S-4388.1  _______________________________________________

 

                         SENATE BILL 6822

          _______________________________________________

 

State of Washington      56th Legislature     2000 Regular Session

 

By Senators Prentice and Gardner

 

Read first time 02/01/2000.  Referred to Committee on Commerce, Trade, Housing & Financial Institutions.

Protecting privacy of personal commercial information.


    AN ACT Relating to the privacy of personal information in commercial transactions involving information custodians other than financial institutions who maintain and transfer information; adding a new chapter to Title 19 RCW; creating a new section; prescribing penalties; and providing an effective date.

 

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF WASHINGTON:

 

    NEW SECTION.  Sec. 1.  INTENT.  (1) The legislature finds that every entity has an affirmative and continuing obligation to respect the privacy of its consumers and to protect the security and confidentiality of consumers.  The legislature finds that Washington's citizens have a right to privacy and a reasonable expectation that the personal information that they provide in commercial transactions with financial institutions and others who maintain and transfer information will be kept private and confidential.  The legislature finds that there is no existing uniform law that creates an appropriate standard of conduct for disclosure of consumers' personal information and that Washington's citizens need additional statutory protection from fraud, deception, nuisance, invasion of privacy, and breach of confidentiality related to the disclosure of personal information.  The legislature intends to ensure that entities and consumers work cooperatively to protect consumer information and enforce sanctions when violations occur.

    (2) The legislature finds that the disclosure of personal information has caused specific significant harms to Washington consumers, including the appearance of unauthorized charges or debits on consumers' accounts, misappropriation of sensitive information for the purpose of assuming a consumer's identity, the unwanted and unintended dissemination of personal and sensitive information, and the invasion of privacy.

    (3) The legislature finds that the dissemination of certain sensitive information causes a great risk of harm to the consumer, that it should be given a greater level of protection under the law, and that requiring consumer authorization to disseminate such sensitive information best balances the benefits and harms of disclosure.

    (4) The legislature finds that the flow of less sensitive personal information has resulted in a number of increased market efficiencies that are beneficial to consumers.  These include more rapid credit transactions and check verifications, as well as an increased number of choices for products and services.  The legislature finds that these benefits can be maintained by giving consumers the opportunity to choose whether their less sensitive information will be shared.  The legislature finds that giving consumers this choice best balances the benefits and harms of disclosure of such information.

 

    NEW SECTION.  Sec. 2.  DEFINITIONS.  Unless the context clearly requires otherwise, the definitions in this section apply throughout this chapter.

    (1) "Affiliate" means an entity that controls, is controlled by, or is under common control or common ownership with another entity.

    (2) "Consumer" or "customer" means a natural person who purchases, leases, or otherwise contracts for goods or services that are primarily used for personal, family, or household purposes.

    (3) "Consumer-requested purpose" means that the consumer has requested the information custodian to establish or maintain a business relationship, complete a transaction, or provide a product or service.

    (4) "Information custodian" means a nonpublic, commercial entity other than a financial institution that maintains data containing personal information or sensitive information about consumers it knows reside in Washington and that sells, shares, or otherwise transfers the information to others, including affiliates or nonaffiliates, for purposes other than customer-requested purposes.  An "information custodian" does not include a consumer reporting agency, as defined in the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.), to the extent its activities are directly related to assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and to the extent that the activities are regulated by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).

    (5) "Marketer" means a nonpublic, commercial entity that maintains data containing personal information or sensitive information about consumers it knows reside in Washington, that does not sell, share, or otherwise transfer the information to others, either affiliates or nonaffiliates, but that uses the information to engage in marketing.

    (6) "Marketing" or "marketing information" means a promotion, solicitation, or advertisement made by a commercial entity through written, telephonic, electronic, or other means, offering goods or services, that is directed to a specific named individual, and that is separate from a billing, or a promotion, solicitation, or advertisement directed to the general public for sale of the marketer's own goods or services.

