5376-S2 AMH HUDG H2948.1
2SSB 5376 - H AMD 733
By Representative Hudgins
NOT CONSIDERED 12/23/2019
Strike everything after the enacting clause and insert the following:
"NEW SECTION.  Sec. 1. SHORT TITLE. This act may be known and cited as the Washington privacy act of 2019.
NEW SECTION.  Sec. 2. LEGISLATIVE FINDINGS. (1) The legislature finds that:
(a) Washington explicitly recognizes its people's right to privacy under Article I, section 7 of the state Constitution, in addition to the rights granted under the Fourth Amendment of the United States Constitution. Nothing in this act diminishes these rights.
(b) There is rapid growth in the volume and variety of personal data being generated, collected, stored, and analyzed. The protection of individual privacy and freedom in relation to the processing of personal data requires the recognition of the principle that consumers retain ownership interest of their personal data, including personal data that undergoes processing or is in possession of another party. Consumers desire greater transparency and control over the collection, disclosure, and sharing of their personal data.
(c) Personal data should be collected with a clear purpose and with consumers' consent.
(d) Nothing in this act affects, alters, or diminishes the rights that consumers have under existing federal and state laws including, but not limited to, the consumer protections in chapter 19.86 RCW, the consumer protection act, and laws that prohibit unlawful discrimination. Rather, this act adds to the rights that consumers have under existing federal and state laws.
(2) Possession of personal data brings with it an obligation of care and to fulfill requirements under this act, no matter the source of data, or the size of the entity holding or processing personal data. To preserve trust and confidence that personal data will be protected appropriately, the legislature recognizes that with regard to processing of personal data, Washington consumers have the rights to:
(a) Confirm whether or not personal data is being processed by a controller;
(b) Obtain a copy of the personal data undergoing processing;
(c) Correct inaccurate personal data;
(d) Obtain deletion of personal data;
(e) Restrict processing of personal data;
(f) Be provided with any of the consumer's personal data that the consumer provided to a controller;
(g) Object to processing of personal data; and
(h) Not be subject to a decision based solely on profiling.
(3) The European Union recently updated its privacy law through the passage and implementation of the general data protection regulation, affording its residents the strongest privacy protections in the world.
(4)(a) The legislature has long recognized that discrimination based on protected categories, including but not limited to race, color, ethnicity, nationality, gender, age, or sexual orientation is unlawful, immoral, and fundamentally inconsistent with the values of Washington state. Nothing in this act should be read as condoning, facilitating, or legitimizing discrimination.
(b) Facial recognition technology is incredibly powerful and presents both promise and potential peril. It is providing a host of beneficial uses throughout society today, and promises to provide even more benefits in the future. However, it also presents serious risks of bias, discrimination, and violations of privacy that pose real harms to Washington residents, and in particular to communities of color. There are currently insufficient legal restraints to protect consumers and communities of color from the real and serious harms stemming from unfair biases, discrimination, and violations of privacy through the use of facial recognition. Therefore, the legislature finds it necessary to put, at minimum, certain restrictions in place to provide some protections for Washington residents and communities of color from unfair biases, discrimination, and violations of privacy through the use of facial recognition technology.
(c) The legislature further finds that the restrictions on the use of facial recognition technology in this act are a necessary first step, but they are not sufficient to adequately protect Washington consumers and communities of color from harm through the use of facial recognition, including but not limited to unfair biases, discrimination, and violations of privacy. Consequently, the legislature finds that further study is necessary, and commissions a study to determine what additional restrictions ought to be considered to address concerns regarding facial recognition technology.
(d) Washington residents have long enjoyed an expectation of privacy in their public movements. The development of new technology like facial recognition could, if deployed indiscriminately and without proper regulation, enable the constant surveillance of any individual. Washington residents should have the right to a reasonable expectation of privacy in their movements, and thus should be free from ubiquitous and surreptitious surveillance using facial recognition technology. Further, Washington residents have the right to information about the capabilities, possible bias, and limitations of facial recognition technology and that it should not be deployed by private sector organizations without proper public notice.
(5) As such, the legislature recognizes the consumer protection principles in this act regarding transparency, individual control, respect for context, focused collection and reasonable use, security, access, and accuracy.
NEW SECTION.  Sec. 3. DEFINITIONS. The definitions in this section apply throughout this chapter unless the context clearly requires otherwise.
(1) "Affiliate" means a legal entity that controls, is controlled by, or is under common control with, another legal entity.
(2) "Business purpose" means the processing of a consumer's personal data with the consumer's consent for the controller's or its processor's operational purposes, provided that the processing of personal data must be reasonably necessary and proportionate to achieve the operational purposes for which the personal data was collected or processed and the data is not used for any other purpose. Business purposes include:
(a) Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, prosecuting those responsible for that activity, and notifying consumers of illegal activity that impacts personal data;
(b) Identifying and repairing errors that impair existing or intended functionality;
(c) Short-term, transient use, provided the personal data is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer's experience outside the current interaction including, but not limited to, the contextual customization of ads shown as part of the same interaction;
(d) Maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, or providing financing;
(e) Undertaking internal research for technological development, if conducted with deidentified data;
(f) Authenticating a consumer's identity at the request of the consumer or for compliance with this chapter; or
(g) Auditing related to current interaction with the consumer and concurrent transactions including, but not limited to, counting ad impressions, verifying positioning and quality of ad impressions, and auditing compliance with the law.
