AN ACT Relating to the privacy of personal information in commercial transactions involving financial institutions and others who maintain and transfer information; amending RCW 19.16.250, 9.35.010, and 9.35.020; adding new sections to chapter 9.35 RCW; adding a new chapter to Title 19 RCW; creating new sections; prescribing penalties; and providing an effective date.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF WASHINGTON:

NEW SECTION. Sec. 1. INTENT. (1) The legislature finds that every entity has an affirmative and continuing obligation to respect the privacy of its consumers and to protect the security and confidentiality of consumers. The legislature finds that Washington's citizens have a right to privacy and a reasonable expectation that the personal information that they provide in commercial transactions with financial institutions and others who maintain and transfer information will be kept private and confidential. The legislature finds that there is no existing uniform law that creates an appropriate standard of conduct for disclosure of consumers' personal information and that Washington's citizens need additional statutory protection from fraud, deception, nuisance, invasion of privacy, and breach of confidentiality related to the disclosure of personal information. The legislature intends to ensure that entities and consumers work cooperatively to protect consumer information and enforce sanctions when violations occur.

(2) The legislature finds that the disclosure of personal and sensitive information has caused specific significant harms to Washington consumers, including the appearance of unauthorized charges or debits on consumers' accounts, misappropriation of sensitive information for the purpose of assuming a consumer's identity, the unwanted and unintended dissemination of personal and sensitive information, and the invasion of privacy.

(3) The legislature finds that the flow of less sensitive personal information has resulted in a number of increased market efficiencies that are beneficial to consumers. These include more rapid credit transactions and check verifications, as well as an increased number of choices for products and services. The legislature finds that these benefits can be maintained by giving consumers the opportunity to choose whether their less sensitive information will be shared. The legislature finds that giving consumers this choice best balances the benefits and harms of disclosure of such information.

(4) The legislature finds that the incidence of identity theft is rapidly growing, and that victims of identity theft need further assistance in obtaining the information necessary to the prosecution of their cases. The legislature finds that requiring additional information sharing by merchants with victims will result in greater protections for consumers and deter potential perpetrators.

NEW SECTION. Sec. 2. DEFINITIONS. Unless the context clearly requires otherwise, the definitions in this section apply throughout this chapter.

(1) "Affiliate" means an entity that controls, is controlled by, or is under common control or common ownership with another entity. Companies that form alliances as a financial services group for purposes of marketing their services and are located at a common address, have personnel and payroll functions administered through a central office, jointly sponsor one combined employee savings and profit sharing plan, and have centralized data processing, mail service, communications, and procurement are considered under common control and affiliated with each other.

(2) "Consumer" or "customer" means a natural person or his or her legal representative, who is a resident of the state of Washington, who has been disclosed to be a resident of the state of Washington, and who purchases, leases, or otherwise contracts for products, goods, or services within the state of Washington or from an entity at its location in the state of Washington, that are primarily used for personal, family, or household purposes on or after the effective date of this section and who continues to be a resident of the state of Washington.

(3) "Control" means (a) ownership, control, or power to vote twenty-five percent or more of the outstanding shares of any class of voting security of the company, directly or indirectly, or acting through one or more other persons, if the company is shareholder-owned; (b) control in any manner over the election of a majority of the directors, trustees, or general partners (or individuals exercising similar functions) of the company; and (c) the power to exercise, directly or indirectly, a controlling influence over the management or policies of the company.

(4) "Consumer-requested purpose" means for the purpose of establishing or maintaining a business relationship, completing a transaction, or providing a product, good, or service requested by the consumer if the personal or sensitive information that is sold, shared, or transferred is subject to section 9(1) of this act.

(5) "De minimus cost method" means any method, such as a toll-free telephone number, a post office box or address for accepting first-class mail, or any similar, convenient, low-cost method, which does not exceed the cost of a first-class postage stamp for the consumer. If other de minimus cost methods are offered, accepting e-mail or online messages from consumers shall be considered a de minimus cost method.

(6) "Financial institution" means (a) a financial institution as defined in section 527(4) of the Gramm-Leach-Bliley Act, P.L. 106-102; or (b) a bank holding company or financial holding company, as defined in sections 2(a) and 2(p) of the Bank Holding Company Act, as amended, or any subsidiary thereof as defined in section 2(d) of the Bank Holding Company Act, as amended.

(7) "Functional business purpose" means use or disclosure of sensitive or personal information between an information custodian and another entity or person to perform services or functions on behalf of the information custodian as part of the information custodian's provision of its products, goods, or services to its customers, or to assist in the maintenance or analysis of its relationships with customers, if the personal or sensitive information that is sold, shared, or transferred is subject to section 9 of this act;

(8) "Information custodian" means all nonpublic commercial entities that maintain data containing personal information or sensitive information about consumers they actually know reside in Washington and that sell, share, or otherwise transfer the information to nonaffiliates for purposes other than consumer-requested purposes, functional business purposes, or under the circumstances described in section 5(3) or 7(3) of this act. An "information custodian" does not include a consumer reporting agency, as defined in the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.), to the extent its activities are directly related to assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and to the extent that the activities are regulated by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.). "Information custodian" does not include an agent or other entity (a) who obtains personal or sensitive information from a consumer or an information custodian; and (b) who has contracted, in writing, with the information custodian to provide products, goods, or services on behalf of the information custodian, that are part of or integral to the provision of the information custodian's own products, goods, or services to the consumer; and (c) who does not make an independent use, including marketing use, of the personal or sensitive information, apart from providing the products, goods, or services described in subsection (8)(b) of this section; and (d) who is subject to section 9 of this act. "Information custodian" does not include an entity that sells, shares, or transfers personal or sensitive information exclusively for consumer-requested purposes, functional business purposes, or under the circumstances described in section 5(3) or 7(3) of this act.

