SENATE BILL REPORT
SB 6822
As Reported By Senate Committee On:
Commerce, Trade, Housing & Financial Institutions, February 3, 2000
Title: An act relating to the privacy of personal information in commercial transactions involving information custodians other than financial institutions who maintain and transfer information.
Brief Description: Protecting privacy of personal commercial information.
Sponsors: Senators Prentice and Gardner.
Brief History:
Committee Activity: Commerce, Trade, Housing & Financial Institutions: 2/3/2000 [DP].
SENATE COMMITTEE ON COMMERCE, TRADE, HOUSING & FINANCIAL INSTITUTIONS
Majority Report: Do pass.
Signed by Senators Prentice, Chair; Shin, Vice Chair; Gardner, Hale, Rasmussen, T. Sheldon and Winsley.
Staff: Dave Cheal (786-7576)
Background: Information technology has greatly facilitated the collection, analysis and dissemination of vast amounts of personal data. The result is that personal data has become a marketable commodity. Another result is that consumers are increasingly privacy conscious and alarmed about whether they have control over highly personal and private information. The concerns range from annoyance due to a barrage of mail, phone calls, and e-mail, to the horror of identity theft.
Locally, news of certain information sharing practices of some business last summer was followed by a large number of alarmed calls to the Department of Financial Institutions and the Attorney General=s Office. This committee held a hearing on the issue last July. The Attorney General formed a work group representing a wide array of interests, including representatives of retailers and banks, victims of identity theft, the technology industry and legislators. The goal of the work group was to develop legislation that could return a measure of control over personal information to consumers, and provide protection against the worst abuses of information access.
Summary of Bill: Privacy and control of personal information in a commercial context are addressed. Commercial entities affected are Ainformation custodians,@ defined as all entities, other than financial institutions, that maintain data containing personal or sensitive information, who transfer that information to others, including affiliates, for purposes other than those requested by the customer. Information custodians must adopt a privacy policy containing certain prescribed elements, and disseminate it to current and prospective consumers according to the schedule provided.
Information about individuals is divided into two categories: Apersonal information@ and Asensitive information.@ APersonal information@ is information provided in a commercial context that facilitates profiling and targeting, such as buying practices, business relationships, assets, demographic information, name, address, telephone number, or e-mail address. ASensitive information@ means information obtained in a commercial context such as account numbers, access codes, current or historical balances, Social Security numbers, or information held for the purpose of account access or transaction initiation.
Sensitive information can be transferred to third parties only upon a positive authorization of the consumer following provision of full information about the exact information to be transferred, the purpose of the transfer, and the expiration date of the authorization. Several exceptions are made: disclosure required by law, court order, or search warrant, disclosure to debt collectors, disclosure to consumer reporting agencies as defined by the federal Fair Credit Reporting Act, and disclosure to protect against fraud.
Personal information can be transferred to third parties or used for marketing unless the consumer positively objects to the transfer after being given full information of their rights and having been provided with the privacy policy of the business. If the consumer chooses not to have their personal information shared or not to receive marketing information, time deadlines for compliance with this choice are provided. Exceptions similar to those for sensitive information are listed.
Personal or sensitive information can be transferred to third parties if the transfer is reasonably necessary to complete a transaction requested by the consumer.
Before transferring either sensitive or personal information, information custodians must obtain agreements from transferees that they will keep the information confidential, and use it only for the purpose for which it was originally shared.
A violation of the act is a violation of the Consumer Protection Act. Damages are limited to $500 or actual damages, whichever is greater. If the violation is found to be willful, recovery may be up to $1,500 or three times actual damages, whichever is greater. An action based on failure to stop marketing to the consumer as required may only be brought after the consumer notifies the violator and further violation occurs.
Appropriation: None.
Fiscal Note: Requested on January 19, 2000.
Effective Date: Ninety days after adjournment of session in which bill is passed.
Testimony For: None.
Testimony Against (concerns): The bill contains serious limitations on legitimate business functions and exposes businesses to frivolous lawsuits. Some of the information the bill presumes to protect from transfer among businesses is available from other public sources.
Testified: Jan Gee, WA Retail Assn., WA Food Industry (concerns); Bill Stauffacher, Direct Marketing Assn. (concerns).