(3) "Child" means any natural person under thirteen years of age.
(4) "Consent" means a clear affirmative act signifying a freely given, specific, informed, and unambiguous indication of a consumer's agreement to the processing of personal data relating to the consumer, such as by a written statement or other clear affirmative action.
(5) "Consumer" means a natural person who is a Washington resident acting only in an individual or household context. "Consumer" does not include a natural person acting in a commercial or employment context.
(6) "Controller" means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data.
(7)(a) "Data broker" means a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.
(b) Providing publicly available information through real-time or near real-time alert services for health or safety purposes, and the collection and sale or licensing of brokered personal information incidental to conducting those activities, does not qualify the business as a data broker.
(c) Providing 411 directory assistance or directory information services, including name, address, and telephone number, on behalf of or as a function of a telecommunications carrier, does not qualify the business as a data broker.
(8) "Deidentified data" means data or information from which direct and known indirect identifiers have been removed or manipulated to break the linkage to a known natural person and to which one or more enforceable controls to prevent reidentification has been applied. Enforceable controls to prohibit or to prevent reidentification may include legal, administrative, technical, or contractual controls. "Deidentified data" cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.
(9) "Developer" means a person who creates or modifies the set of instructions or programs instructing a computer or device to perform tasks.
(10) "Direct identifier" means data that identifies a natural person directly without additional information or by linking to publicly available information. "Direct identifier" includes, but is not limited to, name, address, biometric data, social security number, or any government-issued identification number.
(11) "Direct marketing" means communication with a consumer for advertising purposes or to market goods or services.
(12) "Facial recognition" means technology that maps a person's unique facial features for purposes of identifying or verifying the person, or to discern the person's demographic information, such as gender, race, age, nationality, or sexual orientation, or emotional state or mood. "Facial recognition" includes facial verification, facial identification, and facial characterization, and generates facial recognition data that is subject to this act. "Facial recognition" does not include facial detection, whereby facial mapping is done solely for the purpose of distinguishing the presence from the absence of a human face without storing facial recognition data upon completion.
(13) "Identified or identifiable natural person" means a person who can be readily identified, directly or indirectly, in particular by reference to an identifier, including, but not limited to, a name, an online identifier, an identification number, biometric data, or specific geolocation data.
(14) "Indirect identifier" means data that identifies a natural person indirectly or helps connect pieces of data until a natural person can be singled out. "Indirect identifier" includes, but is not limited to, gender, place of birth, date of birth, or internet protocol address.
(15) "Legal effects" means, without limitation, denial of consequential services or support, such as financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, health care services, and other similarly significant effects.
(16) "Personal data" means any information that is linked or reasonably linkable to an identified or identifiable natural person. "Personal data" includes reidentified data and does not include deidentified data.
(17) "Privacy harm" means harm that results when personal data is processed, shared, disclosed, or sold in unknown, unexpected, or impermissible ways. "Privacy harm" is not limited to harm that results in a provable monetary loss or other tangible harm.
(18) "Process" or "processing" means any collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
(19) "Processor" means a natural or legal person that processes personal data on behalf of the controller.
(20) "Profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
(21) "Publicly available information" means information that is lawfully made available from federal, state, or local government records.
(22) "Restriction of processing" means the marking of stored personal data so that its processing is limited.
(23)(a) "Sale," "sell," or "sold" means the exchange or disclosure of personal data for consideration by the controller to another party. A sale must be consistent with consumer consent and the purposes for which the sold personal data was collected.
(b) "Sale" does not include the following: (i) The disclosure of personal data to a processor who processes the personal data on behalf of the controller; (ii) the disclosure of personal data to a third party with whom the consumer has a direct contractual relationship for purposes of providing a product or service requested by the consumer; (iii) the disclosure or transfer of personal data to an affiliate of the controller, if consumers are notified of the transfer of their data and of their rights under this chapter; or (iv) the disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets, if consumers are notified of the transfer of their data and of their rights under this chapter.
(24) "Sensitive data" means (a) personal data revealing racial or ethnic origin, citizenship, immigration status, religious beliefs, mental or physical health condition or diagnosis, or sex life or sexual orientation; (b) genetic or biometric data; or (c) the personal data of a known child.
(25) "Targeted advertising" means displaying to a consumer selected advertisements based on the consumer's personal data obtained or inferred over time from the consumer's activities across nonaffiliated web sites, applications, or online services to predict user preferences or interests.
(26) "Third party" means a natural or legal person, public authority, agency, or body other than the consumer, controller, or an affiliate of the processor of the controller.
(27) "Verified request" means the process through which a consumer may submit a request to exercise a right or rights set forth in this chapter, and by which a controller can verify the legitimacy of the request and identity of the consumer making the request using reasonable means.
