Washington is no exception.

In fact, this year marks Washington's fourth attempt at passing a comprehensive law to protect and enforce the foundational data privacy rights of Washingtonians.

The Washington Foundational Data Privacy Act aims to satisfy this requirement by:

• Protecting the digital privacy of consumers
• Giving consumers more control over their data, and
• Holding companies to a higher standard in their use of personal data

According to the original text of the act:

"With this act, the legislature intends to: Provide a modern privacy regulatory framework with data privacy guardrails to protect individual privacy; establish mechanisms for consumers to exercise control over their data; and require companies to be responsible custodians of data as technological innovations emerge."

Lastly, the FDPA was introduced to establish a new privacy commission that regulates how companies control and process the personal data of Washingtonians.

Now that we know what the FDPA intends to accomplish, let's take a look at who has to comply and how certain terms are defined under the act.

Who the Washington Foundational Data Privacy Act Applies to

The FDPA applies to companies that do business in Washington or produce products or services that target the residents of Washington and also meet either of the following thresholds:

• Controls or processes the personal data of at least 100,000 consumers in a calendar year, or
• Controls or processes the personal data of at least 25,000 consumers and derives over 25 percent of gross revenue from sharing personal data

Personal Data Under the Washington Foundational Data Privacy Act

According to the FDPA, personal data is defined as:

"any information, including pseudonymous data, that is linked or reasonably linkable to an identified or identifiable natural person, household, or consumer device. Personal data does not include de-identified data or publicly available information."

There are two key terms to take note of in this definition. First, pseudonymous data refers to any data that cannot be linked to a specific individual without obtaining additional information.

Moreover, such additional information must be kept separate and subject to reasonable technical and organizational measures.

Secondly, de-identified data refers to any data that you cannot reasonably use to deduce information about or link to an individual.

Additionally, before you can classify any data as "de-identified" under the FDPA, you must do the following:

• Take reasonable steps to ensure that the data cannot be linked to a natural person, household, or device
• Make a public commitment to maintain and use the data only in a de-identified form and not try to re-identify it, and
• Ensure that any recipient of the data is contractually obligated to comply with the provisions listed above

A Consumer Under the Washington Foundational Data Privacy Act

The FDPA defines a consumer as:

"a natural person who is a Washington resident acting only in an individual or household context. It does not include a natural person acting in a commercial or employment context."

To better clarify, an employee or business partner at your company is not considered a consumer under the FDPA.

Consent and Sensitive Data Under the Washington Foundational Data Privacy Act

The FDPA requires companies to obtain consent from consumers before processing their sensitive data.

According to the act, consent means:

"any freely given, specific, informed, and unambiguous indication of the consumer's wishes by which the consumer signifies agreement to the processing of personal data relating to the consumer for a narrowly defined particular purpose."

The FDPA is very clear on what constitutes consent and what doesn't. For instance, the act stipulates that accepting a general Terms and Conditions agreement (or a similar agreement) that describes personal data along with other unrelated information does not constitute consent.

Furthermore, the act states that:

"hovering over, muting, pausing, or closing a given piece of content does not constitute consent. Likewise, agreement obtained through dark patterns does not constitute consent."

On the other hand, sensitive data refers to a distinct form of personal data that reveals any of the following:

• Racial or ethnic origin
• Religious beliefs
• Mental or physical health diagnosis or condition
• Sexual orientation
• Citizenship or immigration status
• Genetic or biometric data that identifies an individual
• Information about a known child
• Specific geolocation data

Who the Washington Foundational Data Privacy Act Doesn't Apply to

As expected, not all businesses and data types are subject to the FDPA. Below are the organizations and categories of personal data exempted from coverage.