(9) "Marketer" means a nonpublic, commercial entity that maintains data containing personal information or sensitive information about consumers it knows reside in Washington and uses the information to engage in marketing.

(10) "Marketing" or "marketing information" means a promotion, solicitation, or advertisement that specifically references the sale or lease of products, goods, or services made through written, telephonic, electronic, or other means, that is directed to a specific named consumer, but shall not include any promotion, solicitation, or advertisement (a) included with a billing or statement, (b) directed to the public, or (c) made to such consumer while present at the marketer's place of business or during any other contact with the marketer initiated by or at the request of the consumer.

(11) "Personal information" means information that is provided by the consumer in a commercial context, and is correlated to a specific individual consumer, that concerns the amount or condition of the consumer's assets, liabilities, financial transactions, purchasing history, buying preferences, business relationships, customer status, demographic information, name, address, telephone number, electronic mail address, or that reflects current or historical deposit or credit card account balances or purchase amounts.

(12) "Sensitive information" means information maintained in a commercial context that is correlated to a specific individual consumer or a specific account and customarily held or used for the purpose of the consumer's transaction initiation, account access or identity verification, and includes account numbers, access codes or passwords, social security numbers, consumer tax identification numbers, driver's license or permit numbers, state identicard numbers issued by the department of licensing, and credit card numbers or expiration dates, and electronically captured signatures.

NEW SECTION. Sec. 3. RESTRICTION ON CONSUMER INFORMATION. Information custodians and marketers shall, in performing a transaction with a consumer, providing a service for a consumer, or establishing a business relationship with a consumer, require only that the consumer provide information reasonably necessary to perform the transaction, establish the relationship, administer or maintain the business relationship, collect or service a debt, protect against fraud or unauthorized transactions, or comply with applicable law. Any optional information must be specified as such, and the consumer must be given the option not to provide it.

NEW SECTION. Sec. 4. CONSUMER PRIVACY POLICIES. (1) An information custodian must have a consumer privacy policy that discloses to existing and prospective consumers the policies and practices of the information custodian regarding the use of consumer personal information and sensitive information acquired or possessed by the information custodian. Entities that maintain data containing personal information or sensitive information but do not sell, share, or otherwise transfer the data, are not required to have a privacy policy.

(2) The consumer privacy policy, at a minimum, must summarize the information custodian's responsibilities under this chapter and describe the consumer's rights and remedies under it, and generally describe with whom the consumer's personal and sensitive information will be shared or to whom it will be sold or transferred. This general description must disclose either the names of those with which the information is shared, sold, or transferred or a reasonable description of the nature of each entity's business, with which information is shared, sold, or transferred.

(3) The consumer privacy policy must also provide a reasonable means for consumers to review their personal information that the information custodian shares, sells, or transfers to nonaffiliates for marketing purposes and that is retrievable in the ordinary course of business. The policy must also provide a reasonable process for consumers to dispute the accuracy or completeness of the information.

(4) An information custodian must provide a disclosure of its consumer privacy policy to customers about whom it has names and addresses or other means of contact:

(a) Within a reasonable period of time after the information custodian obtains the names and addresses or other means of contact;

(b) Not less than annually after that to a customer whose personal or sensitive information the information custodian, within the twelve-month period before the date of the provision of the policy, has sold, shared, or transferred to a nonaffiliate other than under the circumstances described in section 5(3) or 7(3) of this act, for a customer requested purpose, or for a functional business purpose; and

(5) An information custodian that is not a financial institution must disclose its consumer privacy policy, and any material changes that are made to the policy or the information custodian's business structure, clearly and conspicuously in writing, through means reasonably calculated to inform new customers of the policy's provisions or material changes that are made to the policy or the information custodian's business structure.

(6) If the information custodian sells or offers products, goods, or services online, the privacy policy must be disclosed on the effective date of this section, on a continuing basis, clearly and conspicuously, on a web page that is directly and prominently linked to the information custodian's website.

(7) The consumer privacy policy must be readily available for review at the information custodian's place of business.

(8) An information custodian that is a financial institution is deemed to have complied with the requirements of this section and section 5(1)(a) of this act if it provides the disclosures required by subsections (1), (2), and (3) of this section and section 5(1)(a) of this act together with the disclosures provided in compliance with section 503 of Public Law 106-102 (the Gramm-Leach-Bliley Act).

(9) If an information custodian's business relationship is with multiple parties who are named in a common account or insurance policy, the information custodian satisfies the requirements of this section by making the required disclosures to the first-named account holder or legal representative on the signature card, contract, or other evidence of the account, or the first-named insured on the insurance policy, binder, or other evidence of insurance.