NEW SECTION.  Sec. 4. JURISDICTIONAL SCOPE. (1) This chapter applies to legal entities that conduct business in Washington or produce products or services that are intentionally targeted to residents of Washington.
(2) This chapter does not apply to:
(a) State or local government;
(b) Municipal corporations; and
(c) Institutions of higher education, as defined in RCW 28B.10.016, and private, accredited, not-for-profit institutions of higher education.
(3) This chapter does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity.
(4) This chapter does not apply to the following information:
(a) Protected health information for purposes of the federal health insurance portability and accountability act of 1996, the federal health information technology for economic and clinical health act, and related regulations;
(b) Health care information for purposes of chapter 70.02 RCW;
(c) Patient identifying information for purposes of 42 C.F.R. Part 2, established pursuant to 42 U.S.C. Sec. 290 dd-2;
(d) Identifiable private information for purposes of the federal policy for the protection of human subjects, 45 C.F.R. Part 46, or identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the international council for harmonisation, or protection of human subjects under 21 C.F.R. Parts 50 and 56;
(e) Information and documents created specifically for, and collected and maintained by:
(i) A quality improvement committee for purposes of RCW 43.70.510, 70.230.080, or 70.41.200;
(ii) A peer review committee for purposes of RCW 4.24.250;
(iii) A quality assurance committee for purposes of RCW 74.42.640 or 18.20.390; or
(iv) A hospital, as defined in RCW 43.70.056, for reporting of health care-associated infections for purposes of RCW 43.70.056, a notification of an incident for purposes of RCW 70.56.040(5), or reports regarding adverse events for purposes of RCW 70.56.020(2)(b);
(f) Information and documents created for purposes of the federal health care quality improvement act of 1986 and related regulations;
(g) Patient safety work product information for purposes of 42 C.F.R. Part 3, established pursuant to 42 U.S.C. Sec. 299b-21-26;
(h) Information collected, used, or disclosed pursuant to chapter 43.71 RCW, if collection, use, or disclosure is in compliance with that law;
(i) Personal data provided to, from, or held by a consumer reporting agency as defined by 15 U.S.C. Sec. 1681a(f), but solely to the extent that such data is to be reported in, or used to generate, a consumer report, as defined by 15 U.S.C. Sec. 1681a(d), and only if the collection, processing, sale, or disclosure of such data is in compliance with the federal fair credit reporting act (15 U.S.C. Sec. 1681 et seq.);
(j) Personal data regulated by the children's online privacy protection act, 15 U.S.C. Secs. 6501 through 6506, if collected, processed, and maintained in compliance with that law;
(k) Personal data collected, processed, sold, or disclosed pursuant to the federal Gramm Leach Bliley act (P.L. 106-102), and implementing regulations, if the collection, processing, sale, or disclosure is in compliance with that law;
(l) Personal data collected, processed, sold, or disclosed pursuant to the federal driver's privacy protection act of 1994 (18 U.S.C. Sec. 2721 et seq.), if the collection, processing, sale, or disclosure is in compliance with that law; or
(m) Personal data regulated by the federal family educational rights and privacy act, 20 U.S.C. 1232g, and its implementing regulations;
(n) Information about employees or employment status collected, processed, or used by an employer pursuant to and solely for the purposes of an employer-employee relationship.
NEW SECTION.  Sec. 5. RESPONSIBILITY ACCORDING TO ROLE. (1) Controllers are responsible for meeting the obligations established under this chapter.
(2) Processors are responsible under this chapter for adhering to the instructions of the controller and assisting the controller to meet its obligations under this chapter.
(3) Processing by a processor is governed by a contract between the controller and the processor that is binding on the processor and that sets out the processing instructions to which the processor is bound.
(4) Third parties are responsible for assisting controllers and processors in meeting their obligations under this chapter with regard to personal data third parties receive from controllers or processors. Third parties must comply with consumer requests made known to them by a controller.
(5) Controllers, processors, and third parties must adhere to the consent of a consumer with regard to the consumer's personal data.
NEW SECTION.  Sec. 6. CONSUMER RIGHTS. (1) A consumer retains ownership interest in the consumer's personal data processed by a controller, a processor, or a third party and may exercise any of the consumer rights set forth in section 2 of this act by submitting to a controller a verified request that specifies which rights the consumer wishes to exercise. Controllers may not require consumers to create an account in order to make a verified request.
(2) Where a controller has reasonable doubts concerning the identity of the consumer making a request under this section, the controller may request the provision of additional reasonable information necessary to confirm the identity of the consumer. The controller may not sell, trade, or exchange information received pursuant to this subsection.
