This week, the Washington Senate approved the Washington Privacy Act (WPA) to advance data privacy rules within the state. It follows in the footsteps of other wide-ranging privacy regulations introduced in recent years, such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). It’s informed by growing consumer demand for control over how personal data is stored, processed and used for profit by data-driven organizations.
The WPA, like other regulations of its ilk, walks a very fine line. On one hand, the ability to process large amounts of data is key to organizations innovating and improving our quality of life. On the other, there has been little transparency in how that data is used and sold for profit, a point that has become controversial in recent years following a number of discoveries uncovering how data collection and sales have altered the outcome of landmark elections around the world. The WPA is a clear effort to strike a balance between these two interests.
Like the CCPA, the WPA applies to residents of its state. However, we can expect its privacy regulations to inadvertently extend to consumers well beyond its borders as well. Like other privacy regulations, it will also affect companies operating outside of Washington State. By joining the fold of wide-ranging privacy regulation, the WPA is helping pave the way to data transparency normalcy. We are arriving at a point where it will be easier, and even expected, for enterprises to universally comply with general and specific data protection principles for all users by default.
Some interesting WPA highlights
Facial recognition: Unlike the CCPA, the WPA has a specific section dedicated to facial recognition. It instructs data processors to expose the Application Programming Interfaces (APIs) that allow for testing of algorithm accuracy and of unfair performance discrepancies across different subpopulations. With the WPA, companies operating facial recognition must provide documentation about their usage of facial recognition, explain its capabilities and limitations, and actively work to prevent discrimination based on facial recognition.
Right to correction: Under the act, consumers not only have the “right to be forgotten”, or “right to be deleted”, they also have the “right to correction”. This means that a consumer may also request that companies correct inaccurate personal details about them.
This could pose interesting technical challenges for enterprises down the line. In many cases, Big Data technologies are read-only. Deleting data about a consumer may cause a lot of data to be rewritten. Updating that data may cause even more complications: instead of rewriting data for certain items, it could create a need to replace data with new input and validate that it doesn’t break anything.
Data protection & data assessment: The act strengthens business compliance and accountability requirements by requiring data protection assessments for the collection and use of personal data. These assessments can be obtained and evaluated by the Washington Attorney General.
These assessments weigh the benefit of controlling and processing consumer data (its benefits to the business, the consumer and the public) against the nature and sensitivity of the data. The assessments also account for the possibility of using de-identified information instead. In other words, even if certain data can be stored and processed by a company, it may still be advisable for the company to mask identifiable items if it doesn’t need them to remain explicitly identifiable (e.g. when tracking sales trends).
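The masking described above, as an added sketch that is not part of the original post or of any product it mentions: direct identifiers are dropped, the customer is replaced by a keyed pseudonym, and the sales trend computed from the masked records matches the one computed from the raw records. The field names, the sample records and the key are constructed assumptions.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample purchase records; every name and value here is made up.
RAW_SALES = [
    {"email": "ana@example.com", "name": "Ana Diaz", "zip": "98101", "month": "2021-01", "amount": 40.0},
    {"email": "Ana@Example.com", "name": "Ana Diaz", "zip": "98101", "month": "2021-01", "amount": 15.5},
    {"email": "bo@example.com", "name": "Bo Lee", "zip": "98052", "month": "2021-01", "amount": 20.0},
    {"email": "bo@example.com", "name": "Bo Lee", "zip": "98052", "month": "2021-02", "amount": 60.0},
    {"email": "cy@example.com", "name": "Cy Park", "zip": "99201", "month": "2021-02", "amount": 10.0},
]

# Assumption: the trend report never needs these fields in the clear.
DIRECT_IDENTIFIERS = ("email", "name")

# Constructed demo key. In practice it is stored apart from the masked dataset,
# because whoever holds it can recompute the pseudonym of a known address.
KEY = b"constructed-demo-key"


def deidentify(record, key):
    """Copy a record without direct identifiers, adding a keyed pseudonym."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    # Keyed HMAC rather than a bare hash: e-mail addresses are guessable, so an
    # unkeyed digest could be matched by hashing candidate addresses.
    email = record["email"].lower().encode()
    out["customer"] = hmac.new(key, email, hashlib.sha256).hexdigest()[:16]
    # Generalize the quasi-identifier: keep only the three-digit ZIP prefix.
    out["zip"] = record["zip"][:3] + "XX"
    return out


def monthly_trend(records):
    """Return {month: (total sales, distinct buyers)} for raw or masked records."""
    totals, buyers = defaultdict(float), defaultdict(set)
    for r in records:
        totals[r["month"]] += r["amount"]
        # Masked records carry "customer"; raw records fall back to the e-mail.
        buyers[r["month"]].add(r.get("customer") or r["email"].lower())
    return {m: (round(totals[m], 2), len(buyers[m])) for m in sorted(totals)}


if __name__ == "__main__":
    masked = [deidentify(r, KEY) for r in RAW_SALES]
    print(monthly_trend(masked) == monthly_trend(RAW_SALES))
```
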
Overall, the WPA offers a myriad of benefits to both the public and data-driven enterprises. The act brings a great deal of clarity to what the appropriate balance should be between data-driven innovation and privacy rights. It also cuts our work out for us as we double down on ensuring that data-driven enterprises can continue to do what they do best with the highest tier of data access protection.
At Satori, we’re on a mission to help companies address the challenges businesses face in complying with expanding global privacy and data access requirements like the WPA. Together, we can help enterprise customers gain more control over their sensitive data and who accesses it while making sure that your business continues to push the boundaries of your data-driven strategies.
The WPA will take effect starting July 31, 2021.
You can find the full act here.