NEW SECTION. Sec. 5. PERSONAL INFORMATION‑-CONSUMER CONTROL. (1) An information custodian may share, sell, or otherwise transfer personal information to a nonaffiliate for purposes other than consumer-requested purposes, functional business purposes, or under the circumstances described in section 5(3) or 7(3) of this act, only if it has clearly and conspicuously disclosed to the consumer the following information in plain language:

(a) That the consumer has the right to choose not to have his or her personal information shared, sold, or otherwise transferred to a nonaffiliate for purposes other than consumer-requested purposes, functional business purposes, or under the circumstances described in section 5(3) or 7(3) of this act. The disclosure must be made at the time the consumer privacy policy is provided to the customer under section 4 of this act.

(b) That the consumer may choose not to have his or her personal information shared, sold, or transferred to a nonaffiliate for other than consumer-requested purposes, functional business purposes, or under the circumstances described in section 5(3) or 7(3) of this act, by exercising his or her choice through a de minimus cost method the information custodian has established.

(2) If, under this section, a consumer chooses not to have his or her personal information shared, sold, or otherwise transferred under subsection (1) of this section, the information custodian must stop sharing, selling, or otherwise transferring the consumer's personal information to a nonaffiliate as directed by the consumer within ninety days of receiving the consumer's notice. Once a consumer has exercised his or her right under this section, an information custodian may not share, sell, or otherwise transfer the information to a nonaffiliate for purposes other than consumer-requested purposes, functional business purposes, or under the circumstances described in section 5(3) or 7(3) of this act, until the consumer notifies the entity that he or she has chosen to have his or her personal information shared, sold, or otherwise transferred under subsection (1) of this section.

(3) This section does not apply to disclosure of personal information under the following circumstances:

(a) Disclosure to or at the direction or with the consent of the consumer upon his or her request. Proper identification may be required;

(b) Disclosure required by federal, state, or local law or regulation, rules, and other applicable legal requirements;

(c) Disclosure made in the course of a properly authorized civil, criminal, or regulatory examination or investigation or under a search warrant, court order, or subpoena, including an administrative subpoena or other legal process;

(d) Disclosure to a nonaffiliate for the purpose of collecting a debt or dishonored item. However, the recipient of the information is subject to section 9 of this act;

(e) Disclosure to protect the confidentiality or security of the information custodian's records;

(f) Disclosure to protect against, investigate, or prevent actual or potential fraud, unauthorized transactions, claims, or other liability or to verify information provided by a consumer in connection with a claim or application for services or benefits;

(g) Disclosure as part of a risk control program required by or subject to examination by regulators;

(h) Disclosure by or to a consumer reporting agency as specifically permitted under the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.). However, the information custodian shall inform the recipient that the information is subject to section 9 of this act;

(i) Disclosure for purposes of a proposed or actual securitization, secondary market sale (including sales of service rights), or similar transaction;

(j) Disclosure to persons holding a legal or beneficial interest relating to the consumer;

(k) Disclosure in order to provide information to insurance rate, claim, or underwriting advisory organizations, guaranty funds or agencies, applicable rating agencies of the information custodian, persons assessing the information custodian's compliance with industry standards, and the information custodian's attorneys, accountants, and auditors;

(l) Disclosure in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit or an insurance agent's book of business or interest in real property if the disclosure of information concerns solely consumers of the business or unit or consumers with a right to occupy the real property;

(m) Disclosure to a federal, state, or local agency as required by that agency to fulfill its legal obligations on behalf of a consumer;

(n) Disclosure of health care information in compliance with state and federal law;

(o) Disclosure between licensees or franchisees and their licensors or franchisors, when (i) such licensees or franchisees market, sell, or lease products, goods, or services in a retail setting at a common physical address with the licensor or franchisor; (ii) have common data processing functions with the licensor or franchisor; and (iii) advertise, market, or sell products, goods, or services marked or otherwise directly identified with the franchisor's or licensor's name or distinctive brand. However, the recipient of the information is subject to section 9 of this act;

(p) Disclosure of information between entities of a reciprocal insurer as defined in RCW 48.10.010 and 48.10.020;

(q) Disclosure to maintain or service a consumer's private label or affinity credit card account. However, the recipient of the information is subject to section 9 of this act;

(r) Disclosure by an entity or person to the public related to the gathering, publishing, disseminating, or circulating of news or matters of public interest or concern;

(s) Disclosure to or by a multiple listing service, real estate licensee, or real estate appraiser as defined in chapters 18.85 and 18.140 RCW for the purposes of comparative market analyses, price opinions, or appraisals.

NEW SECTION. Sec. 6. MARKETING-CONSUMER CONTROL. (1)(a) A marketer may use personal or sensitive information for marketing purposes only if it has clearly and conspicuously disclosed in plain language to the consumer that the consumer has the right to choose not to receive marketing information from the marketer or its affiliates with which it has shared information and may choose not to receive marketing information by exercising his or her choice through a de minimus cost method provided by the marketer. These disclosures must be made in at least one of the following manners:

(i) In all marketing information, in whatever medium the marketing information is sent;

(ii) In the privacy policy provided to the consumer under section 4 of this act, if the marketer is an information custodian;

(iii) In a separate disclosure document or page, provided to the consumer with the first marketing information sent to the consumer, and thereafter annually. If the disclosure is made on a web page, it must be made clearly and conspicuously on the same page as the marketing information or on a separate page that is directly and prominently linked to the marketing information;

(iv) In each of its places of retail business, if the marketer is a retailer whose primary sale or lease of products, goods, or services is from its places of retail business, and the disclosure must be posted clearly and conspicuously, in plain language.