(3) Upon receiving a verified request from a consumer, a controller must:
(a) Confirm whether or not the consumer's personal data is being processed by the controller, including whether such personal data is sold to data brokers or others, and, where the consumer's personal data is being processed by the controller, provide access to such personal data;
(b) Inform the consumer about third-party recipients or categories of third-party recipients of the consumer's personal data, including third parties that received the data through a sale;
(c) Provide in a commonly used electronic format a copy of the consumer's personal data that is undergoing processing;
(d) Provide in a structured, commonly used, and machine-readable format a copy of the consumer's personal data that the consumer has provided to the controller if the processing of the consumer's personal data:
(i)(A) Requires consent under section 9(3) of this act;
(B) Is necessary for the performance of a contract to which the consumer is a party; or
(C) Is done in order to take steps at the request of the consumer prior to entering into a contract; and
(ii) Is carried out by automated means;
(e) Correct the consumer's inaccurate personal data, or complete the consumer's incomplete personal data, including by means of providing a supplementary statement where appropriate;
(f) Delete the consumer's personal data, if one of the following grounds applies:
(i) The personal data is no longer necessary in relation to the purposes for which it was collected or processed;
(ii) The consumer withdraws consent for processing that requires consent under section 9(3) of this act, and there are no business purposes for processing;
(iii) Processing is for direct marketing or targeted advertising purposes;
(iv) The personal data has been unlawfully processed; or
(v) The personal data must be deleted to comply with a legal obligation under local, state, or federal law to which the controller is subject;
(g) Take reasonable steps to inform other controllers or processors of which the controller is aware, and which are processing the consumer's personal data they received from the controller, that the consumer has requested deletion of any copies of or links to the consumer's personal data. Controllers and processors that receive notification of the consumer's deletion request must comply with that request;
(h) Restrict processing of the consumer's personal data if the purpose for which the personal data is being processed is inconsistent with a purpose for which the personal data was collected, inconsistent with a purpose disclosed to the consumer at the time of collection or authorization, or inconsistent with exercising the right of free speech. Where personal data is subject to a restriction of processing under this subsection, with the exception of storage, the personal data may only be processed with the consumer's consent or for purposes set forth in section 11 of this act, in which case the controller may not sell or otherwise disclose any personal data being processed pursuant to the claimed purposes. A controller must inform and gain consent from the consumer before any restriction of processing is lifted;
(i) Stop processing personal data of the consumer who objects to such processing, including the selling of the consumer's personal data to third parties for purposes of direct marketing or targeted advertising, without regard to the source of data. The controller must take reasonable steps to communicate a consumer's objection to processing to third parties to whom the controller sold the consumer's personal data. Third parties must comply with the consumer's request made known to them by the controller;
(j) Take reasonable steps to communicate a consumer's objection to processing to third parties to whom the controller disclosed, including through sale, the consumer's personal data and who must comply with objection requests communicated by the controller.
(4)(a) A controller must take action on a consumer's request without undue delay and within thirty days of receiving the request. The request fulfillment period may be extended by sixty additional days where reasonably necessary, taking into account the complexity of the request.
(b) Within thirty days of receiving a consumer request, a controller must inform the consumer about:
(i) Any fulfillment period extension, together with the reasons for the delay; or
(ii) The reasons for not taking action on the consumer's request, including a statement regarding any exemptions under section 11 of this act, and instructions for how to appeal the decision with the controller as described in subsection (5) of this section.
(5)(a) Controllers must establish an internal process whereby consumers may appeal a refusal to take action on a verified request under this section within a reasonable period of time after the consumer's receipt of the notice sent by the controller under subsection (4)(b) of this section. This appeal process must be conspicuously available and as easy to use as the process for submitting verified requests under this section. Within thirty days of receipt of an appeal, a controller must inform the consumer of any action taken or not taken in response to the appeal, along with a written explanation of the reasons in support thereof. That period may be extended by sixty additional days where reasonably necessary, taking into account the complexity and number of the verified requests serving as the basis for the appeal. The controller must inform the consumer of any such extension within thirty days of receipt of the appeal, together with the reasons for the delay.
(b) A consumer may submit a controller's response to an appeal under this subsection to the office of privacy and data protection through a mechanism created pursuant to RCW 43.105.369(12).
(6) A controller must communicate any correction, deletion, or restriction of processing carried out pursuant to a verified consumer request to each third party to whom the controller knows the consumer's personal data has been disclosed within one year preceding the verified request, including third parties that received the data through a sale. Third parties must comply with the consumer's requests made known to them by the controller.
(7) Information provided under this section must be provided by the controller free of charge to the consumer. Where requests from a consumer are manifestly unfounded or excessive, the controller may refuse to act on the request. The controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request.
(8) Requests for personal data under this section must be without prejudice to the other rights granted in this chapter.
(9) The rights provided in this section must not adversely affect the rights of others.
(10) Controllers and processors are prohibited from processing personal data in order to unlawfully discriminate against consumers.
(11) All policies adopted and used by a controller to comply with this section must be publicly available on the controller's web site and included in the controller's online privacy policy.
NEW SECTION.  Sec. 7. TRANSPARENCY. (1) Controllers must be transparent and accountable for their processing of personal data by making available in a form that is reasonably accessible to consumers a clear, meaningful privacy notice that includes:
(a) The categories of personal data collected by the controller;
(b) The categories of personal data that the controller shares with third parties;
(c) The purposes for which the categories of personal data are used by the controller and disclosed to third parties, if any;
(d) The categories of third parties, if any, with whom the controller shares personal data;
(e) Information about the rights guaranteed to the consumers in section 2 of this act;
(f) The process by which a consumer may request to exercise the rights under section 6 of this act, including a process by which a consumer may appeal a controller's action with regard to the consumer's request; and
(g) A statement that the controller processes personal data of a consumer only pursuant to the consumer's consent and solely for the purposes disclosed to the consumer under this section.
