S-0472.4

SENATE BILL 5376

State of Washington
66th Legislature
2019 Regular Session
By Senators Carlyle, Palumbo, Wellman, Mullet, Pedersen, Billig, Hunt, Liias, Rolfes, Saldaña, Hasegawa, and Keiser
Read first time 01/18/19. Referred to Committee on Environment, Energy & Technology.
AN ACT Relating to the management and oversight of personal data; amending RCW 43.105.369; adding a new section to chapter 9.73 RCW; adding a new chapter to Title 19 RCW; creating new sections; prescribing penalties; and providing an effective date.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF WASHINGTON:
NEW SECTION.  Sec. 1. SHORT TITLE. This act may be known and cited as the Washington privacy act.
NEW SECTION.  Sec. 2. LEGISLATIVE FINDINGS. (1) The legislature finds that:
(a) Washingtonians cherish privacy as an element of their individual freedom.
(b) Washington is a technology leader on a national and global level and recognizes its distinctive position in promoting the efficient balance of consumer privacy and economic benefits.
(c) Washington explicitly recognizes its citizens' right to privacy under Article I, section 7 of the state Constitution.
(d) There is rapid growth in the volume and variety of personal data being generated, collected, stored, and analyzed. This growth has the potential for great benefits to human knowledge, technological innovation, and economic growth, but also the potential to harm individual privacy and freedom.
(e) Millions of Washingtonians have been affected by electronic data breaches and the resulting loss of privacy, and the net effect, both financially and in the chilling of consumer confidence, has and will continue to cost Washington state businesses.
(f) As technology and businesses continue to push the limits of data collection with exponential rapidity, laws must keep pace as technology and business practices evolve to protect businesses and consumers.
(g) There is a need to preserve individuals' trust and confidence that personal data will be protected appropriately, while supporting flexibility and the free flow of information. Meeting this need will promote continued innovation and economic growth in the networked economy.
(h) Enforcement of general principles in law will ensure that citizens continue to enjoy meaningful privacy protections while affording ample flexibility for technologies and business models to evolve.
(i) The European Union recently updated its privacy law through the passage and implementation of the general data protection regulation, affording its residents the strongest privacy protections in the world. Washington residents deserve to enjoy the same level of robust privacy safeguards.
(j) In addition, the technology industry has been a tremendous driver of economic growth in Washington state. We need to ensure that any new privacy laws not only provide Washington residents with strong privacy protections but also enable industry and others to use data to create innovative technologies, products, and solutions.
(k) Technology will continue to evolve and change. Consequently, any new privacy laws must be technology neutral and flexible, so that they may apply not only to the technologies and products of today, but to the technologies and products of tomorrow.
(l) Washington residents have long enjoyed an expectation of privacy in their public movements. The development of new technology like facial recognition could, if deployed indiscriminately and without guardrails, enable the constant surveillance of any individual any time of the day and every day of the year. Washington residents should have the right to a reasonable expectation of privacy in their movements, and thus should be free from ubiquitous and surreptitious surveillance using facial recognition technology. Further, Washington residents should have the right to expect information about the capabilities and limitations of facial recognition technology and that it should not be deployed by private sector organizations without proper public notice.
(2) As such, the legislature recognizes the consumer protection principles in this act regarding transparency, individual control, respect for context, focused collection and responsible use, security, access, and accuracy.
NEW SECTION.  Sec. 3. DEFINITIONS. The definitions in this section apply throughout this chapter unless the context clearly requires otherwise.
(1) "Affiliate" means a legal entity that controls, is controlled by, or is under common control with, another legal entity.
(2) "Consent" means a clear affirmative act establishing a freely given, specific, informed, and unambiguous indication of a consumer's agreement to the processing of personal data relating to the consumer, such as by a written statement or other clear affirmative action.
(3) "Consumer" means a natural person who is a Washington resident. It does not include an employee or contractor of a business acting in their role as an employee or contractor.
(4) "Controller" means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data.
(5) "Data broker" means a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.
(6) "Deidentified data" means:
(a) Data that cannot be linked to a known natural person without additional information kept separately; or
(b) Data (i) that has been modified to a degree that the risk of reidentification is small, (ii) that is subject to a public commitment by the controller not to attempt to reidentify the data, and (iii) to which one or more enforceable controls to prevent reidentification has been applied. Enforceable controls to prevent reidentification may include legal, administrative, technical, or contractual controls.