(b) The marketer must maintain adequate and reasonable access to the de minimus cost method it has established for consumers who choose not to receive marketing information.

(2) If, under this section, a consumer chooses not to receive marketing information, the marketer and its affiliates with which it shares personal or sensitive information must stop marketing to the consumer within ninety days of receiving the consumer's notice. Once a consumer has chosen not to receive marketing information, a marketer and its affiliates with which it shares personal or sensitive information may not market to the consumer until the consumer notifies the marketer that he or she has chosen to receive marketing information.

(3) A small business, as defined in RCW 19.85.020, that is not an information custodian, that markets solely to its existing customers or that markets to consumers whose personal information was obtained from an information custodian, is not subject to subsection (1) of this section.

(4) A marketer may disclose personal information to another entity to perform services or functions on behalf of the marketer, as part of the marketer's marketing of its own products, goods, or services. However, the personal information that is disclosed is subject to section 9 of this act.

NEW SECTION. Sec. 7. SENSITIVE INFORMATION‑-CONSUMER CONTROL. (1) An information custodian may not disclose sensitive information to a nonaffiliate for purposes other than consumer-requested purposes, functional business purposes, or under the circumstances described in section 5(3) or 7(3) of this act unless the consumer has received written notification of the following:

(a) The information to be disclosed;

(b) The entity or entities authorized to receive the disclosure of information; and

(2) An information custodian may not disclose sensitive information to a nonaffiliate for purposes other than consumer-requested purposes, functional business purposes, or under circumstances described in section 5(3) or 7(3) of this act unless the consumer, upon notice as provided in this section and affirmative consent, authorizes the disclosure of the sensitive information sought to be disclosed, in a written statement dated and expressly accepted by the consumer that is separate and distinct from any other document, and that contains a description of the information sought to be disclosed and the purpose for which the information will be disclosed. If the written statement is made online, it must be on a separate web page.

(3) This section does not apply to disclosure of sensitive information under the following circumstances:

(a) Disclosure to or at the direction or with the consent of the consumer upon his or her request. Proper identification may be required;

(b) Disclosure required by federal, state, or local law or regulation, rules, and other applicable legal requirements;

(d) Disclosure to a nonaffiliate for the purpose of collecting a debt or a dishonored item. However, the recipient of the information is subject to section 9 of this act;

(e) Disclosure to protect the confidentiality or security of the information custodian's records;

(f) Disclosure to protect against, investigate, or prevent actual or potential fraud or unauthorized transactions, claims, or other liability or to verify information provided by a consumer in connection with a claim or application for services or benefits;

(g) Disclosure as part of a risk control program required by or subject to examination by regulators;

(i) Disclosure of sensitive information which is prohibited from disclosure by section 502(d) of Public Law 106-102 (the Gramm-Leach-Bliley Act of 1999);

(j) Disclosure for purposes of a proposed or actual securitization, secondary market sale (including sales service rights), or similar transactions related to a consumer-requested purpose;

(k) Disclosure to persons holding a legal or beneficial interest relating to the consumer;

(l) Disclosure in order to provide information to insurance rate, claim, or underwriting advisory organizations, guaranty funds or agencies, applicable rating agencies of the information custodian, persons assessing the information custodian's compliance with industry standards, and the information custodian's attorneys, accountants, and auditors;

(m) Disclosure in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit or an insurance agent's book of business or interest in real property if the disclosure of information concerns solely consumers of the business or unit or consumers with the right to occupy the real property;

(n) Disclosure of health care information in compliance with state and federal law;

(o) Disclosure to a federal, state, or local agency as required by that agency to fulfill its legal obligations on behalf of a consumer;

(p) Disclosure between licensees or franchisees and their licensors or franchisors, when (i) such licensees or franchisees market, sell, or lease products, goods, or services in a retail setting at a common physical address with the licensor or franchisor; (ii) have common data processing functions with the licensor or franchisor; and (iii) advertise, market, or sell products, goods, or services marked or otherwise directly identified with the franchisor's or licensor's name or distinctive brand. However, the recipient of the information is subject to section 9 of this act;

(q) Disclosure of information between entities of a reciprocal insurer as defined in RCW 48.10.010 and 48.10.020;

(r) Disclosure to maintain or service a consumer's private label or affinity credit card account. However, the recipient of the information is subject to section 9 of this act;

(s) Disclosure by an entity or person to the public related to the gathering, publishing, disseminating, or circulating of news or matters of public interest or concern.

NEW SECTION. Sec. 8. An information custodian shall not disclose, to a nonaffiliate, other than for a functional business purpose or a consumer-requested purpose, sensitive information for use in marketing to the consumer.

NEW SECTION. Sec. 9. CONFIDENTIALITY AND SECURITY OF INFORMATION. (1) Nonaffiliates that obtain personal information or sensitive information from information custodians, other than those who receive driver's license numbers in connection with the offering or maintenance of an insurance policy, must: (a) Not sell, share, or otherwise transfer the information for any reason other than the allowed purposes for which the information was sold, shared, or transferred by the information custodian or under circumstances described in those subsections of sections 5(3) or 7(3) of this act to which this section is not expressly subject; (b) keep the information confidential; and (c) safeguard the information from loss, misuse, theft, unauthorized access, disclosure, defacement, or alteration.