(2) If a controller sells personal data to data brokers, it must disclose such sales, and the manner in which a consumer may object to such sales, in a clear and conspicuous manner.
NEW SECTION.  Sec. 8. COMPLIANCE. (1) Controllers must develop, implement, and make publicly available an annual plan for complying with the obligations under this chapter.
(2) A controller that has developed and implemented a compliance plan for the European general data protection regulation 2016/679 may use that plan for purposes of subsection (1) of this section.
(3) Controllers may report metrics on their public web site to demonstrate and corroborate their compliance with this chapter.
NEW SECTION.  Sec. 9. RISK ASSESSMENTS. (1) Controllers must produce a risk assessment of each of their processing activities involving personal data and an additional risk assessment any time there is a change in processing that materially increases the risk to consumers. The risk assessments must take into account the:
(a) Type of personal data to be processed by the controller;
(b) Extent to which the personal data is sensitive data or otherwise sensitive in nature; and
(c) Context in which the personal data is to be processed.
(2) Risk assessments conducted under subsection (1) of this section must:
(a) Identify and weigh the benefits that may flow directly and indirectly from the processing to the controller, consumer, other stakeholders, and the public, against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce risks; and
(b) Factor in the use of deidentified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed.
(3) If the risk assessment conducted under subsection (1) of this section determines that the potential risks of privacy harm to consumers are substantial and outweigh the interests of the controller, consumer, other stakeholders, and the public in processing the personal data of the consumer, the controller may only engage in such processing with the consent of the consumer. To the extent the controller seeks consumer consent for processing, consent must be as easy to withdraw as to give.
(4) Processing personal data for a business purpose must be described in the risk assessment, but is presumed permissible unless: (a) It involves the processing of sensitive data; (b) the risk of processing cannot be reduced through the use of appropriate administrative and technical safeguards; (c) consent was not given; or (d) processing is inconsistent with consent given.
(5) The controller must make the risk assessment available to the attorney general upon request. Risk assessments provided to the attorney general are confidential and exempt from public inspection and copying under chapter 42.56 RCW.
NEW SECTION.  Sec. 10. DEIDENTIFIED DATA. A controller or processor that uses, sells, or shares deidentified data shall:
(1) Make a public commitment to not reidentify deidentified data and to maintain and use the data in a deidentified fashion;
(2) Provide by contract that third parties must not reidentify deidentified data received from a controller or a processor, or other downstream recipients of that data;
(3) Exercise reasonable measures and oversight to monitor compliance with any contractual commitments, such as not reidentifying data, to which deidentified data is subject; and
(4) Take appropriate steps to address any breaches of contractual commitments to which deidentified data is subject.
NEW SECTION.  Sec. 11. EXEMPTIONS. (1) The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to:
(a) Comply with federal, state, or local laws, rules, or regulations;
(b) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
(c) Establish, exercise, or defend legal claims;
(d) Temporarily prevent, detect, or respond to security incidents;
(e) Protect against malicious, deceptive, fraudulent, or illegal activity, or identify, investigate, or prosecute those responsible for that illegal activity;
(f) Perform a contract to which the consumer is a party or in order to take steps at the request of the consumer prior to entering into a contract;
(g) Process personal data of a consumer for one or more specific purposes where the consumer has given and not withdrawn their consent to the processing for those purposes; or
(h) Assist another controller, processor, or third party with any of the obligations under this subsection.
(2) The office of privacy and data protection created in RCW 43.105.369 may grant controllers one-year waivers to permit processing that is necessary:
(a) For reasons of public health interest, where the processing: (i) Is subject to suitable and specific measures to safeguard consumer rights; (ii) is under the responsibility of a professional subject to confidentiality obligations under federal, state, or local law; and (iii) is limited to what is reasonably necessary to accomplish the objective;
(b) For archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, where the deletion of personal data is likely to render impossible or seriously impair the achievement of the objectives of the processing;
(c) To safeguard intellectual property rights; or
(d) To protect the vital interests of the consumer or of another natural person.
(3) A controller may not sell any personal data processed under subsections (1) and (2) of this section.
(4) The obligations imposed on controllers or processors under this chapter do not apply where compliance by the controller or processor with this chapter would violate an evidentiary privilege under Washington law and do not prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under Washington law as part of a privileged communication.
(5) This chapter does not require a controller or processor to do the following:
(a) Reidentify deidentified data; or
(b) Retain, link, or combine personal data concerning a consumer that it would not otherwise retain, link, or combine in the ordinary course of business.
NEW SECTION.  Sec. 12. FACIAL RECOGNITION. (1) The Washington state academy of sciences shall convene and staff a task force to:
(a) Analyze the potential consequences of public and private sector use of facial recognition systems on the civil rights and civil liberties of all Washingtonians, including vulnerable communities; and
(b) Provide a forum for discussion on how the development of new technology like facial recognition technology could, if deployed indiscriminately and without proper regulation, enable the pervasive and surreptitious surveillance of any individual, while recognizing that the scope of facial recognition technology is ubiquitous and widespread.
