Posted by Bryan Stanwood on February 25, 2020
Insurance companies operating in Washington state may soon have to comply with new consumer data privacy rules. The state Senate passed a bill known as the Washington Privacy Act on February 14 by a vote of 46 to 1. The bill now goes to the state House.
Although the bill is not yet law, we're following it because it could have a significant impact on insurance companies. Here, we provide an overview of the act as passed by the Senate. If the bill becomes law, we'll keep you informed and offer additional informational resources.
Whom would the Washington Privacy Act apply to?
The act applies to businesses that operate in Washington or target Washington residents as customers and that either:
- Control or process the personal data of 100,000 or more consumers during a calendar year, or
- Derive 50% of their gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers.
There are exceptions: the act doesn't apply to government agencies, Native American tribes or data maintained as part of employment records.
What are controllers and processors, and what are they responsible for?
A "controller" is defined as a person or group who "determines the purposes and means of the processing of personal data." A "processor" processes "personal data on behalf of a controller." In other words, a controller makes decisions about the data. A processor executes on those decisions.
Controllers' responsibilities: The act requires companies controlling consumers' data to:
- Provide consumers with meaningful privacy notices and instructions on how to exercise their consumer rights.
- Limit the collection and processing of personal data to specified purposes that are disclosed to the consumer.
- Establish and implement data security practices.
- Obtain consumer consent in order to process sensitive data.
- Conduct and document data protection assessments. These assessments are confidential, but the attorney general may request them as part of an investigation.
Controllers may not try to evade the act by asking consumers to waive or limit their rights. Any provision of a contract or agreement of any kind that waives or limits the consumer's rights will be deemed void and unenforceable.
Processors' responsibilities: Processors must adhere to controllers' instructions and assist them in meeting their obligations under the act. Processors also have to implement security procedures and ensure people with access to personal data keep the data confidential. If a processor does something with data covered by the act other than follow a controller's instructions, the processor is considered a controller and must follow the rules that apply to controllers.
The Washington Privacy Act would give consumers the right to exert greater control over how their personal data is used.
What rights would the Washington Privacy Act grant consumers?
The act gives consumers specific rights with respect to their personal data. Consumers have the right to:
- Confirm whether a controller is processing their data and access that data.
- Correct inaccurate data.
- Delete their personal data.
- Obtain their personal data in a format that allows them to transmit it to another controller.
- Opt out of the processing of their personal data for certain purposes.
One purpose consumers can opt out of is processing in furtherance of what the act calls "decisions that produce legal effects." Those decisions include decisions that "result in the provision or denial of financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, health care services, or access to basic necessities, such as food and water." (Note that insurance appears on that list.)
What happens if a company violates the Washington Privacy Act?
The state attorney general has exclusive authority to enforce the act, and the maximum penalty for each violation is $7,500.
Because the penalty applies to each violation, total penalties in cases with multiple compliance failures could run to millions of dollars. In fact, Microsoft's chief privacy officer calls the enforcement provision "strong" in her blog post expressing Microsoft's support for the bill.
The Washington Privacy Act includes a provision governing how companies may use facial recognition technology.
What about facial recognition technology?
The Washington Privacy Act includes several requirements that would apply to companies that provide facial recognition services. For example, in many instances, companies must provide consumers with notice and get their consent before adding their image to a service.
Companies must also make their service available for independent testing of its accuracy across distinct sub-populations. If the testing reveals unfair performance differences across those sub-populations, the company must act to correct them.
The act also requires human review of "decisions that produce legal effects" made by facial recognition technology, which includes decisions related to providing insurance and employment opportunities. The act also restricts companies from disclosing data obtained from the technology to law enforcement.
What's next for the bill?
As of today, the bill is scheduled to be part of executive sessions held this week by the Innovation, Technology & Economic Development committee in the state House. What happens after that depends on many factors. We will keep you informed, and you can always get the latest information directly from the state legislature's page for the bill, where you can sign up for email updates. There, you'll also find the House bill analysis and the text of the bill as passed by the Senate, both of which we used to prepare this post.
Bryan Stanwood, CPCU, ARM, AIDA is WSRB’s Vice President and COO. He has 30 years of property and casualty insurance experience and extensive expertise in managing high-performing insurance sales and underwriting departments.