(2) An information custodian, before sharing, selling, or otherwise transferring personal information or sensitive information, must obtain an agreement from the intended recipient providing for the following:

(a) To keep the information confidential;

(b) To use the information only for the allowed purposes for which it has been shared, sold, or provided, or under circumstances described in those subsections of sections 5(3) or 7(3) of this act to which this section is not expressly subject; and

(3) Every information custodian must establish reasonable safeguards to ensure the confidentiality and safety of personal information and sensitive information and to protect them from loss, misuse, theft, unauthorized access, disclosure, defacement, or alteration.

NEW SECTION. Sec. 10. ACTIONS OR TRANSACTIONS BY COMPETITIVE TELECOMMUNICATIONS COMPANIES. The actions or transactions of information custodians or marketers who are classified as competitive telecommunications companies under RCW 80.36.320 or who are telecommunications companies providing competitive telecommunications services are subject to this chapter and the Consumer Protection Act.

NEW SECTION. Sec. 11. VIOLATION AN UNFAIR OR DECEPTIVE ACT. (1) Unfair and deceptive invasion of privacy rights is not reasonable in relation to the development and preservation of business. The legislature finds that the practices covered by this chapter are matters vitally affecting the public interest for the purpose of applying the Consumer Protection Act, chapter 19.86 RCW. A violation of this chapter is an unfair or deceptive act in trade or commerce for the purpose of applying the Consumer Protection Act, chapter 19.86 RCW.

(2) In any action for a violation of this chapter, with the exception of section 7 of this act, an information custodian or marketer may raise as a defense that the violation was not intentional and was the result of a bona fide error. This defense must be proved by a preponderance of the evidence. Examples of a bona fide error include clerical, calculation, computer malfunction and programming, and printing errors.

(3) Damages to a person who has been the victim of a violation of sections 5, 7, 8, or 9(1) of this act are five hundred dollars, or actual damages, whichever is greater. A court may increase the award of damages in an amount not more than three times the actual damages sustained, or one thousand five hundred dollars, whichever is greater, upon a showing by a preponderance of the evidence that a violation of the chapter was willful.

(4) Damages to a person who has been the victim of a violation of section 3, 4, 6, or 9 (2) or (3) of this act are actual damages. However, a court may increase the award up to five hundred dollars upon a showing that the violation was willful, intentional, or part of a pattern of repeated violations.

(5) In the case of a class action for a violation of this act, the total recovery of statutory damages in any class action arising out of the same failure to comply may not be more than the lesser of one million dollars or one percent of the net worth of the defendant. There is no limit on the recovery of actual damages.

(6) Nothing in this section limits the authority of the attorney general to enforce this chapter, or seek full recovery of both statutory and actual damages.

(7) The remedies provided for a violation of this chapter are exclusive of the remedies provided for a violation of chapter 9.35 RCW. No violation of this chapter is an unlawful activity under RCW 9.35.020(2) or under RCW 9.35.010.

NEW SECTION. Sec. 12. FILING ACTION‑-CONSEQUENCES. Filing an action for a violation of this chapter constitutes a certificate that to the best of the plaintiff's knowledge, information, and belief, formed after reasonable inquiry, it is well grounded in fact and is warranted by existing law or a good faith extension or reversal of existing law, and that it is not brought for any improper purpose, such as to harass or create a nuisance. If an action is filed in violation of this section, the court, upon motion or upon its own initiative, may impose upon the plaintiff an appropriate sanction, that may include an order to pay to the other party or parties the amount of the reasonable expenses incurred because of the filing of the action, including a reasonable attorney's fee.

NEW SECTION. Sec. 13. FEDERAL INVALIDITY--ANTITRUST LAWS. If the responsible federal chartering authority, under applicable federal law, or if a court of competent jurisdiction declares that any provision of this chapter is invalid with respect to any financial institution, the provision is also invalid, to the same extent, with respect to financial institutions chartered under the laws of the state of Washington and to host branches of out-of-state financial institutions. The director of the department of financial institutions may, from time to time, publish provisions of state laws that have been found invalidated under federal law and procedures. This section does not impair in any manner the authority of the state attorney general to enforce antitrust laws applicable to financial institutions or their affiliates.

NEW SECTION. Sec. 14. REMEDIES NONEXCLUSIVE. Nothing in this chapter in any way limits, replaces, or diminishes the protections and remedies afforded by the Domestic Violence Prevention Act, chapter 26.50 RCW, or any other act intended to protect the privacy and safety of residents of this state.

NEW SECTION. Sec. 15. A new section is added to chapter 9.35 RCW to read as follows:

DEFINITIONS. As used in this chapter, unless the context clearly requires otherwise:

(1) "Financial information" means, to the extent it is nonpublic, any of the following information identifiable to the individual that concerns the amount and conditions of an individual's assets, liabilities, or credit:

(a) Account numbers and balances;

(b) Transactional information concerning an account; and

(c) Codes, passwords, social security numbers, tax identification numbers, driver's license or permit numbers, state identicard numbers issued by the department of licensing, and other information held for the purpose of account access or transaction initiation.

