H-1979.2

SUBSTITUTE HOUSE BILL 1854

State of Washington
66th Legislature
2019 Regular Session
By House Innovation, Technology & Economic Development (originally sponsored by Representatives Kloba, Hudgins, Slatter, Tarleton, Smith, Ryu, Valdez, Stanford, and Pollet)
READ FIRST TIME 02/22/19.
AN ACT Relating to the management and oversight of personal data; adding a new chapter to Title 19 RCW; creating new sections; prescribing penalties; and providing an effective date.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF WASHINGTON:
NEW SECTION.  Sec. 1. SHORT TITLE. This act may be known and cited as the Washington privacy act.
NEW SECTION.  Sec. 2. LEGISLATIVE FINDINGS. (1) The legislature finds that:
(a) Washington explicitly recognizes its citizens' right to privacy under Article I, section 7 of the state Constitution.
(b) There is rapid growth in the volume and variety of personal data being generated, collected, stored, and analyzed. The protection of individual privacy and freedom in relation to the processing of personal data requires the recognition of the principle of joint ownership of personal data between consumers and controllers that process the data.
(2) To preserve trust and confidence that personal data will be protected appropriately, the legislature recognizes that with regard to processing of personal data, Washington consumers should have the rights to:
(a) Confirm whether or not personal data concerning the consumer is being processed by a controller;
(b) Obtain a copy of the personal data undergoing processing;
(c) Correct inaccurate personal data;
(d) Obtain deletion of personal data;
(e) Restrict processing of personal data;
(f) Be provided with any of the consumer's personal data that the consumer provided to a controller;
(g) Object to processing of personal data; and
(h) Not be subject to a decision based solely on profiling.
NEW SECTION.  Sec. 3. DEFINITIONS. The definitions in this section apply throughout this chapter unless the context clearly requires otherwise.
NEW SECTION.  Sec. 4. JURISDICTIONAL SCOPE. (1) This chapter applies to legal entities that conduct business in Washington or produce products or services that are intentionally targeted to residents of Washington, and that satisfy one or more of the following thresholds:
(a) Controls or processes personal data of one hundred thousand consumers or more; or
(b) Derives over fifty percent of gross revenue from the sale of personal data and processes or controls personal data of twenty-five thousand consumers or more.
(2) This chapter does not apply to:
(a) State and local governments; or
(b) Municipal corporations.
NEW SECTION.  Sec. 5. RESPONSIBILITY ACCORDING TO ROLE. Controllers are responsible for meeting the obligations established under this chapter.
NEW SECTION.  Sec. 6. CONSUMER RIGHTS. Consumers may require a controller to:
(1) Confirm whether or not personal data concerning the consumer is being processed by the controller;
(2) Provide a copy of the personal data undergoing processing to the consumer;
(3) Correct inaccurate personal data;
(4) Delete the personal data of the consumer;
(5) Restrict processing of personal data;
(6) Provide the consumer's own personal data that the consumer provided to a controller to the consumer;
(7) Stop processing the consumer's personal data; and
(8) Not subject the consumer to a decision based solely on profiling.
NEW SECTION.  Sec. 7. TRANSPARENCY. Controllers must be transparent and accountable for their processing of personal data.
NEW SECTION.  Sec. 8. COMPLIANCE. (1) Controllers must develop and make publicly available an annual plan for complying with the obligations under this chapter.
(2) A controller that has developed a compliance plan for the European general data protection regulation 2016/679 may use that plan for purposes of subsection (1) of this section.
NEW SECTION.  Sec. 9. DOCUMENTED RISK ASSESSMENTS. Controllers must conduct documented risk assessments.
NEW SECTION.  Sec. 10. DEIDENTIFIED DATA. A controller or processor that uses deidentified data must exercise reasonable oversight to monitor compliance with any contractual commitments to which the deidentified data is subject, and must take appropriate steps to address any breaches of contractual commitments.
NEW SECTION.  Sec. 11. EXEMPTIONS. The exemptions in this section apply throughout this chapter unless stated otherwise.
NEW SECTION.  Sec. 12. LIABILITY. Where more than one controller or processor, or both a controller and a processor, involved in the same processing, is in violation of this chapter, the liability must be allocated among the parties according to principles of comparative fault, unless liability is otherwise allocated by contract among the parties.
NEW SECTION.  Sec. 13. ENFORCEMENT. (1) The legislature finds that the practices covered by this chapter are matters vitally affecting the public interest for the purpose of applying the consumer protection act, chapter 19.86 RCW. A violation of this chapter is not reasonable in relation to the development and preservation of business and is an unfair or deceptive act in trade or commerce and an unfair method of competition for the purpose of applying the consumer protection act, chapter 19.86 RCW.
(2) The attorney general may bring an action in the name of the state, or as parens patriae on behalf of persons residing in the state, to enforce this chapter.
(3) Prior to bringing an action for violations of this chapter, a consumer must provide a controller with a written notice identifying the specific provisions of this chapter that the consumer alleges have been or are being violated. In the event a cure is possible and the controller does not cure the noticed violation within thirty days, the consumer must notify the attorney general of the consumer's intent to bring an action.
(4) Upon receiving such notice, the attorney general must either:
(a) Notify the consumer within thirty days that the attorney general intends to bring an action under subsections (1) and (2) of this section and that the consumer may not proceed with a separate action; or
(b) Refrain from acting within thirty days and allow the consumer to bring an action.
(5) Any controller or processor that violates this chapter is subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars for each violation or seven thousand five hundred dollars for each intentional violation.
NEW SECTION.  Sec. 14. PREEMPTION. This chapter supersedes and preempts laws, ordinances, regulations, or the equivalent adopted by any local entity regarding the processing of personal data by controllers or processors.
NEW SECTION.  Sec. 15. FACIAL RECOGNITION. Controllers must obtain consent from consumers before deploying facial recognition services.
NEW SECTION.  Sec. 16. Sections 3 through 15 of this act constitute a new chapter in Title 19 RCW.
NEW SECTION.  Sec. 17. If any provision of this act or its application to any person or circumstance is held invalid, the remainder of the act or the application of the provision to other persons or circumstances is not affected.
NEW SECTION.  Sec. 18. This act takes effect July 30, 2021.
--- END ---