(7) "Developer" means a person who creates or modifies the set of instructions or programs instructing a computer or device to perform tasks.
(8) "Identified or identifiable natural person" means a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, specific geolocation data, or an online identifier.
(9) "Minor" means any person under eighteen years of age.
(10) "Personal data" means any information relating to an identified or identifiable natural person. Personal data does not include deidentified data.
(11) "Process" or "processing" means any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, deletion, or destruction.
(12) "Processor" means a natural or legal person which processes personal data on behalf of the controller.
(13) "Profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
(14) "Restriction of processing" means the marking of stored personal data with the aim of limiting the processing of such personal data in the future.
(15)(a) "Sale" means the exchange of personal data for monetary consideration by the controller to a third party for purposes of licensing or selling personal data at the third party's discretion to additional third parties.
(b) "Sale" does not include the following: (i) The disclosure of personal data to a processor who processes the personal data on behalf of the controller; or (ii) the disclosure of personal data to a third party with whom the consumer has a direct relationship for purposes of providing a product or service requested by the consumer or otherwise in a manner that is consistent with a consumer's reasonable expectations considering the context in which the consumer provided the personal data to the controller.
(16) "Sensitive data" means personal data revealing racial or ethnic origin, religious or philosophical beliefs, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning a minor, data concerning health, or data concerning a natural person's sex life or sexual orientation.
(17) "Targeted advertising" means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred over time from a consumer's activities across nonaffiliate web sites, applications, or online services. It does not include advertising to a consumer based upon the consumer's current visit to a web site, application, or online service, or in response to the consumer's request for information or feedback.
NEW SECTION.  Sec. 4. JURISDICTIONAL SCOPE. (1) This chapter applies to legal entities that conduct business in Washington or produce products or services that are intentionally targeted to residents of Washington, and that satisfy one or more of the following thresholds:
(a) Controls or processes data of one hundred thousand consumers or more; or
(b) Derives over fifty percent of gross revenue from the sale of personal information and processes or controls personal information of twenty-five thousand consumers or more.
(2) This chapter does not apply to:
(a) State and local governments;
(b) Personal data sets to the extent that they are regulated by the federal health insurance portability and accountability act of 1996, the federal health information technology for economic and clinical health act, or the Gramm-Leach-Bliley act of 1999; or
(c) Data sets maintained for employment records purposes.
NEW SECTION.  Sec. 5. RESPONSIBILITY ACCORDING TO ROLE. (1) Controllers shall be responsible for meeting the obligations set forth under this act.
(2) Processors are responsible under this act for adhering to the instructions of the controller and assisting the controller to meet its obligations under this chapter.
(3) Processing by a processor shall be governed by a contract between the controller and the processor that is binding on the processor and that sets out the processing instructions to which the processor is bound.
NEW SECTION.  Sec. 6. CONSUMER RIGHTS. Controllers shall facilitate requests to exercise the consumer rights set forth in subsections (1) through (7) of this section.
(1) On request from a consumer, a controller must confirm whether or not personal data concerning the consumer is being processed by the controller, including whether such personal data is sold to data brokers, and, where personal data concerning the consumer is being processed by the controller, provide access to such personal data concerning the consumer.
(a) On request from a consumer, a controller must provide a copy of the personal data undergoing processing. For any further copies requested by the consumer, the controller may charge a reasonable fee based on administrative costs. Where the consumer makes the request by electronic means, and unless otherwise requested by the consumer, the information must be provided in a commonly used electronic form.
(b) This subsection shall not adversely affect the rights of consumers.
(2) On request from a consumer, the controller, without undue delay, must correct inaccurate personal data concerning the consumer. Taking into account the purposes of the processing, the controller must complete incomplete personal data, including by means of providing a supplementary statement.
