ESSB 6513 - H AMD

By Representative Sullivan

Strike everything after the enacting clause and insert the following:

ANEW SECTION. Sec. 1. INTENT. (1) The legislature finds that every financial institution has an affirmative and continuing obligation to respect the privacy of its consumers and to protect the security and confidentiality of consumers. The legislature finds that Washington's citizens have a right to privacy and a reasonable expectation that the personal information that they provide in transactions with financial institutions will be kept private and confidential. The legislature finds that there is no existing uniform law that creates an appropriate standard of conduct for disclosure of consumers' personal information and that Washington's citizens need additional statutory protection from fraud, deception, nuisance, invasion of privacy, and breach of confidentiality related to the disclosure of personal information. The legislature intends to ensure that financial institutions and consumers work cooperatively to protect consumer information and enforce sanctions when violations occur.

(2) The legislature finds that the disclosure of personal information has caused specific significant harms to Washington consumers, including the appearance of unauthorized charges or debits on consumers' accounts, misappropriation of information for the purpose of assuming a consumer's identity, the unwanted and unintended dissemination of personal information, and the invasion of privacy.

(3) The legislature finds that the flow of some personal information has resulted in a number of increased market efficiencies that are beneficial to consumers. These include more rapid credit transactions and check verifications, as well as an increased number of choices for products and services. The legislature finds that these benefits can be maintained by giving consumers the choice to allow their personal information to be shared. The legislature finds that giving consumers this choice best balances the benefits and harms of disclosure of such information.

NEW SECTION. Sec. 2. DEFINITIONS. Unless the context clearly requires otherwise, the definitions in this section apply throughout this chapter.

(1) "Affiliate" means an entity that controls, is controlled by, or is under common control or common ownership with another entity. Companies that form alliances as a financial services group for purposes of marketing their services and are located at a common address, have personnel and payroll functions administered through a central office, jointly sponsor one combined employee savings and profit sharing plan, and have centralized data processing, mail service, communications, and procurement are considered under common control and affiliated with each other.

(2) "Consumer" or "customer" means a natural person or his or her legal representative, who is a resident of the state of Washington and who purchases, leases, or otherwise contracts for financial products or services within the state of Washington. Consumer shall be interpreted to include a marital community.

(3) "Consumer-requested purpose" means for the purpose of establishing or maintaining a business relationship, completing a transaction, or providing a product or service requested by the consumer.

(4) "Financial institution" means (a) a financial institution as defined in section 527(4) of the Gramm-Leach-Bliley Act, P.L. 106-102 and its implementing regulations as of the effective date of this act; or (b) a bank holding company or financial holding company, as defined in sections 2(a) and 2(p) of the Bank Holding Company Act, as amended as of the effective date of this act, or any subsidiary thereof as defined in section 2(d) of the Bank Holding Company Act, as amended as of the effective date of this act.

(5) "Functional business purpose" means use or disclosure of personal information by a financial institution to another entity or person to perform services or functions on behalf of the financial institution as part of the financial institution=s provision of its products or services to its customers;

(6) "Personal information" means information that is provided by the consumer and is identifiable to the individual consumer, that concerns the amount or condition of the consumer's assets, liabilities, financial transactions, purchasing history, buying preferences, or that reflects current or historical deposit or credit card account balances or purchase amounts, or which may be held for the purpose of transaction initiation, account access or identity verification, and includes account numbers, access codes or passwords, social security numbers, tax identification numbers, driver's license or permit numbers, state identicard numbers issued by the department of licensing, and credit card numbers or expiration dates, and electronically captured signatures.

NEW SECTION. Sec. 3. RESTRICTION ON CONSUMER INFORMATION. Financial institutions shall, in performing a transaction with a consumer, providing a service for a consumer, or establishing a business relationship with a consumer, require only that the consumer provide information reasonably necessary to perform the transaction, establish the relationship, administer or maintain the business relationship, collect or service a debt, protect against fraud or unauthorized transactions, or comply with applicable law. Any optional information must be specified as such, and the consumer must be given the option not to provide it.