(2) The task force shall consist of members and representatives as follows:
(a) One member from each of the two largest caucuses in the house of representatives, appointed by the speaker of the house of representatives;
(b) One member from each of the two largest caucuses of the senate, appointed by the president of the senate;
(c) Representatives from organizations and communities historically impacted by surveillance technologies including, but not limited to, African American/Black, Latino American, Native American, and Asian or Pacific Islander American communities, religious minorities, protest and activist groups, and other vulnerable communities;
(d) Representatives from organizations that advocate for data privacy protections for the public at large;
(e) Representatives from different branches of law enforcement;
(f) Representatives from facial recognition technology providers; and
(g) Representatives from appropriate academic institutions.
(3) The task force may also include representatives from the ethnic commissions.
(4) The task force may consult with the tech policy lab of the University of Washington.
(5) The task force shall choose two cochairs from among its legislative members.
(6) Legislative members of the task force may be reimbursed for travel expenses in accordance with RCW 44.04.120. Nonlegislative members are not entitled to be reimbursed for travel expenses if they are elected officials or are participating on behalf of an employer, governmental entity, or other organization. Any reimbursement for other nonlegislative members is subject to chapter 43.03 RCW.
(7) The expenses of the task force must be paid jointly by the senate and the house of representatives. Task force expenditures are subject to approval by the senate facilities and operations committee and the house of representatives executive rules committee, or their successor committees.
(8) The task force must submit a report of its findings and recommendations to the governor and the appropriate committees of the legislature by December 1, 2019.
(9) This section expires June 1, 2020.
NEW SECTION.  Sec. 13. (1) The tech policy lab of the University of Washington shall conduct a study on the quality and efficacy of facial recognition technology. In addition, the study shall conduct an analysis on the bias of facial recognition technology.
(2) A report of findings from the study must be submitted to the governor and the appropriate committees of the legislature by December 1, 2019.
(3) This section expires June 1, 2020.
NEW SECTION.  Sec. 14. LIABILITY. (1) This chapter does not serve as the basis for a private right of action under this chapter or any other law. This may not be construed to relieve any party from any duties or obligations imposed, or to alter any independent rights that consumers have under other laws, the Washington state Constitution, or the United States Constitution.
(2) Where more than one controller or processor, or both a controller and a processor, involved in the same processing, is in violation of this chapter, the liability must be allocated among the parties according to principles of comparative fault, unless such liability is otherwise allocated by contract among the parties.
NEW SECTION.  Sec. 15. ENFORCEMENT. (1) The legislature finds that the practices covered by this chapter are matters vitally affecting the public interest for the purpose of applying the consumer protection act, chapter 19.86 RCW. A violation of this chapter is not reasonable in relation to the development and preservation of business and is an unfair or deceptive act in trade or commerce and an unfair method of competition for the purpose of applying the consumer protection act, chapter 19.86 RCW.
(2) The attorney general may bring an action in the name of the state, or as parens patriae on behalf of persons residing in the state, to enforce this chapter.
(3) A controller or processor is in violation of this chapter if it fails to cure any alleged violation of sections 6 through 11 of this act within thirty days after receiving notice of alleged noncompliance. Any controller or processor that violates this chapter is subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars for each violation or seven thousand five hundred dollars for each intentional violation.
(4) The consumer privacy account is created in the state treasury. All receipts from the imposition of civil penalties under this chapter must be deposited into the account. Moneys in the account may be spent only after appropriation.
Sec. 16. RCW 43.105.369 and 2016 c 195 s 2 are each amended to read as follows:
(1) The office of privacy and data protection is created within the office of the state chief information officer. The purpose of the office of privacy and data protection is to serve as a central point of contact for state agencies on policy matters involving data privacy and data protection.
(2) The director shall appoint the chief privacy officer, who is the director of the office of privacy and data protection.
(3) The primary duties of the office of privacy and data protection with respect to state agencies are:
(a) To conduct an annual privacy review;
(b) To conduct an annual privacy training for state agencies and employees;
(c) To articulate privacy principles and best practices;
(d) To coordinate data protection in cooperation with the agency; and
(e) To participate with the office of the state chief information officer in the review of major state agency projects involving personally identifiable information.
(4) The office of privacy and data protection must serve as a resource to local governments and the public on data privacy and protection concerns by:
(a) Developing and promoting the dissemination of best practices for the collection and storage of personally identifiable information, including establishing and conducting a training program or programs for local governments; and
(b) Educating consumers about the use of personally identifiable information on mobile and digital networks and measures that can help protect this information.