(3)(a) On request from a consumer, a controller must delete the consumer's personal data without undue delay where one of the following grounds applies:
(i) The personal data is no longer necessary in relation to the purposes for which the personal data was collected or otherwise processed;
(ii) For processing that requires consent under section 8(3) of this act, the consumer withdraws consent to processing and there are no other legitimate grounds for the processing;
(iii) The consumer objects to the processing pursuant to subsection (6) of this section and (A) there are no overriding legitimate grounds for the processing; or (B) the processing is for direct marketing purposes;
(iv) The personal data has been unlawfully processed;
(v) The personal data must be deleted to comply with a legal obligation under federal, state, or local law to which the controller is subject; or
(vi) The personal data has been collected in relation to the offer of a service normally provided for remuneration, at a distance, by electronic means, and at the individual request of the recipient of services.
(b) Where the controller is obliged to delete personal data under this section that has been disclosed to third parties by the controller, including data brokers that received the data through a sale, the controller must take reasonable steps, which may include technical measures, to inform other controllers that are processing the personal data that the consumer has requested the deletion by the other controllers of any links to, or copy or replication of, the personal data. Compliance with this obligation must take into account available technology and cost of implementation.
(c) This subsection does not apply to the extent processing is necessary:
(i) For exercising the right of free speech;
(ii) For compliance with a legal obligation that requires processing by federal, state, or local law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(iii) For reasons of public interest in the area of public health, where the processing (A) is subject to suitable and specific measures to safeguard the rights of the consumer; and (B) is processed by or under the responsibility of a professional subject to confidentiality obligations under federal, state, or local law;
(iv) For archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, where the deletion of such personal data is likely to render impossible or seriously impair the achievement of the objectives of the processing; or
(v) For the establishment, exercise, or defense of legal claims.
(4)(a) On request from a consumer, the controller must restrict processing if one of the following grounds applies:
(i) The accuracy of the personal data is contested by the consumer, for a period enabling the controller to verify the accuracy of the personal data;
(ii) The processing is unlawful and the consumer opposes the deletion of the personal data and requests the restriction of processing instead;
(iii) The controller no longer needs the personal data for the purposes of the processing, but such personal data is required by the consumer for the establishment, exercise, or defense of legal claims; or
(iv) The consumer objects to the processing pursuant to subsection (6) of this section pending the verification of whether the legitimate grounds of the controller override those of the consumer.
(b) Where personal data is subject to a restriction of processing under this subsection, the personal data must, with the exception of storage, only be processed (i) with the consumer's consent; (ii) for the establishment, exercise, or defense of legal claims; (iii) for the protection of the rights of another natural or legal person; or (iv) for reasons of important public interest under federal, state, or local law.
(c) A consumer who has obtained restriction of processing pursuant to this subsection must be informed by the controller before the restriction of processing is lifted.
(5)(a) On request from a consumer, the controller must provide the consumer any personal data concerning such consumer that such consumer has provided to the controller in a structured, commonly used, and machine-readable format if (i)(A) the processing of such personal data requires consent under section 8(3) of this act, (B) the processing of such personal data is necessary for the performance of a contract to which the consumer is a party, or (C) in order to take steps at the request of the consumer prior to entering into a contract; and (ii) the processing is carried out by automated means.
(b) Controllers must transmit the personal data requested under this subsection directly from one controller to another, where technically feasible, and transmit the personal data to another controller without hindrance from the controller to which the personal data was provided.
(c) Requests for personnel data under this subsection must be without prejudice to subsection (3) of this section.
(d) The rights provided in this subsection do not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, and must not adversely affect the rights of others.
(6)(a) A consumer may object, on grounds relating to the consumer's particular situation, at any time to processing of personal data concerning such consumer:
(b) When a consumer objects to direct marketing, which includes the sale of personal data concerning the consumer to third parties for direct marketing purposes, profiling to the extent that it is related to such direct marketing and targeted advertising, the controller must no longer process the personal data subject to the objection for such purpose and must communicate the consumer's objection, unless it proves impossible or involves disproportionate effort, regarding any further processing of the consumer's personal data for such purposes to any third parties to whom the controller sold the consumer's personal data for such purposes. Third parties must honor objection requests pursuant to this subsection received from third-party controllers.
(c) If a consumer objects to processing for any purposes, other than direct marketing, the controller may continue processing the personal data subject to the objection if the controller can demonstrate a compelling legitimate ground to process such personal data.
(7) A consumer must not be subject to a decision based solely on profiling which produces legal effects concerning such consumer or similarly significantly affects the consumer. Legal or similarly significant effects include, but are not limited to, denial of consequential services or support, such as financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, and health care services.