Excluded Entities

The following organizations are exempt from having to comply with the Washington Foundational Data Privacy Act:

• Governmental organizations in Washington
• Municipal corporations
• Air carriers
• Non-profit organizations
• Regulatory insurance agencies

Exempted Categories of Data

The Washington Foundational Data Privacy Act excludes the following categories of information:

• De-identified information
• Personal health information under the Health Insurance Portability and Accountability Act (HIPAA)
• Personal data collected, processed, or disclosed under the federal Gramm-Leach-Bliley Act
• Personal data collected, processed, or disclosed under the federal Driver's Privacy Protection Act (DPPA)
• Personal data regulated by the federal Family Education Rights and Privacy Act (FERPA)
• Personal data regulated by the student user privacy in the Education Rights Act
• Personal data collected, processed, or disclosed under the federal Farm Credit Act (FCA) of 1971
• Personal data relating to employment

Finally, organizations already in compliance with the Children's Online Privacy Protection Act (COPPA) are exempted from the FDPA parental consent obligation.

Next, we will cover what the act requires of companies that fall under its scope and what steps can be taken to comply.

Requirements and Best Practices for Compliance with the Washington Foundational Data Privacy Act

If passed into law, the FDPA will require businesses that target residents of Washington to assess their data processing practices and take certain steps to comply with its provisions.

Without further ado, let's take a look at the requirements and go over what steps you can take to comply.

Have a Detailed Privacy Policy

The Washington Foundational Data Privacy Act requires you as a data controller (i.e., any individual or entity that decides the purposes and means of processing personal data) to publish a reasonably accessible, straightforward, and meaningful Privacy Policy.

Your Privacy Policy must clearly and prominently explain the following information:

• The categories of personal data you control or process
• The purposes for which you control or process personal data
• How and where consumers may exercise their data privacy rights
• How consumers may appeal your action regarding their requests
• The categories of personal data you share with third parties (if any)
• The categories of third parties (if any) with whom your share personal data
• How you share personal data with third parties or process personal data for targeted advertising
• How consumers may exercise the right to opt out of the processing of their personal data

Finally, the FDPA states that your Privacy Policy must be written in a "clear and simple language" and must be understandable to the "least sophisticated consumer."

For example, here's how the payment provider Stripe discloses this information in the introduction of its Privacy Policy:

Enhance Consumer Data Privacy Rights

The Washington Foundational Data Privacy Act grants consumers five data privacy rights that must be observed by organizations under its scope.

In short, consumers' rights under the FDPA are as follows:

1. The right to confirm whether or not a controller is processing their data and the right to access the data being processed
2. The right to correct any inaccurate details in their personal data
3. The right to delete their personal data, including data from all parts of a controller or processor's network and backup systems
4. The right to obtain their data in a portable and readily usable form that allows the transmission of data to another controller without hindrance

5. The right to opt out of the processing of personal data for the purposes of:

   • Targeted advertising
   • The sharing of personal data
   • Profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer

It is crucial to note that according to the act:

"A controller may not discriminate against a consumer for exercising any of the rights contained in this chapter, including denying goods or services to the consumer, charging different prices or rates for goods or services, and providing a different level of quality of goods and services to the consumer."

Here's how Tesla presents these rights in its Customer Privacy Notice:

Obtain Consumer Consent

Consent is an essential component of the Washington Foundational Data Privacy Act. As a data controller, you are required to obtain a consumer's consent before processing personal data for purposes that are not reasonably necessary to, or compatible with, pre-established purposes.

Additionally, you must obtain consent before processing a consumer's sensitive data and provide an effective mechanism that allows consumers to easily withdraw consent.

Note that once consent is withdrawn, you must stop all processing activities as soon as practicable, in at most 15 days.

Also, if you already comply with COPPA, you are exempt from the FDPA's parental consent obligation.

To obtain consent, it's highly recommended that you use an unticked clickwrap checkbox to ensure that consumers have read, understand, and agree to let you process their data like IntelliWHiTE does here:

Implement Reasonable Security Measures

The FDPA also calls for businesses to "establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data."

Moreover, the data security practices implemented must be suitable to the volume and type of personal data being processed.