(5) By December 1, 2016, and every four years thereafter, the office of privacy and data protection must prepare and submit to the legislature a report evaluating its performance. The office of privacy and data protection must establish performance measures in its 2016 report to the legislature and, in each report thereafter, demonstrate the extent to which performance results have been achieved. These performance measures must include, but are not limited to, the following:
(a) The number of state agencies and employees who have participated in the annual privacy training;
(b) A report on the extent of the office of privacy and data protection's coordination with international and national experts in the fields of data privacy, data protection, and access equity;
(c) A report on the implementation of data protection measures by state agencies attributable in whole or in part to the office of privacy and data protection's coordination of efforts; and
(d) A report on consumer education efforts, including but not limited to the number of consumers educated through public outreach efforts, as indicated by how frequently educational documents were accessed, the office of privacy and data protection's participation in outreach events, and inquiries received back from consumers via telephone or other media.
(6) Within one year of June 9, 2016, the office of privacy and data protection must submit to the joint legislative audit and review committee for review and comment the performance measures developed under subsection (5) of this section and a data collection plan.
(7) The office of privacy and data protection shall submit a report to the legislature on the: (a) Extent to which telecommunications providers in the state are deploying advanced telecommunications capability; and (b) existence of any inequality in access to advanced telecommunications infrastructure experienced by residents of tribal lands, rural areas, and economically distressed communities. The report may be submitted at a time within the discretion of the office of privacy and data protection, at least once every four years, and only to the extent the office of privacy and data protection is able to gather and present the information within existing resources.
(8) The office of privacy and data protection must conduct an analysis on the public and private sector use of facial recognition. By September 30, 2020, the office of privacy and data protection must submit a report of its findings and recommendations for use or limits to use of facial recognition technology to the appropriate committees of the legislature.
(9) The office of privacy and data protection must conduct a study on whether the federal health insurance portability and accountability act of 1996, the federal health information technology for economic and clinical health act, and related regulations adequately protect personal health information and prevent it from being bought, sold, or traded on a commercial basis. By December 31, 2020, the office of privacy and data protection must submit a report of its findings to the appropriate committees of the legislature.
(10) The office of privacy and data protection must convene a work group to study the best practices for ensuring consumers understand their privacy rights prior to agreeing to terms of service, terms of agreement, and other similar documents. The work group should consider the efficacy of summaries, abstracts, and other explanatory measures. By July 31, 2021, the office of privacy and data protection must submit a report of its findings and recommendations to the appropriate committees of the legislature.
(11) The office of privacy and data protection, in consultation with the attorney general, must by rule clarify definitions of this chapter as necessary. The office of privacy and data protection may create rules for granting waivers for purposes of section 11(2) of this act.
(12) The office of privacy and data protection shall create a mechanism by which consumers may submit the results of any appeal taken pursuant to section 6(10) of this act. The office of privacy and data protection may refer the results to the attorney general, who may consider whether to commence an enforcement action pursuant to section 15 of this act.
NEW SECTION.  Sec. 17. PREEMPTION. This chapter supersedes and preempts new laws, new ordinances, and new regulations, or the equivalent adopted by any local entity regarding the processing of personal data by controllers or processors. Wherever possible, law relating to consumers' personal information should be construed to harmonize with the provisions of this chapter. In the event of a conflict between other laws and the provisions of this chapter, the provisions of the law that afford the greatest protection for the right of privacy for consumers control, in the spirit of Article I, section 7 of the state Constitution.
NEW SECTION.  Sec. 18. Sections 1 through 15 and 17 of this act constitute a new chapter in Title 19 RCW.
NEW SECTION.  Sec. 19. This act is subject to appropriations in the omnibus appropriations act.
NEW SECTION.  Sec. 20. If any provision of this act is found to be in conflict with federal or state law or regulations, the conflicting provision of this act is declared to be inoperative.
NEW SECTION.  Sec. 21. If any provision of this act or its application to any person or circumstance is held invalid, the remainder of the act or the application of the provision to other persons or circumstances is not affected.
NEW SECTION.  Sec. 22. This act takes effect July 30, 2020, except for section 16 of this act which takes effect ninety days after final adjournment of the legislative session in which this act is enacted."
Correct the title.
EFFECT: (1) Sets forth the principle that consumers retain ownership interest in their personal data, including personal data that undergoes processing, and enumerates specific consumer rights with regard to processing of personal data.
(2) Provides that personal data should be collected with a clear purpose and with consumers' consent, and that possession of personal data brings with it obligations of care.
(3) Modifies several key definitions, including business purpose, consent, sale, deidentified data, sensitive data, facial recognition, and creates several new definitions, such as privacy harm, direct identifiers, and indirect identifiers.
(4) Eliminates the thresholds that a legal entity must meet in order for the obligations set forth in the bill to apply to that legal entity.
(5) Specifies additional exemptions from the provisions of the bill for institutions of higher education, private not-for-profit institutions of higher education, and certain information subject to enumerated federal and state laws, such as the federal Children's Online Privacy Protection Act.
(6) Provides that third parties are responsible for assisting controllers and processors in meeting their obligations under the bill with regard to personal data third parties receive from controllers and processors.
(7) Requires controllers, processors, and third parties to adhere to the consent of a consumer with regard to the consumer's personal data.
(8) Provides that a consumer retains ownership interest in the consumer's personal data processed by a controller or a processor and may exercise any of the consumer rights by submitting to a controller a verified request that specifies which rights the consumer wishes to exercise.