(a) This subsection does not apply if the decision is:
(i) Necessary for entering into, or performance of, a contract between the consumer and a controller;
(ii) Authorized by federal or state law to which the controller is subject and which incorporates suitable measures to safeguard the consumer's rights and legitimate interests, as indicated by the risk assessments required by section 8 of this act; or
(iii) Based on the consumer's consent.
(b) Notwithstanding (a) of this subsection, the controller shall implement suitable measures to safeguard consumer's rights and legitimate interests with respect to decisions based solely on profiling, including providing human review of the decision, to express the consumer's point of view with respect to the decision, and to contest the decision.
(8) A controller must communicate any correction, deletion, or restriction of processing carried out in accordance with subsections (2), (3), or (4) of this section to each third-party recipient to whom the personal data has been disclosed, including third parties that received the data through a sale, unless this proves impossible or involves disproportionate effort. The controller must inform the consumer about such third-party recipients, if any, if the consumer requests such information.
(9) A controller must provide information on action taken on a request under subsections (1) through (7) of this section without undue delay and in any event within thirty days of receipt of the request. That period may be extended by sixty additional days where necessary, taking into account the complexity and number of the requests. The controller must inform the consumer of any such extension within thirty days of receipt of the request, together with the reasons for the delay. Where the consumer makes the request by electronic means, the information must be provided by electronic means where possible, unless otherwise requested by the consumer.
(a) If a controller does not take action on the request of a consumer, the controller must inform the consumer without undue delay and at the latest within thirty days of receipt of the request of the reasons for not taking action and any possibility for internal review of the decision by the controller.
(b) Information provided under this section must be provided by the controller free of charge to the consumer. Where requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either: (i) Charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or (ii) refuse to act on the request. The controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request.
(c) Where the controller has reasonable doubts concerning the identity of the consumer making a request under subsections (1) through (7) of this section, the controller may request the provision of additional information necessary to confirm the identity of the consumer.
NEW SECTION.  Sec. 7. TRANSPARENCY. (1) Controllers must be transparent and accountable for their processing of personal data, by making available in a form that is reasonably accessible to consumers a clear, meaningful privacy notice that includes:
(a) The categories of personal data collected by the controller;
(b) The purposes for which the categories of personal data are used and disclosed to third parties, if any;
(c) The rights that consumers may exercise pursuant to section 6 of this act, if any;
(d) The categories of personal data that the controller shares with third parties, if any; and
(e) The categories of third parties, if any, with whom the controller shares personal data.
(2) Controllers that engage in profiling must disclose such profiling to the consumer at or before the time personal data is obtained, including meaningful information about the logic involved and the significance and envisaged consequences of the profiling.
(3) If a controller sells personal data to data brokers or processes personal data for direct marketing purposes, including targeted marketing and profiling to the extent that it is related to such direct marketing, it must disclose such processing, as well as the manner in which a consumer may exercise the right to object to such processing, in a clear and prominent manner.
NEW SECTION.  Sec. 8. DOCUMENTED RISK ASSESSMENTS. (1) Controllers must conduct and document risk assessments covering the processing of personal data prior to the processing of such personal data whenever there is a change in processing that materially impacts the risk to individuals, and on at least an annual basis regardless of changes in processing. Risk assessments must take into account the type of personal data to be processed by the controller, including the extent to which the personal data is sensitive data or otherwise sensitive in nature, and the context in which the personal data is to be processed.
(2) Risk assessments conducted under subsection (1) of this section must identify and weigh the benefits that may flow directly and indirectly from the processing to the controller, consumer, other stakeholders, and the public, against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risks. The use of deidentified data and the reasonable expectations of consumers must factor into this assessment by the controller.
(3) If the risk assessment conducted under subsection (1) of this section determines that the potential risks to the rights of the consumer outweigh the interests of the controller, consumer, other stakeholders, and the public in processing the personal data of the consumer, the controller may only engage in such processing with the consent of the consumer. Such consent shall be as easy to withdraw as to give.
(4) The controller must make the risk assessment available to the attorney general upon request. Risk assessments are confidential and exempt from public inspection and copying under chapter 42.56 RCW.
