SENATE BILL REPORT
SSB 5152
As Passed Senate, March 3, 2021
Title: An act relating to enhancing data stewardship and privacy protections for vehicle and driver data by clarifying the allowable uses of personal or identity information, prescribing penalties for data misuse, and codifying existing data contract practices.
Brief Description: Enhancing data stewardship and privacy protections for vehicle and driver data.
Sponsors: Senate Committee on Transportation (originally sponsored by Senators Nguyen, Rivers, Carlyle, Das, Kuderer, Muzzall, Salda?a and Wilson, C.; by request of Department of Licensing).
Brief History:
Committee Activity: Transportation: 1/25/21, 2/04/21 [DPS, w/oRec].
Floor Activity: Passed Senate: 3/3/21, 49-0.
Brief Summary of First Substitute Bill
  • Defines personal or identity information that are applicable to all driver and vehicle records the Department of Licensing (DOL) administers.
  • Requires DOL to enter into a contract prior to providing data containing personal or identity information and specifies the minimum contract provisions.
  • Creates a new civil penalty of up to $20,000 per incident of unauthorized disclosure or use of personal or identity information.
SENATE COMMITTEE ON TRANSPORTATION
Majority Report: That Substitute Senate Bill No. 5152 be substituted therefor, and the substitute bill do pass.
Signed by Senators Hobbs, Chair; Saldaña, Vice Chair; King, Ranking Member; Cleveland, Das, Lovelett, Nguyen, Nobles, Randall, Sheldon and Wilson, C.
Minority Report: That it be referred without recommendation.
Signed by Senators Fortunato, Padden and Wilson, J.
Staff: Kimberly Johnson (786-7472)
Background:

The Department of Licensing (DOL) handles the personal data of approximately 6 million driver records and 8 million vehicle and vessel owner records.

 

There are a number of federal and state laws governing how DOL may share data.  One example is the Driver Privacy Protection Act, enacted by Congress in 1994, which regulates state governments' release of personal information contained in an individual's motor vehicle record.  The state Open Public Records Act also requires the disclosure of certain types of data collected and maintained by DOL.  There are many purposes for which DOL releases driver and vehicle data.  Examples include, but are not limited to, selective service, insurance underwriting, child support collection, motor vehicle safety recalls, license plate search for registered owner information for tolling, parking and law enforcement purposes, and court records and proceedings.

 

Vehicle Records.  Under current law, prior to the release of any vehicle record information, DOL must enter into a contract with an authorized entity.  The contract must contain provisions requiring DOL or its agent, to conduct regular permissible use and data security audits.  DOL must charge a fee for this information.  DOL has contracts with both governmental and private entities. 

 

The following constitute a gross misdemeanor:

  • unauthorized disclosure of information from a vehicle or vessel record;
  • use of information from a vehicle or vessel record for a purpose other than what was stated in the request or in the disclosure agreement;
  • sale or distribution of information from a vehicle or vessel record to a person not disclosed in the disclosure agreement; or
  • the use of a false representation to obtain information from a vehicle or vessel record. 

 

Driver Records.  Upon the proper request, DOL may provide an abstract of a person's driving record to specified entities which include, but are not limited to, prospective employers, county prosecuting attorneys, insurance companies, transit authorities, units of local governments, and the Office of the Superintendent of Public Instruction.  There are limitations on the purpose for which the abstract may be provided and some of the transactions require payment of a fee. 

 

The abstract, whenever possible, must include:

  • information related to motor vehicle accidents in which the person was driving;
  • any reported convictions, forfeitures of bail, or findings that an infraction was committed based on a violation of any motor vehicle law;
  • the status of the person's driving privilege in the state; and
  • any reports of failure to appear in response to a traffic citation or failure to respond to a notice of infraction served by an arresting officer. 

 

DOL may contract with specified entities to allow for monitoring driver record abstract changes.  This service is provided for a fee set by DOL at an amount that will not result in a net revenue loss to the state.

Summary of First Substitute Bill:

Definitions.  "Identity information" means information that identifies an individual, or may be used to determine the identity of an individual, including:

  • federal tax identification number or employer identification number;
  • residential and mailing address, but not the five-digit zip code;
  • email address;
  • telephone number;
  • registered and legal vehicle owner name;
  • gender;
  • place of birth;
  • voter information status; and
  • selective service information.