(9) Prohibits controllers from requiring consumers to create an account in order to make a verified request.
(10) Allows a controller to request additional reasonable information necessary to confirm the identity of the consumer making a request, but prohibits the controller from selling, trading, or exchanging that additional information requested to confirm the consumer's identity.
(11) Removes the qualification that the right to know about processing of personal data and the rights of access, correction, or deletion apply to personal data that a controller maintains in an identifiable form.
(12) Modifies the grounds for requiring that a controller delete a consumer's personal data and eliminates the circumstances in which the right to deletion does not apply.
(13) Requires controllers and processors notified of a consumer's deletion request to comply with that request.
(14) Modifies the right to restrict processing of personal data by requiring that any personal data subject to restriction be processed only with the consumer's consent or if an exemption applies, and prohibits the controller processing data pursuant to the claimed exemption from selling or otherwise disclosing that data.
(15) Provides that a controller must stop processing personal data of the objecting consumer regardless of whether the processing is for targeted advertising or other purposes, and that third parties notified of the consumer's objection must comply with the consumer's request.
(16) Eliminates the provisions that allow controllers to consider whether communicating certain consumer requests to third parties is functionally impractical, technically infeasible, or involves disproportionate effort.
(17) Removes the authorization for controllers to charge a reasonable fee when complying with manifestly unfounded or repetitive consumer requests.
(18) Requires controllers to establish and make conspicuously available an internal process by which consumers may appeal a controller's refusal to take action on a verified request, and specifies the timelines controllers must follow when reviewing consumer appeals.
(19) Provides that consumers may submit a controller's response to an appeal to the Office of Privacy and Data Protection (OPDP).
(20) Requires the OPDP to create a mechanism by which consumers may submit the results of any appeals and authorizes the OPDP to refer these results to the Attorney General who may consider whether to commence an enforcement action.
(21) Prohibits controllers and processors from processing personal data to unlawfully discriminate against consumers.
(22) Provides that a controller must make publicly available all policies adopted and used by the controller to comply with the provision related to consumer rights.
(23) Sets forth additional requirements for information that must be included in a controller's privacy notice, such as a statement that the controller processes personal data only pursuant to a consumer's consent and solely for the purposes disclosed to the consumer in the privacy notice.
(24) Requires controllers to develop, implement, and make publicly available an annual plan for complying with the obligations under the bill, and authorizes controllers to report compliance metrics on their public web sites.
(25) Provides that a controller may only engage in processing with the consent of the consumer if a risk assessment determines that potential risks of privacy harm outweigh the interests of the controller, consumer, other stakeholders, and the public.
(26) Sets forth additional circumstances when processing data for business purposes, as described in a risk assessment, is not presumed permissible.
(27) Sets forth additional requirements for controllers and processors that use, sell, or share deidentified data, such as making a public commitment to not reidentify deidentified data and providing by contract that third parties must not reidentify deidentified data.
(28) Eliminates certain exemptions and sets forth additional circumstances that may exempt a controller or processor from the obligations set forth in the bill.
(29) Authorizes the OPDP to grant one-year waivers to permit processing for certain purposes.
(30) Prohibits controllers from selling any personal data processed pursuant to an exemption or a waiver.
(31) Removes provisions related to limiting a controller's or processor's liability when disclosing personal data to third-party controllers or processors in specified circumstances.
(32) Removes provisions related to the use or provision of facial recognition services by controllers, processors, or state and local government agencies.
(33) Directs the Washington State Academy of Sciences (WSAS) to convene and staff a task force to analyze the potential consequences of public and private sector use of facial recognition on the civil rights and liberties of Washingtonians, to provide a forum for discussion on how the development of new technology could enable pervasive and surreptitious surveillance, and to report its findings and recommendations to the Governor and the Legislature by December 1, 2019.
(34) Enumerates the groups that must be represented on the WSAS task force and authorizes the task force to consult with the Tech Policy Lab of the University of Washington.
(35) Specifies which entities will pay the expenses of the WSAS task force and authorizes reimbursement for travel expenses of the legislative members of the task force.
(36) Requires the Tech Policy Lab of the University of Washington to conduct a study on the quality and efficacy of facial recognition technology and to report its findings to the Governor and the Legislature by December 1, 2019.
(37) Removes the limitation that expenditures from the consumer privacy account are to be used only to fund the OPDP.
(38) Modifies the rule-making authorization for the OPDP, including changing the date of a report on the public and private sector use of facial recognition.
(39) Directs the OPDP to conduct a study and to report to the Legislature on whether certain federal health information laws adequately protect personal health information and prevent it from being bought, sold, or traded on a commercial basis.
(40) Directs the OPDP to convene a work group and to report to the Legislature regarding best practices for ensuring consumers understand their privacy rights prior to agreeing to Terms of Service, Terms of Agreement, and other similar documents.
(41) Specifies that the bill preempts any new local laws or ordinances and provides additional preemption guidelines.
(42) Modifies the effective date of the bill from July 31, 2021, to July 30, 2020, except for the section related to the OPDP, which takes effect 90 days after final adjournment of the legislative session in which this act is enacted.
--- END ---