FINAL BILL REPORT
SSB 5152
C 93 L 21
Synopsis as Enacted
Brief Description: Enhancing data stewardship and privacy protections for vehicle and driver data.
Sponsors: Senate Committee on Transportation (originally sponsored by Senators Nguyen, Rivers, Carlyle, Das, Kuderer, Muzzall, Saldaña and Wilson, C.; by request of Department of Licensing).
Senate Committee on Transportation
House Committee on Transportation
Background:

The Department of Licensing (DOL) handles the personal data of approximately 6 million driver records and 8 million vehicle and vessel owner records.

 

There are a number of federal and state laws governing how DOL may share data.  One example is the Driver Privacy Protection Act, enacted by Congress in 1994, which regulates state governments' release of personal information contained in an individual's motor vehicle record.  The state Open Public Records Act also requires the disclosure of certain types of data collected and maintained by DOL.  There are many purposes for which DOL releases driver and vehicle data.  Examples include, but are not limited to, selective service, insurance underwriting, child support collection, motor vehicle safety recalls, license plate search for registered owner information for tolling, parking and law enforcement purposes, and court records and proceedings.

 

Vehicle Records.  Under current law, prior to the release of any vehicle record information, DOL must enter into a contract with an authorized entity.  The contract must contain provisions requiring DOL, or its agent, to conduct regular permissible use and data security audits.  DOL must charge a fee for this information.  DOL has contracts with both governmental and private entities.

 

The following constitute a gross misdemeanor:

  • unauthorized disclosure of information from a vehicle or vessel record;
  • use of information from a vehicle or vessel record for a purpose other than what was stated in the request or in the disclosure agreement;
  • sale or distribution of information from a vehicle or vessel record to a person not disclosed in the disclosure agreement; or
  • the use of a false representation to obtain information from a vehicle or vessel record. 

 

Driver Records.  Upon the proper request, DOL may provide an abstract of a person's driving record to specified entities which include, but are not limited to, prospective employers, county prosecuting attorneys, insurance companies, transit authorities, units of local governments, and the Office of the Superintendent of Public Instruction.  There are limitations on the purpose for which the abstract may be provided and some of the transactions require payment of a fee. 

 

The abstract, whenever possible, must include:

  • information related to motor vehicle accidents in which the person was driving;
  • any reported convictions, forfeitures of bail, or findings that an infraction was committed based on a violation of any motor vehicle law;
  • the status of the person's driving privilege in the state; and
  • any reports of failure to appear in response to a traffic citation or failure to respond to a notice of infraction served by an arresting officer. 

 

DOL may contract with specified entities to allow for monitoring driver record abstract changes.  This service is provided for a fee set by DOL at an amount that will not result in a net revenue loss to the state.

Summary:

Definitions.  "Identity information" means information that identifies an individual, or may be used to determine the identity of an individual, including:

  • federal tax identification number or employer identification number;
  • residential and mailing address, but not the five-digit zip code;
  • email address;
  • telephone number;
  • registered and legal vehicle owner name;
  • gender;
  • place of birth;
  • voter information status; and
  • selective service information.

 

Personal information is defined to mirror the Public Records Act definition which includes an individual's first name or first initial and last name in combination with any one or more of the following data elements:

  • social security number or the last four digits of the social security number;
  • driver license number or Washington identification card number;
  • account number, credit or debit card number, or any required security code, access code, or password that would permit access to an individual's financial account, or any other numbers or information that can be used to access a person's financial account;
  • full date of birth;
  • private key unique to an individual and used to authenticate or sign an electronic record;
  • student, military, or passport identification number;
  • health insurance policy number or health insurance identification number;
  • any information about a consumer's medical history or mental or physical condition, or about a health care professional's medical diagnosis or treatment of the consumer; or
  • biometric data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics used to identify a specific individual.

 

The terms data services and transportation network companies are also defined. 

 

Any personal or identity information obtained by DOL in the administration of driver and vehicle records is private and confidential except as otherwise provided in federal and state law.

 

Obligations of Data Recipients.  All authorized recipients of personal or identity information have an affirmative obligation to take all reasonable actions necessary to prevent the unauthorized disclosure and misuse of personal or identity information.  DOL may require an audit or investigation of any entity receiving personal or identity information that originated from DOL.

 

If data is misused or disclosed without authorization, all parties aware of the violation must inform DOL and take all reasonably available actions to mitigate and rectify the disclosure.

 

Contract Requirements.  Prior to providing data services that include the lawful release of any personal or identity information, DOL must enter into a contract with the entity authorized to receive the information.  The contract must include, at a minimum:

  • limitations and restrictions for the use of personal or identity information;
  • a requirement that the data recipient allow DOL or its agent to conduct regular permissible use audits;
  • a requirement that the data recipient undergo regular data security audits, and standards for the conduct of such audits;
  • a provision that all costs of the audits are not the responsibility of DOL;
  • provisions governing redisclosure of personal or identity information by a data recipient or subrecipient other than to those categories of parties permitted by contract and standards for the handling of such information;
  • a statement that the ownership of data remains with DOL and does not transfer to the data recipient or subrecipient; and
  • a provision that the data recipient must conduct or review regular data security and permissible use audits of all subrecipients, and standards for the conduct of the audits.

 

DOL is authorized to adopt other contract requirements necessary to ensure the privacy of individuals and protection of personal or identity information.

 

Penalties.  The unauthorized use or disclosure of personal or identity information is subject to a civil penalty up to $20,000 per incident.  The penalty cap is annually adjusted by DOL based on the consumer price index.  Other applicable sanctions in federal and state law may also apply.  Additionally, a data recipient may be denied further access to personal or identity information.

 

Vehicle Data.  The purposes for which DOL may release lists of registered and legal owners of vehicles to governmental entities are expanded.

 

The penalties specifically tied to the violation of a contract for vehicle data are modified.  DOL is authorized, rather than required, to suspend a person's ability to receive data for up to five years. 

 

Driver Data.  DOL is authorized to provide:

  • a three-year insurance carrier driving record to an employer for existing employees only for underwriting purposes;
  • an abstract of the full driving record to an employer or prospective employer when it is required by federal or state law, or if the employee or prospective employee will be handling heavy equipment or machinery;
  • an abstract of the driving record to state and federal agencies in carrying out the agency's functions;
  • a full driving abstract to a transportation network company related to driving by an individual as a condition of being a contracted driver; and
  • driving record data to state agencies and bona fide scientific research organizations.

 

DOL may provide driving record review services for a transportation network company. 

 

The purposes for which an employer may release a driving record to a third party are specified.

 

The Office of the Superintendent of Public Instruction is not required to pay for a driver abstract.  A state agency or scientific research professional associated with a bona fide scientific research organization is exempt from paying the fees related to reviewing driving records, other than the cost to provide the data.

Votes on Final Passage:
Senate 49 0
House 76 22
Effective:

July 25, 2021