 

Personal information is defined to mirror the Public Records Act definition which includes an individual's first name or first initial and last name in combination with any one or more of the following data elements:

  • social security number or the last four digits of the social security number;
  • driver's license number or Washington identification card number;
  • account number, credit or debit card number, or any required security code, access code, or password that would permit access to an individual's financial account, or any other numbers or information that can be used to access a person's financial account;
  • full date of birth;
  • private key that is unique to an individual and that is used to authenticate or sign an electronic record;
  • student, military, or passport identification number;
  • health insurance policy number or health insurance identification number;
  • any information about a consumer's medical history or mental or physical condition or about a health care professional's medical diagnosis or treatment of the consumer; or
  • biometric data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual.

 

The terms data services and transportation network companies are also defined. 

 

Any personal or identity information obtained by DOL in the administration of driver and vehicle records is private and confidential except as otherwise provided in federal and state law.

 

Obligations of Data Recipients.  All authorized recipients of personal or identity information have an affirmative obligation to take all reasonable actions necessary to prevent the unauthorized disclosure and misuse of personal or identity information.  DOL may require an audit or investigation of any entity receiving personal or identity information that originated from DOL.

 

If data is misused or disclosed without authorization, all parties aware of the violation must inform DOL and take all reasonably available actions to mitigate and rectify the disclosure.

 

Contract Requirements.  Prior to providing data services that include the lawful release of any personal or identity information DOL must enter into a contract with the entity authorized to receive the information.  The contract must include, at a minimum:

  • limitations and restrictions for the use of personal or identity information;
  • a requirement that the data recipient allow DOL or its agent to conduct regular permissible use audits;
  • a requirement that the data recipient undergo regular data security audits, and standards for the conduct of such audits;
  • a provision that all costs of the audits are not the responsibility of DOL;
  • provisions governing redisclosure of personal or identity information by a data recipient or subrecipient other than to those categories of parties permitted by contract and standards for the handling of such information;
  • a statement that the ownership of data remains with DOL and does not transfer to the data recipient or subrecipient; and
  • a provision that the data recipient must conduct or review regular data security and permissible use audits of all subrecipients, and standards for the conduct of the audits.

 

DOL is authorized to adopt other contract requirements as necessary to ensure the privacy of individuals and protection of personal or identity information.

 

Penalties.  The unauthorized use or disclosure of personal or identity information is subject to a civil penalty up to $20,000, per incident.  The penalty cap is annually adjusted by DOL based on the consumer price index.  Other applicable sanctions in federal and state law may also apply.  Additionally, a data recipient may be denied further access to personal or identity information.

 

Vehicle Data.  The purposes for which DOL may release lists of registered and legal owners of vehicles to governmental entities is expanded. 

 

The penalties specifically tied to the violation of a contract for vehicle data are modified.  DOL is authorized, rather than required, to suspend a person's ability to receive data for up to five years. 

 

Driver Data.  DOL is authorized to provide:

  • a three-year insurance carrier driving record to an employer for existing employees only for underwriting purposes;
  • an abstract of the full driving record to an employer or prospective employer when it is required by federal or state law, or if the employee or prospective employee will be handling heavy equipment or machinery;
  • an abstract of the driving record to state and federal agencies in carrying out the agency's functions;
  • a full driving abstract to a transportation network company for purposes related to driving by an individual as a condition of being a contracted driver; and
  • driving record data to state agencies and bona fide scientific research organizations.

 

DOL may provide driving record review services for a transportation network company. 

 

The purposes for which an employer may release a driving record to a third party are specified.

 

The Office of the Superintendent of Public Instruction is not required to pay for a driver abstract.  A state agency or scientific research profession associated with a bona fide scientific research organization are exempt from paying the fees related to reviewing driving records, other than the cost to provide the data.

Appropriation: None.
Fiscal Note: Available.
Creates Committee/Commission/Task Force that includes Legislative members: No.
Effective Date: Ninety days after adjournment of session in which bill is passed.
Staff Summary of Public Testimony on Original Bill:

The committee recommended a different version of the bill than what was heard.  PRO:  This is agency request legislation and builds on the strategic investments the agency has made in data privacy.  The bill modernizes DOL statutes and provides additional protections against misuse.  It also modernizes our data laws.
 
There are three elements of this bill to highlight.  We want to codify the existing practices and protections that are currently in our data contracts and apply them uniformly across driver and vehicle data.  The new civil penalty for data misuse is key.  One example, is once a contract is terminated, data recipients are supposed to permanently delete the data, but because we are no longer in a contract we lose the ability to ensure that they comply.  The bill aligns and streamlines our driver and vehicle data sharing laws, without removing access to data for existing clients, and providing for clear protections and audits.

Persons Testifying: PRO: Senator Joe Nguyen, Prime Sponsor; Beau Perschbacher, Deptartment of Licensing.
Persons Signed In To Testify But Not Testifying: No one.