Brief Summary of Engrossed Second Substitute Bill

Requires data brokers to register annually with the Chief Privacy Officer and disclose certain information regarding their practices.
Prohibits acquisition of brokered personal information through fraudulent means or for the purpose of stalking, committing a fraud, or engaging in unlawful discrimination.
Directs the Attorney General and the Chief Privacy Officer to submit certain reports to the Legislature.

Majority Report: The second substitute bill be substituted therefor and the second substitute bill do pass and do not pass the substitute bill by Committee on Innovation, Technology & Economic Development. Signed by 32 members: Representatives Ormsby, Chair; Robinson, 1st Vice Chair; Bergquist, 2nd Vice Chair; Stokesbary, Ranking Minority Member; Rude, Assistant Ranking Minority Member; Caldier, Chandler, Cody, Dolan, Dye, Fitzgibbon, Hansen, Hoff, Hudgins, Jinkins, Kraft, Macri, Mosbrucker, Pettigrew, Pollet, Ryu, Schmick, Senn, Springer, Stanford, Steele, Sullivan, Sutherland, Tarleton, Tharinger, Volz and Ybarra.

Background:

According to the Federal Trade Commission, companies known as "data brokers" collect personal information from consumers and sell or share it with others. Data brokers collect this information from a wide variety of commercial and government sources, and use both raw and inferred data about individuals to develop and market products, verify identities, and defect fraud. Because these companies generally never interact directly with consumers, consumers are often unaware of their existence, practices, and use of collected personal information.

The federal Fair Credit Reporting Act regulates the consumer reporting industry and sets forth permissible uses of consumer reports, such as in connection with insurance underwriting or the extension of credit to a consumer, for employment purposes, or a legitimate business need when engaging in a business transaction involving the consumer. The federal Gramm-Leach-Bliley Act applies to financial institutions and regulates the sharing and disclosure of nonpublic personal information with affiliates and third parties.

The state Consumer Protection Act (CPA) prohibits unfair or deceptive acts or practices in trade or commerce. A private person or the Attorney General may bring a civil action to enforce the provisions of the CPA. A person or entity found to have violated the CPA is subject to treble damages and attorney's fees.

The Office of Privacy and Data Protection (OPDP) was created in 2016 to serve as a central point of contact for state agencies on policy matters involving data privacy and data protection. The Chief Privacy Officer serves as the director of the OPDP. The primary duties of the OPDP with respect to state agencies include conducting privacy reviews and trainings, coordinating data protection, and articulating privacy principles and best policies.

Summary of Engrossed Second Substitute Bill:

Data brokers are required to register annually with the Chief Privacy Officer, pay a $250 registration fee, and provide certain information regarding their practices related to the collection, storage, or sale of personal information, including whether the data brokers permit consumers to opt out from data collection or the sale of personal information.

"Data broker" means a business that knowingly collects and sells or licenses to third parties the personal information of a consumer with whom the business does not have a direct relationship. "Personal information" is information that identifies or could reasonably be linked with a particular consumer or household and does not include publicly available information related to a consumer's business or profession.

Conducting the following activities do not qualify a business as a data broker:

furnishing a consumer credit report by a consumer reporting agency, as defined in the federal Fair Credit Reporting Act;
collecting or disclosing nonpublic personal information by a financial institution in a manner that is regulated under the federal Gramm-Leach-Bliley Act;
providing 411 directory assistance on behalf of or as a function of a telecommunications carrier; or
providing publicly available information via real-time or near real-time alert services for health or safety purposes.

Failure to register and to provide required information is subject to a fine of up to $10,000 a year and other penalties imposed by law. The Attorney General may bring an action to collect the penalties and to seek injunctive relief.

Personal information may not be acquired through fraudulent means or for the purpose of stalking, committing a fraud, or engaging in unlawful discrimination.

Violations of this act are enforceable solely by the Attorney General under the Consumer Protection Act.

The Chief Privacy Officer, in consultation with the Attorney General, must submit to the Legislature a preliminary report by December 1, 2021, and an updated report by October 1, 2022, concerning the implementation of this act. Both the preliminary and the updated report must review and consider the necessity of additional legislative and regulatory approaches to protecting the security and privacy of personal information subject to data brokers activities.

Staff Summary of Public Testimony (Innovation, Technology & Economic Development):

(In support) This data broker registration bill largely mirrors what has already been done in Vermont, with some modifications based on differences in state government organization and in the data breach laws. Data brokers are companies that an individual has no direct relationship with, but are companies that acquire thousands of data points about individuals, creating a profile, and monetizing that information in some way. The concerns about the lack of transparency into this industry sector have been repeatedly brought up in testimony before Congress. This bill is a way to ask some questions in order to begin to understand the data broker industry. Credit bureaus are subject to certain federal laws. More than 145 million Americans were impacted by the Equifax data breach, and much of the collected information was not covered by federal law because a large portion of Equifax business was not credit reporting but a data broker business. When one looks at what is being collected, it is truly troubling and concerning. According to a report from the Vermont Attorney General, some of the collected data include information about rape survivors, addresses of domestic violence shelters, state troopers' home addresses, and information about people who suffer from various diseases. People have no say in the profile that is created about them or whether it is accurate. This bill opens a window to empower each Washingtonian to have more control over data privacy.

(Opposed) The references to security breaches or data breaches overlap with Washington's data breach notification law. The activities of the consumer reporting agencies, or credit bureaus, should be exempt. The data breach obligations are duplicative and redundant, considering the existing Washington state data breach laws. The substitute version of the bill appears to address this issue.

(Other) This bill was not contemplated in the Governor's budget. The policy priorities established here are extremely important and the committee should take appropriate action. Privacy professionals have heard from all over the state that Washingtonians value their privacy and the constitutional protection for the right to be undisturbed in their private affairs. Washingtonians are very concerned about third-party data sales and how data brokerage affects them and their families. This is an important issue and a moderate, well-thought out bill. The implementation should be relatively simple.