(2) "Financial information repository" means a person engaged in the business of providing services to customers who have a credit, deposit, trust, stock, or other financial account or relationship with the person.

(3) "Means of identification" means information or an item that is not describing finances or credit but is personal to or identifiable with an individual or other person, including a current or former name of the person, telephone number, and electronic address or identifier of the individual or a member of his or her family, including the ancestor of the person; information relating to a change in name, address, telephone number, or electronic address or identifier of the individual or his or her family; a social security, driver's license, or tax identification number of the individual or a member of his or her family; and other information that could be used to identify the person, including unique biometric data.

(4) "Person" means an individual, partnership, corporation, or association.

(5) "Victim" means a person whose means of identification has been used or transferred with the intent to commit, or to aid or abet, an unlawful activity harming or intending to harm the person whose identity is used, or to commit a felony.

NEW SECTION. Sec. 16. A new section is added to chapter 9.35 RCW to read as follows:

INFORMATION AVAILABLE TO VICTIM. (1) A person, financial information repository, corporation, trust, partnership, or unincorporated association possessing information relating to an actual or potential violation of this chapter, and who may have entered into a transaction, provided credit, products, goods, or services, accepted payment, or otherwise done business with a person who has used the victim's means of identification, must, upon request of the victim, provide copies of all information relevant to the potential or actual violation of this chapter.

(2) Before providing the information required under subsection (1) of this section, the provider may require the victim to provide positive identification of the victim and a copy of a police report evidencing the victim's claim. The provider may require reasonable compensation for the reasonable cost of providing the information requested.

(3) No person, financial information repository, corporation, trust, partnership, or unincorporated association may be held liable for an action voluntarily taken in good faith to provide information regarding potential or actual violations of this chapter to other financial information repositories, merchants, law enforcement authorities, the victim, or any person alleging to be a victim who provides positive identification and a copy of a police report evidencing the alleged victim's claim for the purpose of identification and prosecution of violators of this chapter, or to assist a victim in recovery of fines, restitution, rehabilitation of the victim's credit, or such other relief as may be appropriate.

Sec. 17. RCW 19.16.250 and 1983 c 107 s 1 are each amended to read as follows:

No licensee or employee of a licensee shall:

(1) Directly or indirectly aid or abet any unlicensed person to engage in business as a collection agency in this state or receive compensation from such unlicensed person: PROVIDED, That nothing in this chapter shall prevent a licensee from accepting, as forwardee, claims for collection from a collection agency or attorney whose place of business is outside the state.

(2) Collect or attempt to collect a claim by the use of any means contrary to the postal laws and regulations of the United States postal department.

(3) Publish or post or cause to be published or posted, any list of debtors commonly known as "bad debt lists" or threaten to do so. For purposes of this chapter, a "bad debt list" means any list of natural persons alleged to fail to honor their lawful debts. However, nothing herein shall be construed to prohibit a licensee from communicating to its customers or clients by means of a coded list, the existence of a check dishonored because of insufficient funds, not sufficient funds or closed account by the financial institution servicing the debtor's checking account: PROVIDED, That the debtor's identity is not readily apparent: PROVIDED FURTHER, That the licensee complies with the requirements of subsection (9)(e) of this section.

(4) Have in his possession or make use of any badge, use a uniform of any law enforcement agency or any simulation thereof, or make any statements which might be construed as indicating an official connection with any federal, state, county, or city law enforcement agency, or any other governmental agency, while engaged in collection agency business.

(5) Perform any act or acts, either directly or indirectly, constituting the practice of law.

(6) Advertise for sale or threaten to advertise for sale any claim as a means of endeavoring to enforce payment thereof or agreeing to do so for the purpose of soliciting claims, except where the licensee has acquired claims as an assignee for the benefit of creditors or where the licensee is acting under court order.

(7) Use any name while engaged in the making of a demand for any claim other than the name set forth on his or its current license issued hereunder.

(8) Give or send to any debtor or cause to be given or sent to any debtor, any notice, letter, message, or form which represents or implies that a claim exists unless it shall indicate in clear and legible type:

(a) The name of the licensee and the city, street, and number at which he is licensed to do business;

(b) The name of the original creditor to whom the debtor owed the claim if such name is known to the licensee or employee: PROVIDED, That upon written request of the debtor, the licensee shall make a reasonable effort to obtain the name of such person and provide this name to the debtor;

(c) If the notice, letter, message, or form is the first notice to the debtor or if the licensee is attempting to collect a different amount than indicated in his or its first notice to the debtor, an itemization of the claim asserted must be made including:

(i) Amount owing on the original obligation at the time it was received by the licensee for collection or by assignment;

(ii) Interest or service charge, collection costs, or late payment charges, if any, added to the original obligation by the original creditor, customer or assignor before it was received by the licensee for collection, if such information is known by the licensee or employee: PROVIDED, That upon written request of the debtor, the licensee shall make a reasonable effort to obtain information on such items and provide this information to the debtor;

(iii) Interest or service charge, if any, added by the licensee or customer or assignor after the obligation was received by the licensee for collection;

(iv) Collection costs, if any, that the licensee is attempting to collect;

(v) Attorneys' fees, if any, that the licensee is attempting to collect on his or its behalf or on the behalf of a customer or assignor;

(vi) Any other charge or fee that the licensee is attempting to collect on his or its own behalf or on the behalf of a customer or assignor.

