H-3624.2

HOUSE BILL 2364

State of Washington
66th Legislature
2020 Regular Session
By Representatives Smith, Hudgins, Young, Wylie, and Pollet
Prefiled 01/10/20. Read first time 01/13/20. Referred to Committee on Innovation, Technology & Economic Development.
AN ACT Relating to creating the charter of personal data rights; adding a new chapter to Title 19 RCW; and prescribing penalties.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF WASHINGTON:
NEW SECTION.  Sec. 1. (1) The legislature finds that Washingtonians have a right to privacy and that advances in technology make the protection of this vital right a matter of urgency.
(2) The legislature further finds that privacy is also the foundation of consumer trust, particularly in electronic commerce, and that people will use advanced data-driven technology only if their privacy rights are respected, their personal information is safeguarded, and their freedom to choose how much personal information to share is unobstructed.
(3) Therefore, the legislature declares, in plain language, the new baseline norms and expectations for the protection of personal data by businesses and enacts a lasting charter of personal data rights.
CONSUMER EMPOWERMENT
NEW SECTION.  Sec. 2. An individual residing in Washington state has the following rights with regard to the individual's personal data:
(1) The right to know what personal data a business collects or processes about the individual, including the categories and specific pieces of personal data the business collects or processes;
(2) The right to access and to obtain, in a readily useable portable format, the individual's personal data collected or processed by a business;
(3) The right to object to and opt out of the selling or licensing of the individual's personal data to third parties;
(4) The right to correct inaccurate personal data; and
(5) The right to delete all personal data of the individual collected or processed by a business.
CORPORATE RESPONSIBILITY
NEW SECTION.  Sec. 3. (1) To safeguard the privacy of individuals, a business has the duty to:
(a) Provide a prominent, publicly accessible, and easy to read privacy policy that specifies how and where an individual may contact the business to exercise personal data rights under this chapter and clearly states that the business collects or processes personal data only as reasonably necessary to provide services requested by an individual or to verify requests made pursuant to section 2 of this act;
(b) Minimize the collection of personal data by collecting and processing personal data only as reasonably necessary for services requested by an individual or to verify requests made pursuant to section 2 of this act;
(c) Avoid secondary uses of personal data and not process personal data for purposes that are not reasonably necessary to provide services requested by an individual or to verify requests made pursuant to section 2 of this act;
(d) Secure personal data from unauthorized acquisition or access by developing, implementing, and maintaining a comprehensive information security program that includes administrative, technical, and physical safeguards and meets or exceeds relevant security standards;
(e) Act in good faith and with due diligence when responding to requests made pursuant to section 2 of this act; and
(f) Not discriminate against individuals who choose to exercise their rights under this chapter, including by denying goods or services, charging different prices or rates, or providing a different level of quality of goods and services.
(2)(a) If a business uses a service provider to process personal data on behalf of the business, the business shall require the service provider to process personal data only on documented instructions from the business as to the nature, duration, and purposes of the processing.
(b) A business shall use only those service providers that deliver sufficient guarantees that processing meets the requirements of this chapter and ensures the protection of personal data rights.
(3) The duties in this chapter are in addition to any other duties imposed on a business by any state or federal law or regulation.
STRONG ENFORCEMENT
NEW SECTION.  Sec. 4. (1) Any waiver of the provisions of this chapter is contrary to public policy and is void and unenforceable.
(2) The legislature finds that the practices covered by this chapter are matters vitally affecting the public interest for the purpose of applying the consumer protection act, chapter 19.86 RCW. A violation of this chapter is not reasonable in relation to the development and preservation of business and is an unfair or deceptive act in trade or commerce and an unfair method of competition for purposes of applying the consumer protection act, chapter 19.86 RCW.
(3) The attorney general may bring an action in the name of the state, or as parens patriae on behalf of persons residing in the state, to enforce this chapter. In any action brought by the attorney general to enforce this chapter, a violation of this chapter is subject to a civil penalty of not more than ten thousand dollars per violation.
(4) Any violation of this chapter constitutes an injury and any individual whose rights under this chapter have been violated or whose personal data has been collected or processed in violation of this chapter may bring a civil action for declaratory relief, injunctive relief, and actual damages, but not less than statutory damages of ten thousand dollars per violation.
(5) A court shall award costs and reasonable attorneys' fees to a plaintiff who prevails in an action under this chapter.
(6) The provisions of this chapter are not exclusive and are in addition to any other requirements, rights, remedies, and penalties provided by law.
NARROWLY SCOPED EXEMPTIONS
NEW SECTION.  Sec. 5. Nothing in this chapter applies to information that is collected or used by a business about an individual in the course of the individual's role as a job applicant, employee, or contractor of the business.
DEFINITIONS
NEW SECTION.  Sec. 6. The definitions in this section apply throughout this chapter unless the context clearly requires otherwise.
(1)(a) "Business" means a person or entity that, alone or together with any affiliates:
(i) Engages in business in and has a substantial nexus with Washington state;
(ii) Has more than ten million dollars in worldwide gross revenue during the immediately preceding calendar year;
(iii) Collects or processes personal data of individuals; and
(iv) Alone or jointly with others determines the purposes and means of the processing of personal data.
(b) For the purposes of this subsection:
(i) "Affiliate" means a person that directly or indirectly, through one or more intermediaries, controls, is controlled by, or is under common control with another person;
(ii) "Engage in business" means commencing, conducting, or continuing in business and also the exercise of corporate or franchise powers as well as liquidating a business when the liquidators thereof hold themselves out to the public as conducting such a business; and
(iii) "Substantial nexus" has the same meaning as in RCW 82.04.067.
(2) "Individual" means a natural person residing in Washington state.
(3) "Personal data" means any information that identifies, relates to, describes, or could reasonably be linked, directly or indirectly, with a particular individual or household.
(4) "Process" or "processing" means any collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
(5) "Service provider" means a natural or legal person that processes personal data on behalf of a business.
SHORT TITLE
NEW SECTION.  Sec. 7. This chapter may be known and cited as the Washington state charter of personal data rights.
NEW SECTION.  Sec. 8. Sections 1 through 7 of this act constitute a new chapter in Title 19 RCW.
--- END ---