    (7) "Personal information" means information that is provided by the consumer in a commercial context, and is identifiable to the individual consumer, that concerns the amount or condition of the consumer's assets, liabilities, financial transactions, purchasing history, buying preferences, business relationships, account existence or status, customer status, demographic information, name, address, telephone number, or electronic mail address or that reflects current or historical balances or purchase amounts.

    (8) "Sensitive information" means information maintained in a commercial context that is held for the purpose of transaction initiation, account access, or identity verification, and includes account numbers, access codes or passwords, tax identification numbers, driver's license or permit numbers, state identicard numbers issued by the department of licensing, and credit card numbers or expiration dates.

 

    NEW SECTION.  Sec. 3.  RESTRICTION ON CONSUMER INFORMATION.  Information custodians and marketers shall, in performing a transaction with a consumer, providing a service for a consumer, or establishing a business relationship with a consumer, require only that the consumer provide information reasonably necessary to perform the transaction, establish the relationship, or administer or maintain the business relationship.  Any optional information must be specified as such, and the consumer must be given the option not to provide it.

 

    NEW SECTION.  Sec. 4.  CONSUMER PRIVACY POLICIES.  (1) An information custodian must have a consumer privacy policy that discloses to existing and prospective consumers the policies and practices of the information custodian regarding the use of consumer personal information and sensitive information acquired or possessed by the information custodian.  Entities that maintain data containing personal information or sensitive information but do not sell, share, or otherwise transfer the data, are not required to have a privacy policy.

    (2) The consumer privacy policy, at a minimum, must summarize the information custodian's responsibilities under this chapter and describe the consumer's rights and remedies under it, and generally describe with whom the consumer's personal and sensitive information will be shared or to whom it will be sold or transferred.

    (3) The consumer privacy policy must also provide a reasonable means for consumers to access their personal and sensitive information that the information custodian shares, sells, or transfers or uses for marketing purposes.  The policy must also provide a reasonable process to correct inaccurate or incomplete information.

    (4) An information custodian must disclose its consumer privacy policy at least once to each consumer no later than:

    (a) For existing customers on the effective date of this act about whom the information custodian has maintained personal information that includes the consumer's name and address or other means of contact or identification, within sixty days after the effective date of this act or when the consumer's name and address or other means of contact or identification is obtained and maintained by the information custodian;

    (b) For prospective customers after the effective date of this act, within thirty days after the consumer's initial request for the policy; and

    (c) For all new customers after the effective date of this act, at the time the customer enters into a business relationship with the information custodian that involves recording and maintaining of personal or sensitive information.

    (5) An information custodian must disclose its consumer privacy policy on an annual basis to existing customers about whom the information custodian has maintained personal or sensitive information after the initial disclosure described in subsection (4) of this section, and, when material changes are made to the policy, the information custodian must notify the consumer, clearly and conspicuously in writing, in plain language, of the material changes and describe the consumer's rights under sections 5(1) and 7 (1) and (2) of this act.

    (6) The disclosure of the consumer privacy policy must be clearly and conspicuously made in writing, in a document separate from all other documents or pages that are provided to the consumer by the information custodian.

    (7) The consumer privacy policy must be clearly and conspicuously posted on the information custodian's website, if a website exists, and must be readily available for review at the information custodian's place of business.

 

    NEW SECTION.  Sec. 5.  PERSONAL INFORMATION--CONSUMER CONTROL.  (1) An information custodian may share, sell, or otherwise transfer personal information for purposes other than consumer-requested purposes, only if it has clearly and conspicuously disclosed to the consumer the following information in plain language:

    (a) That the consumer has the right to choose not to have his or her personal information shared, sold, or otherwise transferred for purposes other than consumer-requested purposes.  The disclosure must be made at the time the consumer privacy policy is provided to the customer under section 4 of this act.

    (b) That the consumer may choose not to receive marketing information or have his or her personal information shared, sold, or transferred for other than consumer-requested purposes, by exercising his or her choice through a cost-free method provided by the information custodian.  Disclosure of the existence of the cost-free method must be made at the time the consumer privacy policy is provided to the customer under section 4 of this act.  The information custodian shall maintain adequate and reasonable access for consumers to the cost-free method it has established.