NEW SECTION. Sec. 4. CONSUMER PRIVACY POLICIES. (1) The attorney general shall draft a model consumer privacy policy. The model consumer privacy policy shall not preclude any financial institution from adopting a privacy policy as provided in this section. Financial institutions shall have the right to adopt the attorney general=s model consumer privacy policy in lieu of providing their own policy. The attorney general shall adopt the model consumer privacy policy by the effective date of this act.

(2) A financial institution that chooses not to adopt the attorney general=s model consumer privacy policy must have a consumer privacy policy that discloses to existing and prospective consumers the policies and practices of the financial institution regarding the use of consumer personal information acquired or possessed by the financial institution.

(3) A consumer privacy policy, at a minimum, must summarize the financial institution=s responsibilities under this chapter and describe the consumer's rights and remedies under it, and generally describe with whom the consumer's personal information will be shared or to whom it will be sold or transferred.

(4) A consumer privacy policy must also provide a reasonable means for consumers to access their personal information that the financial institution shares, sells, or transfers for marketing purposes.

(5) A financial institution that does not adopt the attorney general=s model consumer privacy policy must disclose its consumer privacy policy at least once no later than:

(a) The effective date of this act to existing customers. For the purposes of this subsection, "existing customer" means a customer whose personal information has been sold, shared, or transferred within the twelve-month period preceding the effective date of this act;

(b) Thirty days after a prospective customer's initial request for the policy, following the effective date of this act; and

(6) A financial institution not adopting the attorney general=s model consumer privacy policy must disclose its consumer privacy policy on an annual basis to existing customers after the initial disclosure described in subsection (4) of this section, and, when material changes are made to the policy, the financial institution must notify the consumer, clearly and conspicuously in writing, in plain language, of the material changes and describe the consumer's rights under section 5 of this act, including the consumer's right to withdraw any consent given by the consumer under section 5 of this act.

(7) The disclosure of the consumer privacy policy, of a financial institution not adopting the attorney general=s consumer privacy policy, must be clearly and conspicuously made in writing, in a document separate from or attached as the first item of other documents or pages that are provided to the consumer by the information custodian.

(8) All consumer privacy policies must be clearly and conspicuously posted on the financial institution's website, if a website exists, and must be readily available for review at the financial institution=s place of business.

(9) Any financial institution adopting the attorney general=s model consumer privacy policy must disclose the privacy policy as follows:

(a) Disclosure of the model consumer privacy policy must be made clearly and conspicuously on the financial institution's website, if a website exists, and must be readily available for review at the financial institution=s place of business.

(b) The model consumer privacy policy must be disclosed annually as part of the financial institutions regular correspondence with their customers.

(c) A copy of the model consumer privacy policy must be provided within 30 days of a request from a current or prospective customer.

(10) Compliance by a financial institution with the timing of disclosures under section 503 of Public Law 106-102 (the Gramm-Leach-Bliley Act of 1999) and its implementing regulations constitutes compliance with the disclosure deadline requirements of subsection (4) of this section and section 5(1)(a) of this act for existing customers.

NEW SECTION. Sec. 5. PERSONAL INFORMATION‑-CONSUMER CONTROL. (1) A financial institution may not disclose personal information to a third party or affiliate for purposes other than consumer-requested purposes or functional business purposes unless the consumer has received written notification of the following:

(a) The information to be disclosed;

(b) The entity or entities authorized to receive the disclosure of information; and

(2) A financial institution may not disclose personal information to a third party or affiliate for purposes other than consumer-requested purposes or functional business purposes unless the consumer, upon notice as provided in this section and affirmative consent, authorizes the disclosure of the personal information sought to be disclosed, in a written statement dated and accepted by the consumer that is separate and distinct from any other document, and that contains a description of the information sought to be disclosed and the purpose for which the information will be disclosed.