(9) Communicate or threaten to communicate, the existence of a claim to a person other than one who might be reasonably expected to be liable on the claim in any manner other than through proper legal action, process, or proceedings except under the following conditions:

(a) A licensee or employee of a licensee may inform a credit reporting bureau of the existence of a claim: PROVIDED, That if the licensee or employee of a licensee reports a claim to a credit reporting bureau, the licensee shall upon receipt of written notice from the debtor that any part of the claim is disputed, forward a copy of such written notice to the credit reporting bureau;

(b) A licensee or employee in collecting or attempting to collect a claim may communicate the existence of a claim to a debtor's employer if the claim has been reduced to a judgment;

(c) A licensee or employee in collecting or attempting to collect a claim that has not been reduced to judgment, may communicate the existence of a claim to a debtor's employer if:

(i) The licensee or employee has notified or attempted to notify the debtor in writing at his last known address or place of employment concerning the claim and the debtor after a reasonable time has failed to pay the claim or has failed to agree to make payments on the claim in a manner acceptable to the licensee, and

(ii) The debtor has not in writing to the licensee disputed any part of the claim: PROVIDED, That the licensee or employee may only communicate the existence of a claim which has not been reduced to judgment to the debtor's employer once unless the debtor's employer has agreed to additional communications.

(d) A licensee may for the purpose of locating the debtor or locating assets of the debtor communicate the existence of a claim to any person who might reasonably be expected to have knowledge of the whereabouts of a debtor or the location of assets of the debtor if the claim is reduced to judgment, or if not reduced to judgment, when:

(i) The licensee or employee has notified or attempted to notify the debtor in writing at his last known address or last known place of employment concerning the claim and the debtor after a reasonable time has failed to pay the claim or has failed to agree to make payments on the claim in a manner acceptable to the licensee, and

(ii) The debtor has not in writing disputed any part of the claim.

(e) A licensee may communicate the existence of a claim to its customers or clients if the claim is reduced to judgment, or if not reduced to judgment, when:

(i) The licensee has notified or attempted to notify the debtor in writing at his last known address or last known place of employment concerning the claim and the debtor after a reasonable time has failed to pay the claim or has failed to agree to make payments on the claim in a manner acceptable to the licensee, and

(ii) The debtor has not in writing disputed any part of the claim.

(10) Threaten the debtor with impairment of his credit rating if a claim is not paid.

(11) Communicate with the debtor after notification in writing from an attorney representing such debtor that all further communications relative to a claim should be addressed to the attorney: PROVIDED, That if a licensee requests in writing information from an attorney regarding such claim and the attorney does not respond within a reasonable time, the licensee may communicate directly with the debtor until he or it again receives notification in writing that an attorney is representing the debtor.

(12) Communicate with a debtor or anyone else in such a manner as to harass, intimidate, threaten, or embarrass a debtor, including but not limited to communication at an unreasonable hour, with unreasonable frequency, by threats of force or violence, by threats of criminal prosecution, and by use of offensive language. A communication shall be presumed to have been made for the purposes of harassment if:

(a) It is made with a debtor or spouse in any form, manner, or place, more than three times in a single week;

(b) It is made with a debtor at his or her place of employment more than one time in a single week;

(13) Communicate with the debtor through use of forms or instruments that simulate the form or appearance of judicial process, the form or appearance of government documents, or the simulation of a form or appearance of a telegraphic or emergency message.

(14) Communicate with the debtor and represent or imply that the existing obligation of the debtor may be or has been increased by the addition of attorney fees, investigation fees, service fees, or any other fees or charges when in fact such fees or charges may not legally be added to the existing obligation of such debtor.

(15) Threaten to take any action against the debtor which the licensee cannot legally take at the time the threat is made.

(16) Send any telegram or make any telephone calls to a debtor or concerning a debt or for the purpose of demanding payment of a claim or seeking information about a debtor, for which the charges are payable by the addressee or by the person to whom the call is made.

(17) In any manner convey the impression that the licensee is vouched for, bonded to or by, or is an instrumentality of the state of Washington or any agency or department thereof.

(18) Collect or attempt to collect in addition to the principal amount of a claim any sum other than allowable interest, collection costs or handling fees expressly authorized by statute, and, in the case of suit, attorney's fees and taxable court costs.

(19) Procure from a debtor or collect or attempt to collect on any written note, contract, stipulation, promise or acknowledgment under which a debtor may be required to pay any sum other than principal, allowable interest, and, in the case of suit, attorney's fees and taxable court costs.

(20) Upon notification by a debtor, that a police report has been filed indicating that the debtor's checkbook or other series of preprinted written instruments has been stolen, and upon receipt of a copy of the report, fail to accept one single writing from the debtor that identifies the numbers of the checks, the bank, and account number, that disputes creditors' claims for the identified checks or written instruments and that includes a copy of the debtor's driver's license or other document containing the debtor's signature that was executed before the date of claim identified in the police report. If more than one collection agency is attempting collection on individual checks or written instruments that are part of the series, each collection agency may request a single writing from the debtor that disputes creditors' claims for the entire checkbook or series. Once a single writing has been received, the collection agency must not, except in the context of a judicial or administrative proceeding, contact the debtor orally within the one hundred eighty-day period after receipt of the writing to require additional proof, explanation, or evidence from the debtor disputing creditors' claims regarding the enumerated checks or other written instruments in the same series or lot and must consider the single writing as a dispute to all creditors' claims arising from use of the enumerated checks or other series of instruments.

Sec. 18. RCW 9.35.010 and 1999 c 368 s 2 are each amended to read as follows:

(1) No person may obtain or attempt to obtain, or cause to be disclosed or attempt to cause to be disclosed to any person, financial information from a financial information repository:

(a) By knowingly making a false, fictitious, or fraudulent statement or representation to an officer, employee, or agent of a financial information repository with the intent to deceive the officer, employee, or agent into relying on that statement or representation for purposes of releasing the financial information;

(b) By knowingly making a false, fictitious, or fraudulent statement or representation to a customer of a financial information repository with the intent to deceive the customer into releasing financial information or authorizing the release of such information;

(c) By knowingly providing any document to an officer, employee, or agent of a financial information repository, knowing that the document is forged, counterfeit, lost, or stolen; was fraudulently obtained; or contains a false, fictitious, or fraudulent statement or representation, if the document is provided with the intent to deceive the officer, employee, or agent to release the financial information.

(2) No person may request another person to obtain financial information from a financial information repository and knows or should have known that the person will obtain or attempt to obtain the information from the financial institution repository in any manner described in subsection (1) of this section.

(3) ((~~As used in this section, unless the context clearly requires otherwise:~~

(a) "Financial information" means, to the extent it is nonpublic, any of the following information identifiable to the individual that concerns the amount and conditions of an individual's assets, liabilities, or credit:

~~(i) Account numbers and balances;~~

~~(ii) Transactional information concerning any account; and~~

(iii) Codes, passwords, social security numbers, tax identification numbers, driver's license or permit numbers, state identicard numbers issued by the department of licensing, and other information held for the purpose of account access or transaction initiation.

(b) "Financial information repository" means any person engaged in the business of providing services to customers who have a credit, deposit, trust, stock, or other financial account or relationship with the person.

~~(c) "Person" means an individual, partnership, corporation, or association.~~

~~(4)~~)) No provision of this section shall be construed so as to prevent any action by a law enforcement agency, or any officer, employee, or agent of such agency, or any action of an agent of the financial information repository when working in conjunction with a law enforcement agency.

((~~(5)~~)) (4) This section does not apply to:

(a) Efforts by the financial information repository to test security procedures or systems of the financial institution repository for maintaining the confidentiality of customer information;

(b) Investigation of alleged employee misconduct or negligence; or

(c) Efforts to recover financial or personal information of the financial institution obtained or received by another person in any manner described in subsection (1) or (2) of this section.

((~~(6)~~)) (5) Violation of this section is a class C felony.

((~~(7)~~)) (6) A person ((~~that [who]~~)) who violates this section is liable for five hundred dollars or actual damages, whichever is greater, and reasonable attorneys' fees. If the person violating this section is a business that repeatedly violates this section, that person also violates the Consumer Protection Act, chapter 19.86 RCW.

Sec. 19. RCW 9.35.020 and 1999 c 368 s 3 are each amended to read as follows:

(1) No person may knowingly use or knowingly transfer a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity harming or intending to harm the person whose identity is used, or for committing any felony.

(2) ((For purposes of this section, "means of identification" means any information or item that is not describing finances or credit but is personal to or identifiable with any individual or other person, including any current or former name of the person, telephone number, and electronic address or identifier of the individual or any member of his or her family, including the ancestor of such person; any information relating to a change in name, address, telephone number, or electronic address or identifier of the individual or his or her family; any social security, driver's license, or tax identification number of the individual or any member of his or her family; and other information which could be used to identify the person, including unique biometric data.

~~(3)~~)) Violation of this section is a class C felony.

((~~(4)~~)) (3) A person ((~~that [who]~~)) who violates this section is liable for five hundred dollars or actual damages, including costs to repair the person's credit record, whichever is greater, and reasonable attorneys' fees. If the person violating this section is a business that repeatedly violates this section, that person also violates the Consumer Protection Act, chapter 19.86 RCW.

NEW SECTION. Sec. 20. (1) The attorney general, in consultation with representatives from individual consumers, public interest organizations, financial institutions, retailers, online services, the legislature, and other interested parties shall:

(a) Examine information-sharing practices among information custodians and their affiliates;

(b) Develop a model privacy policy disclosure to conform with the disclosure requirements of sections 4, 5, 6, and 7 of this act;

(c) Present recommendations on affiliate sharing and model privacy policies to the legislature at the start of the regular session held in 2001.

(2) The senate committee on commerce, trade, housing and financial institutions and the house of representatives committee on financial institutions and insurance shall conduct a joint review of the practices of entities that collect and sell personal and sensitive information obtained from the records maintained by government agencies and nonprofit entities.

NEW SECTION. Sec. 21. Sections 1 through 14 of this act constitute a new chapter in Title 19 RCW.

NEW SECTION. Sec. 22. Section captions used in sections 1 through 16 of this act are not part of the law.

NEW SECTION. Sec. 23. If any provision of this act or its application to any person or circumstance is held invalid, the remainder of the act or the application of the provision to other persons or circumstances is not affected.

NEW SECTION. Sec. 24. Sections 1 through 14 of this act take effect June 1, 2001.