    (2) If, under this section, a consumer chooses not to have his or her personal information shared, sold, or otherwise transferred under subsection (1) of this section, the information custodian must stop sharing, selling, or otherwise transferring the consumer's personal information for purposes other than consumer-requested purposes, within ninety days of receiving the consumer's notice.  Once a consumer has chosen not to have his or her personal information shared, sold, or otherwise transferred, an information custodian may not share, sell, or otherwise transfer the information for purposes other than consumer-requested purposes until the consumer notifies the entity that he or she has chosen to have his or her personal information shared, sold, or otherwise transferred under subsection (1) of this section.

    (3) This section does not apply to disclosure of personal information under the following circumstances:

    (a) Disclosure to the consumer upon his or her request and upon presentation of proper identification;

    (b) Disclosure required by federal, state, or local law or regulation;

    (c) Disclosure made under a search warrant, court order, or subpoena, including an administrative subpoena;

    (d) Use or disclosure of personal information by an information custodian to perform services or functions on behalf of the information custodian as part of the information custodian's provision of services or products to a consumer in connection with a consumer-requested purpose;

    (e) Disclosure to a third party in the business of debt collection where necessary to collect a debt or check returned for insufficient funds;

    (f) Disclosure to protect against or prevent actual or potential fraud or unauthorized transactions;

    (g) Disclosure by or to a consumer reporting agency as defined by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.) and as specifically permitted by that act;

    (h) Disclosure of credit report information between affiliates as defined in the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.) and as specifically permitted by that act;

    (i) Disclosure for purposes of a proposed or actual securitization, secondary market sale (including sales of service rights), or similar transaction related to a consumer-requested purpose;

    (j) Disclosure to persons holding a legal or beneficial interest relating to the consumer;

    (k) Disclosure to persons acting in a fiduciary or lawful representative capacity on behalf of the consumer; or

    (l) Disclosure in order to provide information to insurance rate advisory organizations, guaranty funds or agencies, applicable rating agencies of an information custodian, persons assessing the information custodian's compliance with industry standards, and the information custodian's attorneys, accountants, and auditors.

 

    NEW SECTION.  Sec. 6.  MARKETING--CONSUMER CONTROL.  (1) A marketer may use personal or sensitive information for marketing purposes only if it has clearly and conspicuously disclosed in plain language to the consumer:

    (a) That the consumer has the right to choose not to receive marketing information.  This disclosure must be made in all marketing information, in whatever medium the marketing information is sent or, if the marketer is an information custodian, in the privacy policy provided to the customer under section 4 of this act.

    (b) That the consumer may choose not to receive marketing information by exercising his or her choice through a cost-free method provided by the marketer.  This disclosure must be made in all marketing information in whatever medium the marketing information is sent in, or, if the marketer is an information custodian, in the privacy policy provided to the customer under section 4 of this act.  The marketer shall maintain adequate and reasonable access for consumers to the cost-free method it has established.

    (2) If, under this section, a consumer chooses not to receive marketing information, the marketer must stop marketing to the consumer within ninety days of receiving the consumer's notice.  Once a consumer has chosen not to receive marketing information, a marketer may not market to the consumer until the consumer notifies the marketer that he or she has chosen to receive marketing information.

 

    NEW SECTION.  Sec. 7.  SENSITIVE INFORMATION--CONSUMER CONTROL.  (1) An information custodian may not disclose sensitive information to a third party or affiliate for purposes other than consumer-requested purposes unless the consumer has received written notification of the following:

    (a) The information to be disclosed;

    (b) The entity or entities authorized to receive the disclosure of information;

    (c) A specific description of the purpose for which the disclosure of information will be made;

    (d) The expiration date for authorization for use of the information, which date is no more than one year from the date of execution.

    (2) An information custodian may not disclose sensitive information to a third party or affiliate for purposes other than consumer-requested purposes unless the consumer, upon notice as provided in this section and affirmative consent, authorizes the disclosure of the sensitive information sought to be disclosed, in a written statement dated and accepted by the consumer that is separate and distinct from any other document, and that contains a description of the information sought to be disclosed and the purpose for which the information will be disclosed.