Here's a good example from Luxoft:

Conduct Data Protection Assessments

According to the Washington Foundational Data Privacy Act, businesses must conduct and document a data protection assessment for processing activities that involve the following:

1. Targeted advertising
2. The sharing of personal data

3. Profiling, where such profiling presents a reasonable risk of:

   • Unfair or misleading treatment of consumers
   • Financial, physical, or reputational injury or intrusions to consumers, or
   • Other significant injuries to consumers
4. Sensitive data
5. Personal data that "presents a heightened risk of harm to consumers"

These assessments help identify and weigh the benefits to be derived, either directly or indirectly, from data processing activities against the potential risks to consumers' rights (lessened by security safeguards).

It's also important to note that data protection assessments conducted by a controller to comply with other laws are acceptable under the FDPA as long as they have similar scope or effect.

Observe the Prohibition of Processing Based on Protected Characteristics

A distinctive stipulation in the Washington Foundational Data Privacy Act is the ban placed on data processing activities and targeted advertising based on a consumer's "race, color, ethnicity, religion, national origin, sex, gender, gender identity, sexual orientation, familial status, lawful source of income, or disability."

This is intended to help curb unlawful discriminations against a consumer, especially in regard to the provision of:

• Housing
• Employment
• Credit
• Education
• The products, services, facilities, privileges, benefits, or accommodations of any place of public accommodation

Annual Registration Requirement

The Washington Foundational Data Privacy Act mandates businesses to observe the annual registration requirements entrenched in its provisions.

This generally includes:

• Filling out a digital application
• Providing information such as a controller's personal details, data processing models and methods, and annual gross revenue
• Paying a registration fee, the sum of which depends on a company's annual gross revenue

It should be noted that the FDPA imposes fines on businesses that fail to comply with these requirements or provide inaccurate or incomplete information.

Washington Foundational Data Privacy Act Enforcement and Penalties

Perhaps the most noteworthy provision in the FDPA is the creation of the Washington State Consumer Data Privacy Commission and a private right of action for consumers.

According to the act, the commission is "created and vested with administrative powers and rule-making and administrative enforcement authority" to implement and enforce the FDPA and the regulations adopted by the commission.

Washington's new privacy commission will be composed of three commissioners appointed by the governor, with the agreement of the senate, and will operate in a similar manner to California's Privacy Protection Agency.

The commission will carry out several duties including:

• Assessing and investigating consumer complaints and alleged violations
• Adopting, revising, and rescinding certain rules
• Implementing, and enforcing compliance through administrative actions
• Providing guidance for consumers to exercise their rights
• Providing technical aid and advice to the legislature concerning privacy-related matters
• Performing other similar functions

In addition to enforcing the provisions of the act, the commission will be responsible for punishing violators by requiring a cease and desist of any violation or an administrative fine of up to $2,500 for each violation.

The commission may also claim a fine of up to $7,500 for each intentional violation and each violation involving the personal data of a child.

Summary

Below are the key takeaways from this article that can help your business comply with the Washington Foundational Data Privacy Act:

• The FDPA is a digital privacy act that was created in order to protect and enforce the foundational privacy rights of Washingtonians.
• The act may apply to businesses that operate in Washington or produce goods or services that target Washingtonians if other criteria are met.
• The act requires businesses to develop and maintain a clear and transparent Privacy Policy to disclose relevant information to consumers.
• The data privacy rights laid out in the act must be observed and businesses must help exercise them at a consumer's request.
• Using a clickwrap method to obtain consent where applicable is considered a best practice and helps you avoid legal issues.
• The act requires businesses to provide a mechanism that allows consumers to easily opt out of the processing of their data as well as withdraw consent anytime they wish.
• The act requires businesses to set up appropriate safeguards to protect personal data.
• The act prohibits processing activities and targeted advertising based on protected features like race, gender, and ethnicity that discriminate between consumers.
• The act requires the annual registration of businesses that fall under its scope.
• The act requires you to frequently conduct data protection assessments when necessary.
• Finally, the act imposes fines and other penalties on violators.