NEW SECTION.  Sec. 9. DEIDENTIFIED DATA. A controller or processor that uses deidentified data must exercise reasonable oversight to monitor compliance with any contractual commitments to which the deidentified data is subject, and must take appropriate steps to address any breaches of contractual commitments.
NEW SECTION.  Sec. 10. EXEMPTIONS. (1) The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to:
(a) Comply with federal, state, or local laws;
(b) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
(c) Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local law;
(d) Investigate, exercise, or defend legal claims; or
(e) Prevent or detect identity theft, fraud, or other criminal activity or verify identities.
(2) The obligations imposed on controllers or processors under this chapter do not apply where compliance by the controller or processor with this chapter would violate an evidentiary privilege under Washington law and do not prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under Washington law as part of a privileged communication.
(3) A controller or processor that discloses personal data to a third-party controller or processor in compliance with the requirements of this chapter is not in violation of this chapter, including under section 11 of this act, if the third-party recipient processes such personal data in violation of this chapter, provided that, at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the third-party recipient intended to commit a violation. A third-party recipient receiving personal data from a controller or processor is likewise not liable under this chapter, including under section 11 of this act, for the obligations of a controller or processor to which it provides services.
(4) This chapter does not require a controller or processor to do the following:
(a) Reidentify deidentified data;
(b) Retain personal data concerning a consumer that it would not otherwise retain in the ordinary course of business;
(c) Comply with a request to exercise any of the rights under section 6 (1) through (7) of this act if the controller is unable to verify, using commercially reasonable efforts, the identity of the consumer making the request.
(5) Obligations imposed on controllers and processors under this chapter do not:
(a) Adversely affect the rights of any persons; or
(b) Apply to the processing of personal data by a natural person in the course of a purely personal or household activity.
NEW SECTION.  Sec. 11. LIABILITY. (1) This chapter does not serve as the basis for a private right of action under this chapter or any other law.
(2) Where more than one controller or processor, or both a controller and a processor, involved in the same processing, is in violation of this chapter, the liability shall be allocated among the parties according to principles of comparative fault, unless such liability is otherwise allocated by contract among the parties.
NEW SECTION.  Sec. 12. ENFORCEMENT. (1) The legislature finds that the practices covered by this chapter are matters vitally affecting the public interest for the purpose of applying the consumer protection act, chapter 19.86 RCW. A violation of this chapter is not reasonable in relation to the development and preservation of business and is an unfair or deceptive act in trade or commerce and an unfair method of competition for the purpose of applying the consumer protection act, chapter 19.86 RCW.
(2) The attorney general may bring an action in the name of the state, or as parens patriae on behalf of persons residing in the state, to enforce this chapter.
(3) A controller or processor is in violation of this chapter if it fails to cure any alleged breach of sections 7 through 10 of this act within thirty days after receiving notice of alleged noncompliance. Any controller or processor that violates this chapter is subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars for each violation or seven thousand five hundred dollars for each intentional violation.
(4) The consumer privacy account is created in the state treasury. All receipts from the imposition of civil penalties under this chapter must be deposited into the account. Moneys in the account may be spent only after appropriation. Expenditures from the account may be used only to fund the office of privacy and data protection as established under RCW 43.105.369.
NEW SECTION.  Sec. 13. PREEMPTION. This chapter supersedes and preempts laws adopted by any local entity regarding the processing of personal data by controllers or processors.
NEW SECTION.  Sec. 14. FACIAL RECOGNITION. (1) Controllers using facial recognition for profiling must employ meaningful human review prior to making final decisions based on such profiling where such final decisions produce legal effects concerning consumers or similarly significant effects concerning consumers. Decisions producing legal effects or similarly significant effects shall include, but not be limited to, denial of consequential services or support, such as financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, and health care services.
(2) Processors that provide facial recognition services must provide documentation that includes general information that explains the capabilities and limitations of the technology in terms that customers and consumers can understand.
(3) Processors that provide facial recognition services must prohibit, in the contract required by section 5 of this act, the use of such facial recognition services by controllers to unlawfully discriminate under federal or state law against individual consumers or groups of consumers.
