SENATE BILL REPORT

SB 5377

This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.

As of February 17, 2019

Title: An act relating to data sales and governance.

Brief Description: Concerning data sales and governance.

Sponsors: Senators Carlyle, Palumbo, Mullet, Hasegawa, Keiser, Pedersen and Saldaña.

Brief History:

Committee Activity: Environment, Energy & Technology: 1/22/19.

Brief Summary of Bill

  • Provides that this act be known as the Data Management and Protection Act.

  • Prohibits the sale of personal data to third parties by state agencies except as authorized under law.

  • Requires the Office of Privacy and Data Protection to publish principles that promote stewardship of the state's structured data sets and to develop compliance criteria for the requirements set forth in this act.

  • Requires state agencies to facilitate requests to exercise certain consumer rights beginning January 1, 2025.

  • Provides that state agencies must be transparent and accountable for their processing of personal data by making a privacy notice available.

SENATE COMMITTEE ON ENVIRONMENT, ENERGY & TECHNOLOGY

Staff: Angela Kleis (786-7469)

Background: Personal information and privacy interests are protected under various provisions of state law. The Washington State Constitution provides that no person shall be disturbed in his private affairs without authority of law. The Public Records Act (PRA) protects a person's right to privacy under certain circumstances if disclosure of personal information: (1) would be highly offensive to the reasonable person, and (2) is not of legitimate concern to the public.

The Consolidated Technology Services (CTS) agency supports state agencies as a centralized provider and procurer of certain information technology services. Within CTS, the Office of the Chief Information Officer (OCIO) has certain primary duties related to information technology for state government, which include establishing statewide enterprise architecture and standards for consistent and efficient operation. Within OCIO, the Office of Privacy and Data Protection (OPDP) serves as a central point of contact for state agencies on policy matters involving data privacy and data protection.

Summary of Bill: Short Title. This act shall be known as the Data Management and Protection Act.

Sale of Personal Data. The sale of personal data to third parties by a state agency is prohibited except as authorized under law. A state agency authorized to sell information containing personal data must take affirmative steps to protect such data from impermissible subsequent use, transfer, or sale by a third party.

Before completing the sale of data, a state agency must document the conditions under which the data is to be used in a contract involving one or more state agencies. Contracts must meet certain minimum requirements. If data is used in an unauthorized manner, the contractor responsible for the unauthorized disclosure must be denied further access to such data by the state agency.

The requirements on the sale of personal data to third parties by a state agency do not apply under certain conditions such as public records disclosed pursuant to the PRA.

Stewardship of State's Structured Assets. OPDP must publish principles to promote stewardship of the state's structured assets. The principles relate to data minimization, due diligence, sensitive data, data quality, transparency, and data security.

Consumer Rights. Beginning January 1, 2025, state agencies must facilitate requests to exercise certain consumer rights. The requirement to facilitate a request does not apply under certain conditions.

On request from a consumer, a state agency must:

A state agency must respond to a request within 30 days of receipt of the request. Under certain circumstances, this time period may be extended by 60 additional days. A state agency must notify a consumer within 30 days of receipt of the request (1) if an extension was approved and the reason for the delay, or (2) if no action was taken on a request and the reason for not taking action.

A state agency may request additional information to confirm the identity of a consumer if the state agency has doubts concerning the identity of the consumer making a request to exercise a consumer right.

Transparency. State agencies must be transparent and accountable for their processing of personal data by making a privacy notice available that includes certain criteria, such as categories of personal data collected and purposes for which the categories of personal data are used and disclosed to third parties. State agencies that engage in profiling must disclose such profiling to the consumer at or before the time personal data is obtained.

Compliance. By June 30, 2024, the OPDP will provide a template for consumer access to data and develop compliance criteria. State agencies must certify compliance with the requirements of this act. State agencies may request a waiver from OPDP for inability to comply because of special circumstances.

Appropriation: None.

Fiscal Note: Available.

Creates Committee/Commission/Task Force that includes Legislative members: No.

Effective Date: The bill contains several effective dates. Please refer to the bill.

Staff Summary of Public Testimony: PRO: The public sector needs to hold itself to the same standards as it holds the private sector. The intent of the bill is to get a handle on the state's use of data. Under this bill, there are five years to work out the mechanisms.

CON: The language of the bill is unclear and may shut down an agency's ability to meet federal reporting requirements.

Persons Testifying: PRO: Senator Reuven Carlyle, Prime Sponsor; Alex Alben, Office of Privacy. CON: Cliff Webster, Consumer Data Industry Association.

Persons Signed In To Testify But Not Testifying: No one.