SENATE BILL REPORT

                   SB 6513

              As Reported By Senate Committee On:

Commerce, Trade, Housing & Financial Institutions, February 3, 2000

 

Title:  An act relating to the privacy of personal information in commercial transactions involving financial institutions and others who maintain and transfer information.

 

Brief Description:  Protecting privacy of personal information in commercial transactions.

 

Sponsors:  Senators Prentice, McCaslin, Kline, Gardner, Winsley, Kohl‑Welles, Spanel and Costa; by request of Attorney General.

 

Brief History:

Committee Activity:  Commerce, Trade, Housing & Financial Institutions:  1/25/2000, 2/3/2000 [DPS].

 

SENATE COMMITTEE ON COMMERCE, TRADE, HOUSING & FINANCIAL INSTITUTIONS

 

Majority Report:  That Substitute Senate Bill No. 6513 be substituted therefor, and the substitute bill do pass.

  Signed by Senators Prentice, Chair; Shin, Vice Chair; Gardner, Hale, Rasmussen, T. Sheldon and Winsley.

 

Staff:  Dave Cheal (786-7576)

 

Background:  Information technology has greatly facilitated the collection, analysis and dissemination of vast amounts of personal data.  The result is that personal data has become a marketable commodity.  Another result is that consumers are increasingly privacy conscious and alarmed about whether they have control over highly personal and private information.  The concerns range from annoyance due to a barrage of mail, phone calls, and e-mail, to the horror of identity theft.

 

Consolidation of diverse financial services into single companies or affiliated companies, facilitated by recent federal legislation, is described by the industry as an opportunity to provide better products and services more efficiently to consumers. This consolidation has also raised concerns about increased sharing of personal information.  In fact, news of certain personal depositor information sharing practices by some institutions, and the lack of protection in current law, stalled the progress of this legislation, and eventually led to the inclusion of some degree of privacy protection.  The federal act expressly leaves room for state action.

 

Locally, news of certain information sharing practices of some businesses last summer was followed by a large number of alarmed calls to the Department of Financial Institutions and the Attorney General's Office.  This committee held a hearing on the issue last July.  The Attorney General formed a work group representing a wide array of interests, including representatives of retailers and banks, victims of identity theft, the technology industry and legislators.  The goal of the work group was to develop legislation that could return a measure of control over personal information to consumers, and provide protection against the worst abuses of information access.  This bill is the result.

 

Summary of Substitute Bill:  Privacy and control of personal information in a commercial context are addressed.  Commercial entities affected are "information custodians," defined as all entities that maintain data containing personal or sensitive information, who transfer that information to others, including affiliates, for purposes other than those requested by the customer, or that use the information for marketing.  Information custodians must adopt a privacy policy containing certain prescribed elements, and disseminate it to current and prospective consumers according to the schedule provided.

 

Information about individuals is divided into two categories: "personal information" and "sensitive information."  "Personal information" is information provided in a commercial context that facilitates profiling and targeting, such as buying practices, business relationships, assets, demographic information, name, address, telephone number, or e-mail address.  "Sensitive information" means information obtained in a commercial context such as account numbers, access codes, current or historical balances, Social Security numbers, or information held for the purpose of account access or transaction initiation.

 

Sensitive information can be transferred to third parties only upon a positive authorization of the consumer following provision of full information about the exact information to be transferred, the purpose of the transfer, and the expiration date of the authorization.  Several exceptions are made:  disclosure required by law, court order, or search warrant, disclosure to debt collectors, disclosure to consumer reporting agencies as defined by the federal Fair Credit Reporting Act, and disclosure to protect against fraud.

 

Personal information can be transferred to third parties or used for marketing unless the consumer positively objects to the transfer after being given full information of their rights and having been provided with the privacy policy of the business.  If the consumer chooses not to have their personal information shared or not to receive marketing information, time deadlines for compliance with this choice are provided.  Exceptions similar to those for sensitive information are listed.

 

Personal or sensitive information can be transferred to third parties if the transfer is reasonably necessary to complete a transaction requested by the consumer.

 

Before transferring either sensitive or personal information, information custodians must obtain agreements from transferees that they will keep the information confidential, and use it only for the purpose for which it was originally shared.

 

A violation of the act is a violation of the Consumer Protection Act.  Damages are limited to $500 or actual damages, whichever is greater.  If the violation is found to be willful, recovery may be up to $1,500 or three times actual damages, whichever is greater.  An action based on failure to stop marketing to the consumer as required may only be brought after the consumer notifies the violator and further violation occurs.

 

Persons or business entities who have information relating to violations of the identity theft act who may have done business with the identity thief must provide, upon request of the victim, copies of all relevant information. Providers of this information may request reimbursement for actual expenses, and are provided immunity from criminal prosecution or civil action for good faith provision of information to law enforcement or other entities for the purposes of identification and prosecution of violators.

 

If a victim of identity theft notifies a collection agency that a series of checks or similar instruments have been stolen and a police report has been filed, the collection agency cannot recontact the victim regarding any checks or similar instruments in that series.

 

Substitute Bill Compared to Original Bill:  The coverage of the bill is limited to financial institutions, as that term is defined by federal law.   Several definitions are expanded and clarified.  A definition of "marketer" is added.  "Cost-free" methods for consumers to "opt out" of having their personal information shared were required in the original bill.  This has been changed to "de minimus cost."  Disclosure of personal or sensitive information even absent consumer permission is allowed in certain excepted situations, such as disclosures required by law, and disclosures to debt collectors.  The list of these exceptions is expanded.  If a federal court or federal chartering agency declares any provision of the act invalid with respect to a federally chartered institution, that provision is also invalid, to the same extent, with respect to state chartered institutions.  The identity theft provisions are removed.

 

Appropriation:  None.

 

Fiscal Note:  Available.

 

Effective Date:  Ninety days after adjournment of session in which bill is passed.

 

Testimony For:  Consumers need to regain control of their personal information, which, as a result of technology is ever easier to transfer, sell, analyze, and abuse.  While these capabilities also result in desirable commercial efficiencies, a balance needs to be realigned with more attention given to privacy interests.

 

Testimony Against:  (Concerns) Restrictions on sharing information with affiliates would harm our business and raise our costs.  Some definitions are unclear and seem to overlap.  Provisions relating to developing and disseminating privacy policies are unclear.  Some of the identity theft provisions appear to be subject to abuse.

 

Testified:  Philip Gissberg, American Express (concerns); Debbie Maybel, Judy Warnick, WA Collectors Assn.; Fred Hellberg, Governor's Office (pro); Scott Freeman, Judy Runquist, Jeanne Rickey, Linda Collins, Frank Dunlap, citizens (pro); Cliff Webster, Eric Ellman, Associated Credit Bureaus (concerns); Jim Pishue, WA Ind. Community Bankers Assn.; Jan Gee, WA Retail Assn., WA Food Industry (concerns); Deanne Kopkas, Basil Badley, National Assn. of Ind. Insurers (concerns); Mike Kapphahn, Farmers Ins. (concerns); Clark Sitzes, Professional Ins. Agents of WA (concerns).