SENATE BILL REPORT

                 2ESSB 6513

               As Passed Senate, March 14, 2000

 

Title:  An act relating to the privacy of personal information in commercial transactions involving financial institutions and others who maintain and transfer information.

 

Brief Description:  Protecting privacy of personal information in commercial transactions.

 

Sponsors:  Senate Committee on Commerce, Trade, Housing & Financial Institutions (originally sponsored by Senators Prentice, McCaslin, Kline, Gardner, Winsley, Kohl‑Welles, Spanel and Costa; by request of Attorney General).

 

Brief History:

Committee Activity:  Commerce, Trade, Housing & Financial Institutions:  1/25/2000, 2/3/2000 [DPS].

Passed Senate, 2/15/2000, 41-6.

First Special Session:  Passed Senate, 3/14/2000, 39-6.

 

SENATE COMMITTEE ON COMMERCE, TRADE, HOUSING & FINANCIAL INSTITUTIONS

 

Majority Report:  That Substitute Senate Bill No. 6513 be substituted therefor, and the substitute bill do pass.

  Signed by Senators Prentice, Chair; Shin, Vice Chair; Gardner, Hale, Rasmussen, T. Sheldon and Winsley.

 

Staff:  Dave Cheal (786-7576)

 

Background:  Information technology has greatly facilitated the collection, analysis and dissemination of vast amounts of personal data.  The result is that personal data has become a marketable commodity.  Another result is that consumers are increasingly privacy conscious and alarmed about whether they have control over highly personal and private information.  The concerns range from annoyance due to a barrage of mail, phone calls, and e-mail, to the horror of identity theft.

 

Consolidation of diverse financial services into single companies or affiliated companies, facilitated by recent federal legislation, is described by the industry as an opportunity to provide better products and services more efficiently to consumers. This consolidation has also raised concerns about increased sharing of personal information.  In fact, news of certain personal depositor information sharing practices by some institutions, and the lack of protec­tion in current law, stalled the progress of this legislation, and eventually led to the inclusion of some degree of privacy protection.  The federal act expressly leaves room for state action.

 

Locally, news of certain information sharing practices of some business last summer was followed by a large number of alarmed calls to the Department of Financial Institutions and the Attorney General=s Office.  This committee held a hearing on the issue last July.  The Attorney General formed a work group representing a wide array of interests, including representatives of retailers and banks, victims of identity theft, the technology industry and legislators.  The goal of the work group was to develop legislation that could return a measure of control over personal information to consumers, and provide protection against the worst abuses of information access.  This bill is the result.

 

Summary of Bill:  Privacy and control of personal information in a commercial context are addressed.  Commercial entities affected are Ainformation custodians,@ defined as all entities that maintain data containing personal or sensitive information, who transfer that information to non-affiliated third parties for purposes other than those requested by the customer or purposes other than a functional business purpose.  Information custodians must adopt a privacy policy containing certain prescribed elements, and disseminate it to current, new, and prospective consumers according to the schedule provided.  AMarketers@ are defined as businesses that gather and maintain personal information but do not share, sell or transfer to affiliates or third parties, but do use the information to market to their own customers.  Marketers must notify their customers that they have the right to not receive the marketing information.  Small businesses of 50 or fewer employees are exempt from the bill, except they must honor requests to not send marketing material.

 

Information about individuals is divided into two categories: Apersonal information@ and Asensitive information.@  APersonal information@ is information provided in a commercial context that facilitates profiling and targeting, such as buying practices, business relationships, assets, demographic information, name, address, telephone number, or e-mail address, and current or historical balances.  ASensitive information@ means information obtained in a commercial context such as account numbers, access codes, Social Security numbers, or information held for the purpose of account access or transaction initiation.

 

Sensitive information can be transferred to third parties only upon a positive authorization of the consumer following provision of full information about the exact information to be transferred, the purpose of the transfer, and the expiration date of the authorization.

 

Several exceptions are made:  disclosure required by law, court order, or search warrant, disclosure to debt collectors, disclosure to consumer reporting agencies as defined by the federal Fair Credit Reporting Act, and disclosure to protect against fraud.

 

Personal information can be transferred to non-affiliated third parties unless the consumer positively objects to the transfer after being given full information of their rights and having been provided with the privacy policy of the business.  If the consumer chooses not to have their personal information shared, time deadlines for compliance with this choice are provided.  Exceptions similar to those for sensitive information are listed.

 

Personal or sensitive information can be transferred to third parties if the transfer is reasonably necessary to complete a transaction requested by the consumer, or a functional business purpose.

 

Before transferring either sensitive or personal information, information custodians must obtain agreements from transferees that they will keep the information confidential, and use it only for the purpose for which it was originally shared.

 

A violation of the act is a violation of the Consumer Protection Act.  Damages for more serious violations are $500 or actual damages, whichever is greater.  If the violation is found to be willful, recovery may be up to $1,500 or three times actual damages, whichever is greater.  Damages for less serious violations are limited to actual damages.  Class action damages are limited to the smaller of $1,000,000 or 1 percent of the net assets of the defendant.  Persons who file specious lawsuits are subject to sanctions including attorney fees.

 

Persons or business entities who have information relating to violations of the identity theft act who may have done business with the identity thief must provide, upon request of the victim, copies of all relevant information. Providers of this information may request reimbursement for actual expenses, and are provided immunity from criminal prosecution or civil action for good faith provision of information to law enforcement or other entities for the purposes of identification and prosecution of violators.

 

If a victim of identity theft notifies a collection agency that a series of checks or similar instruments have been stolen and a police report has been filed, the collection agency cannot recontact the victim regarding any checks or similar instruments in that series.

 

Appropriation:  None.

 

Fiscal Note:  Available.

 

Effective Date:  June 1, 2001.

 

Testimony For:  Consumers need to regain control of their personal information, which, as a result of technology is ever easier to transfer, sell, analyze, and abuse.  While these capabilities also result in desirable commercial efficiencies, a balance needs to be realigned with more attention given to privacy interests.

 

Testimony Against:  (Concerns) Restrictions on sharing information with affiliates would harm our business and raise our costs.  Some definitions are unclear and seem to overlap.  Provisions relating to developing and disseminating privacy policies are unclear.  Some of the identity theft provisions appear to be subject to abuse.

 

Testified:  Philip Gissberg, American Express (concerns); Debbie Maybel, Judy Warnick, WA Collectors Assn.; Fred Hellberg, Governor=s Office (pro); Scott Freeman, Judy Runquist, Jeanne Rickey, Linda Collins, Frank Dunlap, citizens (pro); Cliff Webster, Eric Ellman, Associated Credit Bureaus (concerns); Jim Pishue, WA Ind. Community Bankers Assn.; Jan Gee, WA Retail Assn., WA Food Industry (concerns); Deanne Kopkas, Basil Badley, National Assn. of Ind. Insurers (concerns); Mike Kapphahn, Farmers Ins. (concerns); Clark Sitzes, Professional Ins. Agents of WA (concerns).