SENATE BILL REPORT
SB 5813
As of January 19, 2022
Title: An act relating to establishing data privacy protections to strengthen a consumer's ability to access, manage, and protect their personal data.
Brief Description: Establishing data privacy protections to strengthen a consumer's ability to access, manage, and protect their personal data.
Sponsors: Senators Carlyle, Nguyen, Liias, Lovick and Pedersen.
Brief History:
Committee Activity: Environment, Energy & Technology: 1/20/22.
Brief Summary of Bill
  • Regulates the collection and security practices for personal data of children and adolescents.
  • Requires data brokers to register with the state and to comply with consumer requests to exercise the rights to access, delete, or correct personal data.
  • Provides consumers the right to opt out of processing for purposes of targeted advertising or the sale of personal data beginning July 1, 2024.
  • Requires the attorney general, in consultation with the state privacy office, to adopt rules establishing technical specifications for one or more do not track mechanisms by July 1, 2024.
SENATE COMMITTEE ON ENVIRONMENT, ENERGY & TECHNOLOGY
Staff: Angela Kleis (786-7469)
Background:

Federal.  The Federal Trade Commission (FTC) has been the chief federal agency on privacy policy and enforcement since the 1970s.  The Children's Online Privacy Protection Act (COPPA) imposes certain requirements on operators of online services directed to children under 13 years of age, and on operators of online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.  The FTC has the authority to enforce COPPA.

State Data Broker Laws.  Vermont and California require data brokers to register with the state and pay a registration fee.  Data brokers within the scope of California consumer privacy laws may also have to comply with certain requirements regarding the collection, processing, and security of consumer personal data.

Washington State Law.  Student User Privacy in Education Rights Act.  Personal information and privacy interests are protected under various provisions of state law, such as the Student User Privacy in Education Rights (SUPER) Act.  The SUPER Act requires school service providers to meet certain requirements with regard to the collection and use of student personal information.  School service means a web site, mobile application, or online service directed primarily for use in a K-12 school.


Washington Consumer Protections.  The Consumer Protection Act (CPA) prohibits unfair methods of competition or unfair or deceptive practices in the conduct of any trade or commerce.  The attorney general (AG) is authorized to investigate and prosecute claims under the CPA on behalf of the state or individuals in the state.

Summary of Bill:

Part 1—Personal Data of Children and Adolescents.  Consent.  A business may not process the personal data or sensitive data of a known adolescent or a known child without obtaining consent from the adolescent or the child's parent or legal guardian.  A business may not process the personal data of a known adolescent for the purposes of targeted advertising or the sale of personal data without obtaining separate and express consent from the adolescent.

Rights.  An adolescent or a parent or legal guardian of a child has the right to access, delete, or correct personal data of the adolescent or the child.  An adult has the right to access, delete, or correct their personal data from when they were a child or adolescent.  A business must comply with a request to exercise a right within 30 days of receipt, which can be extended once by an additional 30 days.  A business is not required to comply if it is unable to authenticate the request.
 
Duties.  A business must fulfill specified duties such as being transparent about collection and processing practices, securing personal data, minimizing data collected, not processing personal data in any way that results in foreseeable harm, and retaining personal data for no longer than is necessary.

Data Protection Assessments.  A business must conduct a data protection assessment (DPA) for each of its processing activities involving the personal data of children and adolescents.  The AG may request disclosure of any DPA relevant to an AG investigation.  DPAs are not subject to disclosure under the Public Records Act.
 
Exemptions.  The obligations imposed on businesses or service providers do not restrict their ability to comply with current law or take immediate steps to protect the life of a natural person.  A business is not required to comply with a request to delete personal data if the business must maintain the personal data for specified circumstances such as to cooperate with law enforcement or to prevent fraud.  If a business processes personal data pursuant to an exemption, the processing must be limited to that specified purpose and the personal data must be secured.
 
Part 2—Data Brokers.  Registration and Penalties.  On or before January 31st following each year in which a business meets the definition of a data broker, the business must register with the Secretary of State (SOS) and pay a registration fee.  The SOS must create a web page where registration information is accessible to the public and may adopt rules to implement and enforce this chapter.  A data broker that fails to register is liable for prescribed penalties and fees.

Consent.  Unless a consumer provides consent to the data broker, the data broker may not process a consumer's sensitive data or personal data in furtherance of profiling or the sale of personal data.

Rights.  A consumer has the right to access, delete, or correct their personal data.
 
Prohibitions.  A person may not acquire brokered personal data through fraudulent means.  A person may not acquire or use brokered personal data in furtherance of stalking another person, committing fraud, or engaging in unlawful discrimination.
 
Security.  A data broker must implement administrative, technical, and physical data security practices to protect personal data.

Part 3—Do Not Track Mechanism.  Scope.  This chapter applies to legal entities that conduct business in Washington or produce products targeted to Washington residents and:

  • control data of over 100,000 consumers in a calendar year; or
  • derive over 25 percent of gross revenue from the sale of data and process personal data of over 25,000 consumers.

This chapter does not apply to specified government entities, tribes, or municipal corporations.

Right to Opt Out of Certain Processing.  Beginning July 1, 2024, a consumer has the right to opt out of the processing of personal data for purposes of targeted advertising or the sale of personal data.  A controller that processes personal data for such purposes must allow consumers to exercise the right to opt out through a user-selected do not track mechanism that meets the technical specifications established by the AG pursuant to rulemaking.

Rulemaking.  By July 1, 2024, the Office of the AG, in consultation with the Office of Privacy and Data Protection, must adopt rules establishing technical specifications for one or more do not track mechanisms that clearly communicate a consumer's affirmative, freely given choice to opt out of certain processing.  The rules adopted must meet specified requirements.


Civil Action and Enforcement.  The civil action and enforcement provisions are the same in all three parts of the bill (personal data of a child or adolescent, data brokers, and a do not track mechanism).

Civil Action.  An adolescent, an adult, a parent or legal guardian of a child, or a consumer alleging a violation of the right to access, delete, or correct personal data may bring a civil action in any court of competent jurisdiction.  Remedies are limited to the appropriate injunctive relief necessary and proportionate to remedy the violation against the aggrieved adolescent, adult, or child.  The courts shall also award reasonable attorneys' fees and costs.

Attorney General Enforcement.  Except for civil actions for alleged violation of the right to access, delete, or correct personal data, the AG has sole enforcement authority under the CPA.  Prior to filing a complaint, the AG must send a warning letter identifying an alleged violation and provide a 30-day cure period.  If, after 30 days, the AG believes the alleged violation has not been cured, the AG may bring an action.  When determining a civil penalty, the court must consider good faith efforts to comply and any actions to cure or remedy the violation before an action is filed.

Appropriation: None.
Fiscal Note: Requested on January 11, 2022.
Creates Committee/Commission/Task Force that includes Legislative members: No.
Effective Date: The bill contains several effective dates. Please refer to the bill.