Strike everything after the enacting clause and insert the following:

"NEW SECTION.  Sec. 1. The definitions in this section apply throughout this chapter unless the context clearly requires otherwise.

(1) "Business" means a commercial entity, including a sole proprietorship, partnership, corporation, association, limited liability company, or other group, however organized and whether or not organized to operate at a profit, including a financial institution organized, chartered, or holding a license or authorization certificate under the laws of Washington state, or any other state, the United States, or any other country, or the parent, affiliate, or subsidiary of a financial institution, but it does not include the state, any political subdivision of the state, or a vendor acting solely on behalf of, and at the direction of, the state.

(2) "Chief privacy officer" means the person appointed under RCW 43.105.369(2).

(3) "Consumer" means an individual residing in this state.

(4)(a) "Data broker" means a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the personal information of a consumer with whom the business does not have a direct relationship.

(b) The following activities conducted by a business do not qualify the business as a data broker:

(i) Furnishing a consumer credit report, as defined in 15 U.S.C. Sec. 1681a(d), by a consumer reporting agency, as defined in 15 U.S.C. Sec. 1681a(f);

(ii) Collecting or disclosing nonpublic personal information, as defined in 15 U.S.C. Sec. 6809(4), by a financial institution, as defined in 15 U.S.C. Sec. 6809(3), in a manner than is regulated under the federal Gramm Leach Bliley act, P.L. 106-102, and implementing regulations;

(iii) Providing 411 directory assistance or directory information services, including name, address, and telephone number, on behalf of or as a function of a telecommunications carrier; or

(iv) Providing publicly available information via real-time or near real-time alert services for health or safety purposes.

(5)(a) "Personal information" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

(b) "Personal information" does not include publicly available information to the extent that it is related to a consumer's business or profession.

(6) "Record" means any material on which written, drawn, spoken, visual, or electromagnetic information is recorded or preserved, regardless of physical form or characteristic.

(7) "Sale," "sell," "selling," or "sold" means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration.

(a) Register with the chief privacy officer;

(b) Pay a registration fee of two hundred fifty dollars to the chief privacy officer; and

(c) Provide the following information to the chief privacy officer:

(i) The name and primary physical, email, and internet addresses of the data broker;

(ii) If the data broker permits a consumer to opt out of the data broker's collection of personal information, opt out of its databases, or opt out of certain sales of data:

(A) The method for requesting an opt-out;

(B) If the opt-out applies to only certain activities or sales, a statement specifying to which activities or sales the opt-out applies;

(C) Whether the data broker permits a consumer to authorize a third party to opt out on the consumer's behalf;

(D) A statement specifying the data collection, databases, or sales activities from which a consumer may not opt out;

(iii) Whether the data broker implements a purchaser credentialing process;

(iv) Where the data broker has actual knowledge that it possesses the personal information of minors, a separate statement detailing the data collection practices, databases, sales activities, and opt-out policies that are applicable to the personal information of minors; and

(v) Any additional information that the data broker chooses to provide concerning its data collection practices.

(2) The chief privacy officer is authorized to coordinate with a third party for the purpose of collecting the registration fee under subsection (1)(b) of this section.

(3) A data broker that fails to fulfill the requirements of subsection (1) of this section is subject to:

(a) A civil penalty of fifty dollars for each day, not to exceed a total of ten thousand dollars for each year it fails to register pursuant to this section;

(b) A fine equal to the fees due under this section during the period it failed to register pursuant to this section; and

(c) Other penalties imposed by law.

(4) The attorney general may maintain an action to collect the penalties imposed in this section and to seek appropriate injunctive relief.

(2) A person shall not acquire or use personal information for the purpose of:

(a) Stalking or harassing another person;

(b) Committing a fraud, including identity theft, financial fraud, or email fraud; or

(c) Engaging in unlawful discrimination, including employment discrimination and housing discrimination.

(2) This chapter may be enforced solely by the attorney general under the consumer protection act, chapter 19.86 RCW.

(2) On or before October 1, 2022, the chief privacy officer, in consultation with the attorney general, shall update the preliminary report and provide additional information concerning the implementation of this act and the necessity of additional legislative and regulatory approaches to protecting the data security and privacy of Washington consumers whose data is subject to data brokers activities.

(3) This section expires January 1, 2023.

Correct the title.