Federal Laws Related to Privacy.
A sectorial framework protects personal information and privacy interests under various federal laws. Key federal statutes related to privacy include:
Privacy Protection in Washington.
The Washington Constitution provides that no person shall be disturbed in their private affairs without authority of law. Similarly to the federal sectorial approach, different state statutes define permitted conduct and specify the requisite level of privacy protections for medical records, financial transactions, student information, and other personal data.
The Office of Privacy and Data Protection (OPDP) serves as a central point of contact for state agencies on policy matters involving data privacy and data protection. The OPDP also serves as a resource to local governments and the public on data privacy and protection concerns.
Consumer Protection Act.
The Consumer Protection Act (CPA) prohibits unfair or deceptive acts or practices in trade or commerce, the formation of contracts, combinations, and conspiracies in restraint of trade or commerce, and monopolies. Persons injured by violations of the CPA may bring a civil action to enjoin further violations and recover actual damages, costs, and attorney's fees.
The Attorney General may bring an action in the name of the state, or as parens patriae on behalf of persons residing in the state, against any person to enjoin violations of the CPA and obtain restitution. The prevailing party may, at the discretion of the court, recover costs and attorney's fees. The Attorney General may also seek civil penalties, up to the statutorily authorized maximums, against any person who violates the CPA. Civil penalties are paid to the state.
Prohibition.
Any transacting entities who conduct business in this state and collect personal information from a consumer at a point of sale, are prohibited from selling or sharing that consumer's personal information unless the transacting entity has first received express permission from the consumer that the transacting entity is affirmatively authorized to share or sell that consumer's personal information.
Enforcement.
A violation of the above prohibition is a matter vitally affecting the public interest for purposes of applying the CPA and is not reasonable in relation to the development and preservation of business, is an unfair or deceptive act in trade or commerce, and an unfair method of competition. The Attorney General has sole enforcement authority under the CPA.
Definitions.
The following definitions are established:
"Point of sale" means the circumstance in which a consumer executes payment for goods or services and where sales taxes may become payable.
"Transacting entity" means any of the following: (1) a resident individual who engages regularly in commercial activity for the purpose of generating income; (2) a corporation or nonprofit corporation, limited liability company, partnership or limited liability partnership, business trust, joint venture, or other form of business organization, the constituent parts of which share an economic interest; (3) a financial institution, as defined in RCW 9A.56.280; (4) the state or any political subdivision thereof; or (5) an individual that controls, is controlled by, or is under common control with a person described in (2) or (3).
"Personal information" means any one or more of the following items of personally identifiable information about a consumer collected by a transacting entity and maintained by the transacting entity in an accessible form: (1) a first and last name; (2) a home or other physical address which includes the name of a street and the name of a city or town; (3) an email address; (4) a telephone number; (5) a social security number; (6) an identifier that allows a specific person to be contacted either physically or online; and (7) any other information concerning a person collected from the person by a transacting entity and maintained by the transacting entity in combination with an identifier in a form that makes the information personally identifiable.
"Selling" means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by a transacting entity to a third party for monetary or other valuable consideration. A transacting entity does not sell personal information when:
"Sharing" means renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by a transacting entity to a third party whether or not for monetary or other valuable consideration, including transactions between a transacting entity and a third party for cross-context behavioral advertising for the benefit of a transacting entity in which no money is exchanged. A transacting entity does not share personal information when: