Z-1181.1  _______________________________________________

 

                         SENATE BILL 6513

          _______________________________________________

 

State of Washington      56th Legislature     2000 Regular Session

 

By Senators Prentice, McCaslin, Kline, Gardner, Winsley, Kohl‑Welles, Spanel and Costa; by request of Attorney General

 

Read first time 01/18/2000.  Referred to Committee on Commerce, Trade, Housing & Financial Institutions.

Protecting privacy of personal information in commercial transactions.


    AN ACT Relating to the privacy of personal information in commercial transactions involving financial institutions and others who maintain and transfer information; amending RCW 19.16.250; adding a new section to chapter 9.35 RCW; adding a new chapter to Title 19 RCW; creating a new section; and prescribing penalties.

 

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF WASHINGTON:

 

    NEW SECTION.  Sec. 1.  INTENT.  (1) The legislature finds that every entity has an affirmative and continuing obligation to respect the privacy of its consumers and to protect the security and confidentiality of consumers.  The legislature finds that Washington's citizens have a right to privacy and a reasonable expectation that the personal information that they provide in commercial transactions with financial institutions and others who maintain and transfer information will be kept private and confidential.  The legislature finds that there is no existing uniform law that creates an appropriate standard of conduct for disclosure of consumers' personal information and that Washington's citizens need additional statutory protection from fraud, deception, nuisance, invasion of privacy, and breach of confidentiality related to the disclosure of personal information.  The legislature intends to ensure that entities and consumers work cooperatively to protect consumer information and enforce sanctions when violations occur.

    (2) The legislature finds that the disclosure of personal information has caused specific significant harms to Washington consumers, including the inability to rectify erroneous information disclosed to others; charging consumers' credit cards or debiting their accounts without authorization; subjecting consumers to fraudulent, misleading, or deceptive telephone, direct mail, or Internet solicitations; subjecting consumers to intimidation, intrusion, harassment, and nuisance; undue embarrassment or ridicule; misappropriation of sensitive information for the purpose of assuming a consumer's identity; and invasion of privacy.

    (3) The legislature finds that the dissemination of certain sensitive information causes a great risk of harm to the consumer, that it should be given a greater level of protection under the law, and that requiring consumer authorization to disseminate such sensitive information best balances the benefits and harms of disclosure.

    (4) The legislature finds that the flow of less sensitive personal information has resulted in a number of increased market efficiencies that are beneficial to consumers.  These include more rapid credit transactions and check verifications, as well as an increased number of choices for products and services.  The legislature finds that these benefits can be maintained by giving consumers the opportunity to choose whether their less sensitive information will be shared.  The legislature finds that giving consumers this choice best balances the benefits and harms of disclosure of such information.

    (5) The legislature finds that the incidence of identity theft is rapidly growing, and that victims of identity theft need further assistance in obtaining the information necessary to the prosecution of their cases.  The legislature finds that requiring additional information sharing by merchants with victims will result in greater protections for consumers and deter potential perpetrators.

 

    NEW SECTION.  Sec. 2.  DEFINITIONS.  Unless the context clearly requires otherwise, the definitions in this section apply throughout this chapter.

    (1) "Affiliate" means an entity that controls, is controlled by, or is under common control or common ownership with another entity.

    (2) "Consumer" or "customer" means a natural person who purchases, leases, or otherwise contracts for goods or services that are primarily used for personal, family, or household purposes.

    (3) "Consumer-requested purpose" means that the consumer has requested the information custodian to establish a business relationship, complete a transaction, or provide a product or service.

    (4) "Information custodian" means all entities that maintain data containing personal information or sensitive information and that sell, share, or otherwise transfer the information to others, including affiliates or nonaffiliates, for purposes other than customer-requested purposes, or that use the information to engage in marketing.

    (5) "Marketing" or "marketing information" means a promotion, solicitation, or advertisement made through written, telephonic, electronic, or other means, offering goods or services, that is directed to a specific named individual, and that is separate from a billing, promotion, solicitation, or advertisement directed to all or substantially all of an information custodian's customers for sale of its own goods or services.

    (6) "Personal information" means information that is provided by the consumer in a commercial context, and is identifiable to the individual consumer, that concerns the amount or condition of the consumer's assets, liabilities, financial transactions, purchasing history, buying preferences, business relationships, account existence or status, customer status, demographic information, name, address, telephone number, or electronic mail address.

    (7) "Sensitive information" means information obtained in a commercial context, including account numbers, access codes or passwords, current or historical account balances, purchase amounts, information gathered for account security purposes, tax identification numbers, social security numbers, driver's license or permit numbers, state identicard numbers issued by the department of licensing, credit card numbers or expiration dates, or information held for the purpose of account access or transaction initiation.

 

    NEW SECTION.  Sec. 3.  RESTRICTION ON CONSUMER INFORMATION.  An information custodian may, in performing a transaction, providing a service, or establishing a business relationship, require only that the consumer provide information reasonably necessary to perform the transaction, establish the relationship, or administer or maintain the business relationship.  Any optional information must be specified as such, and the consumer must be given the option not to provide it.

 

    NEW SECTION.  Sec. 4.  CONSUMER PRIVACY POLICIES.  (1) An information custodian must have a consumer privacy policy that discloses to existing and prospective consumers the policies and practices of the information custodian regarding the use of consumer personal information and sensitive information acquired or possessed by the information custodian.  Entities that maintain data containing personal information or sensitive information but do not use the data to engage in marketing or do not sell, share, or otherwise transfer the data, are not required to have a privacy policy.

    (2) The consumer privacy policy, at a minimum, must summarize the information custodian's responsibilities under this chapter and describe the consumer's rights and remedies under it, and generally describe with whom the consumer's personal and sensitive information will be shared or to whom it will be sold or transferred.

    (3) The consumer privacy policy must also provide a reasonable means for consumers to access their personal and sensitive information that the information custodian shares, sells, or transfers or uses for marketing purposes.  The policy must also provide a reasonable process to correct inaccurate or incomplete information.

    (4) An information custodian must disclose its consumer privacy policy at least once to each consumer no later than:

    (a) For existing customers on the effective date of this act, within sixty days after the effective date of this act;

    (b) For prospective customers after the effective date of this act, within thirty days after the consumer's initial request for the policy; and

    (c) For all new customers after the effective date of this act, at the time the customer enters into a business relationship with the information custodian.

    (5) An information custodian must disclose its consumer privacy policy on an annual basis to existing customers after the initial disclosure described in subsection (4) of this section, and when material changes are made to the policy.

    (6) The disclosure of the consumer privacy policy must be clearly and conspicuously made in writing, in a document separate from all other documents or pages that are provided to the consumer by the information custodian.

    (7) The consumer privacy policy must be clearly and conspicuously posted on the information custodian's website, if a website exists, and must be readily available for review at the information custodian's place of business.

 

    NEW SECTION.  Sec. 5.  PERSONAL INFORMATION--CONSUMER CONTROL.  (1) An information custodian may share, sell, or otherwise transfer personal information for purposes other than consumer-requested purposes, or may use personal information for marketing purposes, only if it has clearly and conspicuously disclosed to the consumer the following information in plain language:

    (a) That the consumer has the right to choose not to receive marketing information or to have his or her personal information shared, sold, or otherwise transferred for purposes other than consumer-requested purposes.  The disclosure must be made at the time the consumer privacy policy is provided to the customer under section 4 of this act.

    (b) That the consumer may choose not to receive marketing information or have his or her personal information shared, sold, or transferred for other than consumer-requested purposes, by exercising his or her choice through a cost-free method provided by the information custodian.  Disclosure of the existence of the cost-free method must be made at the time the consumer privacy policy is provided to the customer under section 4 of this act.  The information custodian shall maintain adequate and reasonable access for consumers to the cost-free method it has established.

    (2) If, under this section, a consumer chooses:

    (a) Not to receive marketing information, the information custodian must stop marketing to the consumer within sixty days of receiving the consumer's notice.  Once a consumer has chosen to not receive marketing information, an information custodian may not market to the consumer until the consumer notifies the entity that he or she has affirmatively chosen to receive marketing information;

    (b) Not to have his or her personal information shared, sold, or otherwise transferred under subsection (1) of this section, the information custodian must stop sharing, selling, or otherwise transferring the consumer's personal information for purposes other than consumer-requested purposes, within thirty days of receiving the consumer's notice.  Once a consumer has chosen not to have his or her personal information shared, sold, or otherwise transferred, an information custodian may not share, sell, or otherwise transfer the information for purposes other than consumer-requested purposes until the consumer notifies the entity that he or she has chosen to have his or her personal information shared, sold, or otherwise transferred under subsection (1) of this section.

    (3) This section does not apply to disclosure of personal information under the following circumstances:

    (a) Disclosure to the consumer upon his or her request and upon presentation of proper identification;

    (b) Disclosure required by federal, state, or local law or regulation;

    (c) Disclosure made under a search warrant, court order, or subpoena, including an administrative subpoena;

    (d) Use or disclosure of personal information by an information custodian to perform services or functions on behalf of the information custodian in order to fulfill the information custodian's obligation to provide services or products to a consumer for a consumer-requested purpose;

    (e) Disclosure to a third party in the business of debt collection where necessary to collect a debt or check returned for insufficient funds;

    (f) Disclosure to protect against or prevent actual or potential fraud or unauthorized transactions; or

    (g) Disclosure by or to a consumer reporting agency as defined by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.) in a manner that complies with the requirements of that act.

 

    NEW SECTION.  Sec. 6.  SENSITIVE INFORMATION--CONSUMER CONTROL.  (1) An information custodian may not disclose sensitive information to a third party or affiliate for purposes other than consumer-requested purposes unless the consumer has received written notification of the following:

    (a) The information to be disclosed;

    (b) The entity or entities authorized to receive the disclosure of information;

    (c) A specific description of the purpose for which the disclosure of information will be made;

    (d) The expiration date for authorization for use of the information, which date is no more than one year from the date of execution.

    (2) An information custodian may not disclose sensitive information to a third party or affiliate for purposes other than consumer-requested purposes unless the consumer, upon knowledge and affirmative consent, authorizes the disclosure of the sensitive information sought to be disclosed, in a written statement dated and executed by the consumer that is separate and distinct from any other document, and that contains a description of the information sought to be disclosed and the purpose for which the information will be disclosed.

    (3) This section does not apply to disclosure of sensitive information under the following circumstances:

    (a) Disclosure to the consumer upon his or her request and upon presentation of proper identification;

    (b) Disclosure required by federal, state, or local law or regulation;

    (c) Disclosure made under a search warrant, court order, or subpoena, including an administrative subpoena;

    (d) Use or disclosure of sensitive information by an information custodian to perform services or functions on behalf of the information custodian in order to fulfill the information custodian's obligation to provide services or products to a consumer for a consumer-requested purpose;

    (e) Disclosure to a third party in the business of debt collection where necessary to collect a debt or check returned for insufficient funds;

    (f) Disclosure to protect against or prevent actual or potential fraud or unauthorized transactions; and

    (g) Disclosure by or to a consumer reporting agency as defined by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.) in a manner that complies with the requirements of that act.

 

    NEW SECTION.  Sec. 7.  CONFIDENTIALITY AND SECURITY OF INFORMATION.  (1) Third parties or affiliates that obtain personal information or sensitive information from information custodians may not sell, share, or otherwise transfer the information for any reason other than the original purpose for which the information was sold, shared, or transferred to the third party or affiliate.

    (2) An information custodian, before sharing, selling, or otherwise transferring personal information or sensitive information, must obtain a written agreement from the third party or affiliate providing for the following:

    (a) To keep the information confidential;

    (b) To use the information only for the original purpose for which it has been shared, sold, or provided; and

    (c) To safeguard the information from loss, misuse, theft, unauthorized access, disclosure, defacement, or alteration.

    (3) Every information custodian must establish reasonable safeguards to ensure the confidentiality and safety of personal information and sensitive information and to protect them from loss, misuse, theft, unauthorized access, disclosure, defacement, or alteration.

 

    NEW SECTION.  Sec. 8.  VIOLATION AN UNFAIR OR DECEPTIVE ACT.  (1) Unfair and deceptive invasion of privacy rights is not reasonable in relation to the development and preservation of business.  The legislature finds that the practices covered by this chapter are matters vitally affecting the public interest for the purpose of applying the Consumer Protection Act, chapter 19.86 RCW.  A violation of this chapter is an unfair or deceptive act in trade or commerce for the purpose of applying the Consumer Protection Act, chapter 19.86 RCW.

    (2) A person may not bring an action against an information custodian for a violation of section 5(2)(a) of this act unless he or she has notified the information custodian of a violation of the section, in writing, and the information custodian has again violated section 5(2)(a) of this act after having received the notification.

    (3) Damages to a person who has been the victim of a violation of this chapter are five hundred dollars, or actual damages, whichever is greater.  A court may increase the award of damages in an amount not more than three times the actual damages sustained, or one thousand five hundred dollars, whichever is greater, upon a demonstration that a violation of the chapter was willful.

 

    NEW SECTION.  Sec. 9.  A new section is added to chapter 9.35 RCW to read as follows:

    (1) As used in this section, unless the context clearly requires otherwise:

    (a) "Victim of identity theft" or "victim" means a person who has had his or her means of identification taken or personal information or sensitive information used without authorization when the person's means of identification or personal information or sensitive information has been used with the intent to commit, or to aid or abet, an unlawful activity harming or intending to harm the person whose identity is used, or for committing a felony;

    (b) "Personal information" means information that is provided by the consumer in a commercial context, and is identifiable to the individual consumer, that concerns the amount or condition of the consumer's assets, liabilities, financial transactions, purchasing history, buying preferences, business relationships, account existence or status, customer status, demographic information, name, address, telephone number, or electronic mail address;

    (c) "Sensitive information" means information obtained in a commercial context, including account numbers, access codes or passwords, current or historical account balances, purchase amounts, information gathered for account security purposes, tax identification numbers, social security numbers, driver's license or permit numbers, state identicard numbers issued by the department of licensing, credit card numbers or expiration dates, or information held for the purpose of account access or transaction initiation.

    (2) A person, information repository, corporation, trust, partnership, or unincorporated association possessing information relating to an actual or potential violation of this chapter or chapter 19.--- RCW (sections 1 through 8 of this act), and who may have entered into a transaction, provided credit, products, or services, accepted payment, or otherwise done business with a person who has used the victim's means of identification, must, upon request of the victim, provide copies of all information relevant to the potential or actual violation of this chapter or chapter 19.--- RCW (sections 1 through 8 of this act).

    (3) In providing the information required under subsection (2) of this section, the provider may require the victim of identity theft to provide a copy of a police report evidencing the victim's claim.  The provider may also seek reasonable compensation for the actual cost of providing the information requested, and may also require the victim to provide positive identification before providing the information.

    (4) No person, information repository, corporation, trust, partnership, or unincorporated association may be held liable for an action voluntarily taken in good faith to provide information regarding potential or actual violations of this chapter or chapter 19.--- RCW (sections 1 through 8 of this act) to other information repositories, merchants, or law enforcement authorities, for the purpose of identification and prosecution of violators of this chapter or chapter 19.--- RCW (sections 1 through 8 of this act).

 

    Sec. 10.  RCW 19.16.250 and 1983 c 107 s 1 are each amended to read as follows:

    No licensee or employee of a licensee shall:

    (1) Directly or indirectly aid or abet any unlicensed person to engage in business as a collection agency in this state or receive compensation from such unlicensed person:  PROVIDED, That nothing in this chapter shall prevent a licensee from accepting, as forwardee, claims for collection from a collection agency or attorney whose place of business is outside the state.

    (2) Collect or attempt to collect a claim by the use of any means contrary to the postal laws and regulations of the United States postal department.

    (3) Publish or post or cause to be published or posted, any list of debtors commonly known as "bad debt lists" or threaten to do so.  For purposes of this chapter, a "bad debt list" means any list of natural persons alleged to fail to honor their lawful debts.  However, nothing herein shall be construed to prohibit a licensee from communicating to its customers or clients by means of a coded list, the existence of a check dishonored because of insufficient funds, not sufficient funds or closed account by the financial institution servicing the debtor's checking account:  PROVIDED, That the debtor's identity is not readily apparent:  PROVIDED FURTHER, That the licensee complies with the requirements of subsection (9)(e) of this section.

    (4) Have in his possession or make use of any badge, use a uniform of any law enforcement agency or any simulation thereof, or make any statements which might be construed as indicating an official connection with any federal, state, county, or city law enforcement agency, or any other governmental agency, while engaged in collection agency business.

    (5) Perform any act or acts, either directly or indirectly, constituting the practice of law.

    (6) Advertise for sale or threaten to advertise for sale any claim as a means of endeavoring to enforce payment thereof or agreeing to do so for the purpose of soliciting claims, except where the licensee has acquired claims as an assignee for the benefit of creditors or where the licensee is acting under court order.

    (7) Use any name while engaged in the making of a demand for any claim other than the name set forth on his or its current license issued hereunder.

    (8) Give or send to any debtor or cause to be given or sent to any debtor, any notice, letter, message, or form which represents or implies that a claim exists unless it shall indicate in clear and legible type:

    (a) The name of the licensee and the city, street, and number at which he is licensed to do business;

    (b) The name of the original creditor to whom the debtor owed the claim if such name is known to the licensee or employee:  PROVIDED, That upon written request of the debtor, the licensee shall make a reasonable effort to obtain the name of such person and provide this name to the debtor;

    (c) If the notice, letter, message, or form is the first notice to the debtor or if the licensee is attempting to collect a different amount than indicated in his or its first notice to the debtor, an itemization of the claim asserted must be made including:

    (i) Amount owing on the original obligation at the time it was received by the licensee for collection or by assignment;

    (ii) Interest or service charge, collection costs, or late payment charges, if any, added to the original obligation by the original creditor, customer or assignor before it was received by the licensee for collection, if such information is known by the licensee or employee:  PROVIDED, That upon written request of the debtor, the licensee shall make a reasonable effort to obtain information on such items and provide this information to the debtor;

    (iii) Interest or service charge, if any, added by the licensee or customer or assignor after the obligation was received by the licensee for collection;

    (iv) Collection costs, if any, that the licensee is attempting to collect;

    (v) Attorneys' fees, if any, that the licensee is attempting to collect on his or its behalf or on the behalf of a customer or assignor;

    (vi) Any other charge or fee that the licensee is attempting to collect on his or its own behalf or on the behalf of a customer or assignor.

    (9) Communicate or threaten to communicate, the existence of a claim to a person other than one who might be reasonably expected to be liable on the claim in any manner other than through proper legal action, process, or proceedings except under the following conditions:

    (a) A licensee or employee of a licensee may inform a credit reporting bureau of the existence of a claim:  PROVIDED, That if the licensee or employee of a licensee reports a claim to a credit reporting bureau, the licensee shall upon receipt of written notice from the debtor that any part of the claim is disputed, forward a copy of such written notice to the credit reporting bureau;

    (b) A licensee or employee in collecting or attempting to collect a claim may communicate the existence of a claim to a debtor's employer if the claim has been reduced to a judgment;

    (c) A licensee or employee in collecting or attempting to collect a claim that has not been reduced to judgment, may communicate the existence of a claim to a debtor's employer if:

    (i) The licensee or employee has notified or attempted to notify the debtor in writing at his last known address or place of employment concerning the claim and the debtor after a reasonable time has failed to pay the claim or has failed to agree to make payments on the claim in a manner acceptable to the licensee, and

    (ii) The debtor has not in writing to the licensee disputed any part of the claim:  PROVIDED, That the licensee or employee may only communicate the existence of a claim which has not been reduced to judgment to the debtor's employer once unless the debtor's employer has agreed to additional communications.

    (d) A licensee may for the purpose of locating the debtor or locating assets of the debtor communicate the existence of a claim to any person who might reasonably be expected to have knowledge of the whereabouts of a debtor or the location of assets of the debtor if the claim is reduced to judgment, or if not reduced to judgment, when:

    (i) The licensee or employee has notified or attempted to notify the debtor in writing at his last known address or last known place of employment concerning the claim and the debtor after a reasonable time has failed to pay the claim or has failed to agree to make payments on the claim in a manner acceptable to the licensee, and

    (ii) The debtor has not in writing disputed any part of the claim.

    (e) A licensee may communicate the existence of a claim to its customers or clients if the claim is reduced to judgment, or if not reduced to judgment, when:

    (i) The licensee has notified or attempted to notify the debtor in writing at his last known address or last known place of employment concerning the claim and the debtor after a reasonable time has failed to pay the claim or has failed to agree to make payments on the claim in a manner acceptable to the licensee, and

    (ii) The debtor has not in writing disputed any part of the claim.

    (10) Threaten the debtor with impairment of his credit rating if a claim is not paid.

    (11) Communicate with the debtor after notification in writing from an attorney representing such debtor that all further communications relative to a claim should be addressed to the attorney:  PROVIDED, That if a licensee requests in writing information from an attorney regarding such claim and the attorney does not respond within a reasonable time, the licensee may communicate directly with the debtor until he or it again receives notification in writing that an attorney is representing the debtor.

    (12) Communicate with a debtor or anyone else in such a manner as to harass, intimidate, threaten, or embarrass a debtor, including but not limited to communication at an unreasonable hour, with unreasonable frequency, by threats of force or violence, by threats of criminal prosecution, and by use of offensive language.  A communication shall be presumed to have been made for the purposes of harassment if:

    (a) It is made with a debtor or spouse in any form, manner, or place, more than three times in a single week;

    (b) It is made with a debtor at his or her place of employment more than one time in a single week;

    (c) It is made with the debtor or spouse at his or her place of residence between the hours of 9:00 p.m. and 7:30 a.m.

    (13) Communicate with the debtor through use of forms or instruments that simulate the form or appearance of judicial process, the form or appearance of government documents, or the simulation of a form or appearance of a telegraphic or emergency message.

    (14) Communicate with the debtor and represent or imply that the existing obligation of the debtor may be or has been increased by the addition of attorney fees, investigation fees, service fees, or any other fees or charges when in fact such fees or charges may not legally be added to the existing obligation of such debtor.

    (15) Threaten to take any action against the debtor which the licensee cannot legally take at the time the threat is made.

    (16) Send any telegram or make any telephone calls to a debtor or concerning a debt or for the purpose of demanding payment of a claim or seeking information about a debtor, for which the charges are payable by the addressee or by the person to whom the call is made.

    (17) In any manner convey the impression that the licensee is vouched for, bonded to or by, or is an instrumentality of the state of Washington or any agency or department thereof.

    (18) Collect or attempt to collect in addition to the principal amount of a claim any sum other than allowable interest, collection costs or handling fees expressly authorized by statute, and, in the case of suit, attorney's fees and taxable court costs.

    (19) Procure from a debtor or collect or attempt to collect on any written note, contract, stipulation, promise or acknowledgment under which a debtor may be required to pay any sum other than principal, allowable interest, and, in the case of suit, attorney's fees and taxable court costs.

    (20) Upon notification by a victim of identity theft that a police report has been filed regarding the identity theft, and upon receipt of a copy of the report indicating that the victim's checkbook or other series of preprinted written instruments has been stolen, fail to accept one single writing from the victim that disputes creditors' claims for the entire checkbook or series.  Once a single writing has been received, the collection agency must not recontact the victim regarding the checks or other written instruments in the same series or lot and must consider the single writing as a dispute to all creditors' claims arising from use of the checkbook or other series of instruments.

 

    NEW SECTION.  Sec. 11.  Sections 1 through 8 of this act constitute a new chapter in Title 19 RCW.

 

    NEW SECTION.  Sec. 12.  Section captions used in sections 1 through 8 of this act are not part of the law.

 


                            --- END ---