(4) Controllers must obtain consent from consumers prior to deploying facial recognition services. The placement of conspicuous notice in physical premises or online that clearly conveys that facial recognition services are being used constitutes a consumer's consent to the use of such facial recognition services when that consumer enters those premises or proceeds to use the online services that have such notice, provided that there is a means by which the consumer may exercise choice as to facial recognition services.
(5) Providers of commercial facial recognition services that make their technology available as an online service for developers and customers to use in their own scenarios must make available an application programming interface or other technical capability, chosen by the provider, to enable third parties that are legitimately engaged in independent testing to conduct reasonable tests of those facial recognition services for accuracy and unfair bias.
(6) For purposes of this section, "facial recognition" means technology that analyzes facial features and is used for the unique personal identification of natural persons in still or video images.
NEW SECTION.  Sec. 15. A new section is added to chapter 9.73 RCW to read as follows:
(1) State and local government agencies shall not use facial recognition technology to engage in ongoing surveillance of specified individuals in public spaces, unless such use is in support of law enforcement activities and either (a) a court order has been obtained to permit the use of facial recognition services for that ongoing surveillance; or (b) where there is an emergency involving imminent danger or risk of death or serious physical injury to a person.
(2) This section applies to all Washington state and local government agencies.
(3) For purposes of this section, "facial recognition" means the same as in section 14 of this act.
Sec. 16. RCW 43.105.369 and 2016 c 195 s 2 are each amended to read as follows:
(1) The office of privacy and data protection is created within the office of the state chief information officer. The purpose of the office of privacy and data protection is to serve as a central point of contact for state agencies on policy matters involving data privacy and data protection.
(2) The director shall appoint the chief privacy officer, who is the director of the office of privacy and data protection.
(3) The primary duties of the office of privacy and data protection with respect to state agencies are:
(a) To conduct an annual privacy review;
(b) To conduct an annual privacy training for state agencies and employees;
(c) To articulate privacy principles and best practices;
(d) To coordinate data protection in cooperation with the agency; and
(e) To participate with the office of the state chief information officer in the review of major state agency projects involving personally identifiable information.
(4) The office of privacy and data protection must serve as a resource to local governments and the public on data privacy and protection concerns by:
(a) Developing and promoting the dissemination of best practices for the collection and storage of personally identifiable information, including establishing and conducting a training program or programs for local governments; and
(b) Educating consumers about the use of personally identifiable information on mobile and digital networks and measures that can help protect this information.
(5) By December 1, 2016, and every four years thereafter, the office of privacy and data protection must prepare and submit to the legislature a report evaluating its performance. The office of privacy and data protection must establish performance measures in its 2016 report to the legislature and, in each report thereafter, demonstrate the extent to which performance results have been achieved. These performance measures must include, but are not limited to, the following:
(a) The number of state agencies and employees who have participated in the annual privacy training;
(b) A report on the extent of the office of privacy and data protection's coordination with international and national experts in the fields of data privacy, data protection, and access equity;
(c) A report on the implementation of data protection measures by state agencies attributable in whole or in part to the office of privacy and data protection's coordination of efforts; and
(d) A report on consumer education efforts, including but not limited to the number of consumers educated through public outreach efforts, as indicated by how frequently educational documents were accessed, the office of privacy and data protection's participation in outreach events, and inquiries received back from consumers via telephone or other media.
(6) Within one year of June 9, 2016, the office of privacy and data protection must submit to the joint legislative audit and review committee for review and comment the performance measures developed under subsection (5) of this section and a data collection plan.
(7) The office of privacy and data protection shall submit a report to the legislature on the: (a) Extent to which telecommunications providers in the state are deploying advanced telecommunications capability; and (b) existence of any inequality in access to advanced telecommunications infrastructure experienced by residents of tribal lands, rural areas, and economically distressed communities. The report may be submitted at a time within the discretion of the office of privacy and data protection, at least once every four years, and only to the extent the office of privacy and data protection is able to gather and present the information within existing resources.
(8) The office of privacy and data protection must conduct an analysis on the public sector use of facial recognition. By September 30, 2023, the office of privacy and data protection must submit a report of its findings to the appropriate committees of the legislature.
NEW SECTION.  Sec. 17. Sections 3 through 14 of this act constitute a new chapter in Title 19 RCW.
NEW SECTION.  Sec. 18. This act takes effect December 31, 2020.