(3) This section does not apply to disclosure of personal information under the following circumstances:

(a) Disclosure to or at the direction or with the consent of the consumer upon his or her request and upon proper identification;

(b) Disclosure required by federal, state, or local law or regulation, rules, and other applicable legal requirements;

(c) Disclosure made in the course of a properly authorized civil, criminal, or regulatory examination or investigation or under a search warrant, court order, or subpoena, including an administrative subpoena or other legal process;

(d) Disclosure to a third party or an affiliate for the purpose of collecting a debt or a dishonored item, although the recipient of the information must comply with section 6 of this act;

(e) Disclosure to protect the confidentiality or security of the financial institution=s records;

(f) Disclosure to protect against, investigate, or prevent actual or potential fraud or unauthorized transactions, claims, or other liability;

(g) Disclosure as part of a risk control program required by or subject to examination by regulators;

(h) Disclosure by or to a consumer reporting agency as specifically permitted under the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.);

(i) Disclosure of consumer report information between affiliates as specifically permitted under the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.), although the recipient of the information must comply with section 6 of this act;

(j) Disclosure of personal information which is prohibited from disclosure by section 502(d) of Public Law 106-102 (the Gramm-Leach-Bliley Act of 1999);

(k) Disclosure for purposes of a proposed or actual securitization, secondary market sale (including sales service rights), or similar transactions related to a consumer-requested purpose;

(l) Disclosure to persons holding a legal or beneficial interest relating to the consumer;

(m) Disclosure in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit of a financial institution if the disclosure of information concerns solely consumers of the business or unit;

(n) Disclosure of health care information in compliance with state and federal law; or

(o) Disclosure to a federal, state, or local agency as required by that agency to fulfill its legal obligations on behalf of a consumer.

NEW SECTION. Sec. 6. CONFIDENTIALITY AND SECURITY OF INFORMATION. (1) Third parties or affiliates that obtain personal information from a financial institution may not sell, share, or otherwise transfer the information for any reason other than the original purpose for which the information was sold, shared, or transferred to the third party or affiliate.

(2) A financial institution, before sharing, selling, or otherwise transferring personal information, must obtain a written agreement from the third party or affiliate providing for the following:

(a) To keep the information confidential;

(b) To use the information only for the original purpose for which it has been shared, sold, or provided; and

(3) Every financial institution must establish reasonable safeguards to ensure the confidentiality and safety of personal information and sensitive information and to protect them from loss, misuse, theft, unauthorized access, disclosure, defacement, or alteration.

NEW SECTION. Sec. 7. VIOLATION AN UNFAIR OR DECEPTIVE ACT. (1) Unfair and deceptive invasion of privacy rights is not reasonable in relation to the development and preservation of business. The legislature finds that the practices covered by this chapter are matters vitally affecting the public interest for the purpose of applying the consumer protection act, chapter 19.86 RCW. A violation of this chapter is an unfair or deceptive act in trade or commerce for the purpose of applying the consumer protection act, chapter 19.86 RCW.

(2) Damages to a person who has been the victim of a violation of this chapter are five hundred dollars, or actual damages plus reasonable attorney=s fees, whichever is greater. A court may increase the award of damages in an amount not more than three times the actual damages sustained, or one thousand five hundred dollars, whichever is greater, upon a demonstration that a violation of the chapter was willful.

NEW SECTION. Sec. 8. FEDERAL INVALIDITY--ANTITRUST LAWS. If the responsible federal chartering authority, under applicable federal law, or if a court of competent jurisdiction declares that any provision of this chapter is invalid with respect to any financial institution, the provision is also invalid, to the same extent, with respect to financial institutions chartered under the laws of the state of Washington and to host branches of out-of-state financial institutions. The director of the department of financial institutions may, from time to time, publish provisions of state laws that have been found invalidated under federal law and procedures. This section does not impair in any manner the authority of the state attorney general to enforce antitrust laws applicable to financial institutions or their affiliates.

NEW SECTION. Sec. 9. Sections 1 through 8 of this act constitute a new chapter in Title 19 RCW.

NEW SECTION. Sec. 10. Section captions used in sections 1 through 8 of this act are not part of the law.

NEW SECTION. Sec. 11. If any provision of this act or its application to any person or circumstance is held invalid, the remainder of the act or the application of the provision to other persons or circumstances is not affected.

NEW SECTION. Sec. 12. This act takes effect June 1, 2001.@

Correct the title.