    (3) This section does not apply to disclosure of sensitive information under the following circumstances:

    (a) Disclosure to the consumer upon his or her request and upon proper identification;

    (b) Disclosure required by federal, state, or local law or regulation;

    (c) Disclosure made under a search warrant, court order, or subpoena, including an administrative subpoena;

    (d) Use or disclosure of sensitive information by an information custodian to perform services or functions on behalf of the information custodian as part of the information custodian's provision of services or products to a consumer in connection with a consumer-requested purpose;

    (e) Disclosure to a third party in the business of debt collection where necessary to collect a debt or check returned for insufficient funds;

    (f) Disclosure to protect against or prevent actual or potential fraud or unauthorized transactions;

    (g) Disclosure by or to a consumer reporting agency as defined by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.) and as specifically permitted by that act;

    (h) Disclosure of credit report information between affiliates as defined in the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.) and as specifically permitted by that act;

    (i) Disclosure of sensitive information that is prohibited from disclosure by section 502(d) of Public Law 106-103 (the Gramm-Leach-Bliley Act of 1999);

    (j) Disclosure for purposes of a proposed or actual securitization, secondary market sale (including sales service rights), or similar transactions related to a consumer-requested purpose;

    (k) Disclosure to persons holding a legal or beneficial interest relating to the consumer;

    (l) Disclosure to persons acting in a fiduciary or lawful representative capacity on behalf of the consumer; and

    (m) Disclosure in order to provide information to insurance rate advisory organizations, guaranty funds or agencies, applicable rating agencies of the information custodian, persons assessing the information custodian's compliance with industry standards, and the information custodian's attorneys, accountants, and auditors.

 

    NEW SECTION.  Sec. 8.  CONFIDENTIALITY AND SECURITY OF INFORMATION.  (1) Third parties or affiliates that obtain personal information or sensitive information from information custodians may not sell, share, or otherwise transfer the information for any reason other than the original purpose for which the information was sold, shared, or transferred to the third party or affiliate.

    (2) An information custodian, before sharing, selling, or otherwise transferring personal information or sensitive information, must obtain a written agreement from the third party or affiliate providing for the following:

    (a) To keep the information confidential;

    (b) To use the information only for the original purpose for which it has been shared, sold, or provided; and

    (c) To safeguard the information from loss, misuse, theft, unauthorized access, disclosure, defacement, or alteration.

    (3) Every information custodian must establish reasonable safeguards to ensure the confidentiality and safety of personal information and sensitive information and to protect them from loss, misuse, theft, unauthorized access, disclosure, defacement, or alteration.

 

    NEW SECTION.  Sec. 9.  VIOLATION AN UNFAIR OR DECEPTIVE ACT.  (1) Unfair and deceptive invasion of privacy rights is not reasonable in relation to the development and preservation of business.  The legislature finds that the practices covered by this chapter are matters vitally affecting the public interest for the purpose of applying the Consumer Protection Act, chapter 19.86 RCW.  A violation of this chapter is an unfair or deceptive act in trade or commerce for the purpose of applying the Consumer Protection Act, chapter 19.86 RCW.

    (2) A person may not bring an action against a marketer for a violation of section 6(2) of this act unless he or she has notified the marketer of a violation of the section, in writing at an address provided by the marketer upon the consumer's request, and the information custodian has again violated section 6(2) of this act more than ninety days after having received the notification.

    (3) Damages to a person who has been the victim of a violation of this chapter are five hundred dollars, or actual damages, whichever is greater.  A court may increase the award of damages in an amount not more than three times the actual damages sustained, or one thousand five hundred dollars, whichever is greater, upon a demonstration that a violation of the chapter was willful.

 

    NEW SECTION.  Sec. 10.  Sections 1 through 9 of this act constitute a new chapter in Title 19 RCW.

 

    NEW SECTION.  Sec. 11.  Section captions used in sections 1 through 9 of this act are not part of the law.

 

    NEW SECTION.  Sec. 12.  This act takes effect December 1, 2000.

 


                            --- END ---