H-2702.1
SUBSTITUTE HOUSE BILL 2200
| | |
State of Washington | 65th Legislature | 2017 Regular Session |
By House Technology & Economic Development (originally sponsored by Representatives Hansen, Taylor, Smith, Buys, Harmsworth, Graves, Maycumber, J. Walsh, Kraft, Haler, Condotta, Nealey, Bergquist, Steele, Van Werven, Stonier, Macri, Farrell, Cody, Slatter, Tarleton, Senn, Kagi, Pollet, Frame, Chapman, Dye, Hudgins, Stanford, Reeves, Dent, Hayes, Ryu, Peterson, Sells, Kloba, Santos, Johnson, Fitzgibbon, Holy, Ormsby, Caldier, Sawyer, Wylie, Hargrove, Kilduff, Blake, Orcutt, Gregerson, Young, Appleton, Shea, Koster, Morris, Tharinger, Irwin, Muri, Schmick, Volz, Goodman, Clibborn, McCaslin, Pellicciotti, Doglio, Jinkins, Dolan, Kirby, Sullivan, Lytton, Kretz, Riccelli, Rodne, McBride, McCabe, and Pettigrew)
READ FIRST TIME 04/17/17.
AN ACT Relating to protecting the privacy and security of internet users; adding a new chapter to Title
19 RCW; and providing an effective date.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF WASHINGTON:
NEW SECTION. Sec. 1. The definitions in this section apply throughout this chapter unless the context clearly requires otherwise.
(1) "Broadband internet access service" or "BIAS" means a mass market retail service by wire or radio that provides the capability to transmit data to and receive data from all or substantially all internet endpoints, including any capabilities that are incidental to and enable the operation of the communications service, but excluding dial-up internet access service. This term also encompasses any service that the federal communications commission finds to be providing a functional equivalent of the service described in this subsection.
(2) "Broadband internet access service provider" or "BIAS provider" means a person engaged in the provision of BIAS.
(3) "Customer" means: (a) A current or former subscriber to a BIAS; or (b) an applicant for a BIAS.
(4) "Customer proprietary information" means any of the following a BIAS provider acquires in connection with its provision of BIAS:
(a) Personally identifiable information, which consists of any information that is linked or reasonably linkable to an individual or device;
(b) Content of communication;
(c) Financial information;
(d) Health information;
(e) Information pertaining to children;
(f) Social security numbers;
(g) Precise geolocation information;
(h) Call detail information;
(i) Web browsing history, application usage history, and the functional equivalents of either; and
(j) Biometric identifiers, which consists of data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual. Biometric identifier does not include a physical or digital photograph, video or audio recording or data generated therefrom, or information collected, used, or stored for health care treatment, payment, or operations under the federal health insurance portability and accountability act of 1996.
(5) "Opt-in approval" means a method for obtaining customer consent to use, disclose, or permit access to the customer's proprietary information. This approval method requires that the BIAS provider obtain from the customer affirmative, express consent allowing the sale of the customer proprietary information after the customer is provided appropriate notification of the BIAS provider's request consistent with the requirements set forth in this chapter.
NEW SECTION. Sec. 2. (1) Except with the opt-in approval of the customer, a BIAS provider may not:
(a) Sell or transfer customer proprietary information; or
(b) Send or display to a customer an advertisement selected to be sent or displayed based on the customer's proprietary information.
(2) A BIAS provider must solicit the approval required under subsection (1) of this section at the point of sale. A BIAS provider must obtain new approval for any changes in the sale or transfer of a customer's proprietary information if those changes are inconsistent with the terms or conditions provided at the time of prior customer approval.
(3) A BIAS provider must provide access to a mechanism that is reasonably designed to be readily available and understandable for a customer to grant, deny, or withdraw approval for the BIAS provider to sell their customer proprietary information. The exact notice and mechanism to obtain opt-in approval or to deny or withdraw that approval is context dependent.
NEW SECTION. Sec. 3. (1) A BIAS provider must not condition, or effectively condition, provision of BIAS on a customer's agreement to waive privacy rights guaranteed by law or rule, including this chapter. A BIAS provider must not terminate service or otherwise refuse to provide BIAS as a direct or indirect consequence of a customer's refusal to waive any such privacy rights.
(2) A BIAS provider that offers a financial incentive in exchange for any customer approvals described in section 2(1) of this act must provide the customer with the terms and conditions of the use of the customer proprietary information, including the type of information sought, the purposes of its use, and the categories of entities to which the information may be disclosed.
(3) For any customer that has agreed to participate in a financial incentive program as described in subsection (2) of this section, a BIAS provider must provide access to a mechanism for customers to withdraw participation from such a program at any time.
NEW SECTION. Sec. 4. The utilities and transportation commission is authorized to adopt rules, consistent with the purposes of this chapter, that do either or both of the following:
(1) Further define the definitions in section 1 of this act; and
(2) Prescribe appropriate notice and the form of such a notice to be provided to customers under sections 2 and 3 of this act.
NEW SECTION. Sec. 5. The legislature finds that the practices covered by this chapter are matters vitally affecting the public interest for the purpose of applying the consumer protection act, chapter 19.86 RCW. A violation of this chapter is not reasonable in relation to the development and preservation of business and is an unfair or deceptive act in trade or commerce and an unfair method of competition for the purpose of applying the consumer protection act, chapter
19.86 RCW.
NEW SECTION. Sec. 6. The consumer privacy and security account is created in the state treasury. All receipts from recoveries by the office of the attorney general for lawsuits related to the consumer protection act under the provisions of this chapter, or otherwise designated to this account, must be deposited into the account. Moneys in the account may be spent only after appropriation. Expenditures from the account may be used only for costs incurred by the office of the attorney general in the administration and enforcement of this chapter.
NEW SECTION. Sec. 7. Sections 1 through 6 of this act take effect July 1, 2018.
NEW SECTION. Sec. 8. Sections 1 through 7 of this act constitute a new chapter in Title 19 RCW. --- END ---