[atlas:bill]

AN ACT Relating to protecting privacy; adding a new chapter to Title 19 RCW; and prescribing penalties.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF WASHINGTON:

NEW SECTION. Sec. 1. INTENT. The legislature finds that every information custodian has an affirmative and continuing obligation to adopt and disclose information privacy policies with respect to the collection and use of its customers' nonpublic personal information, and to protect the security and confidentiality of those customers' nonpublic personal information. The legislature also finds that an information custodian has a further obligation to enable their customers to prevent the sharing of certain nonpublic personal information with anyone, including affiliates. The legislature intends: (1) To expand on federal protections relating to the collection and use of customers' personal and/or sensitive information; (2) to ensure the citizens of Washington have access to an information custodian privacy policy; and (3) to provide remedies for noncompliance.

NEW SECTION. Sec. 2. DEFINITIONS. Unless the context clearly requires otherwise, the definitions in this section apply throughout this chapter.

(1) "Affiliate" includes any company or organization that controls, is controlled by, or is under common control with another company or organization.

(2) "Information custodian" includes any person or governmental entity, not including the federal government, that collects, stores, or maintains data containing nonpublic personal information regarding a consumer and that sells, shares, or otherwise transfers such information to others, including affiliates, for purposes other than those specifically requested by the consumer.

(3) "Nonpublic personal information" means personally identifiable information provided by a consumer to an information custodian resulting from any transaction with the consumer or any service performed for the consumer, or otherwise obtained by an information custodian; but does not include publicly available information as that term is defined by federal regulations under P.L. 106-102 (Gramm-Leach-Bliley Act of 1999).

(4) "Person" means natural persons, corporations, trusts, unincorporated associations, and partnerships, whether for profit or nonprofit.

(5) "Consumer" means an individual that obtains, from an information custodian, products or services that are to be used primarily for personal, family, or household purposes, and also means the legal representative of such individual.

(6) "Customer" means a consumer who establishes an ongoing relationship with an information custodian through the completion of one or more transactions.

NEW SECTION. Sec. 3. DISCLOSURE OF INFORMATION PRIVACY POLICY. An information custodian shall have an information privacy policy explicitly stating the policies and practices of the information custodian regarding the use of nonpublic personal information acquired from any consumer. The policy shall, at minimum, state the following:

(1) The categories of information that may be collected regarding the consumer, including examples;

(2) How the categories of information may be used by the information custodian and any other person with whom the information may be shared;

(3) Whether or not the information may be shared with, or transferred to, other persons, including affiliates;

(4) With what other persons the information may be shared, including affiliates;

(5) The categories of information that may be shared with, or transferred to, other persons, including affiliates;

(6) Whether or not the customer may elect that information not be shared with any other person, including affiliates, and a clear description of the procedure for exercising such an option;

(7) The procedure by which a customer may notify an information custodian of any errors in the information collected regarding the customer; and

(8) A general description of how the information custodian protects the security of the nonpublic personal information collected about the customer.

NEW SECTION. Sec. 4. NOTIFICATION OF POLICY CHANGES. An information custodian shall notify a customer of any proposed changes in the information privacy policy required under this chapter. This notice shall clearly describe the nature of the change and how the changed policy differs from the policy originally disclosed and shall be provided to the customer not less than sixty days before the proposed change is to take effect.

NEW SECTION. Sec. 5. METHOD OF POLICY DISCLOSURE. (1) The disclosure of the information privacy policy required by this chapter shall be by clear and conspicuous notice, stated in plain and unambiguous language, and shall be published in writing, or electronic form, or such other form consistent with this chapter. The method of the disclosure must be reasonably calculated to provide actual and meaningful notice to a consumer covered under this chapter.

(2) An information custodian's compliance with the requirements of P.L. 106-102 (Gramm-Leach-Bliley Act of 1999) and its implementing regulations constitutes compliance with the requirements of this section.

NEW SECTION. Sec. 6. TIMING OF POLICY DISCLOSURE. (1) An information custodian shall make the required policy disclosures to a consumer at the time of the initial transaction with the consumer, or at the time of the establishment of the relationship with the consumer, and not less than annually thereafter.

(2) If the information privacy policy is amended, the information custodian shall notify a customer of such amendment not later than thirty days after the adoption of the amendment.

(3) For persons with an existing relationship with an information custodian on the effective date of this section, the information custodian shall make the required disclosures within sixty days after the effective date of this section.

(4) An information custodian's compliance with the requirements under section 503 of P.L. 106-102 (Gramm-Leach-Bliley Act of 1999) and its implementing regulations constitutes compliance with the requirements of this section.

NEW SECTION. Sec. 7. POLICY REGISTRATION REQUIREMENT. (1) An information custodian shall file with the attorney general a copy of the information privacy policy required under this chapter. The policy shall be filed with the attorney general not later than sixty days after the adoption of the policy.

(2) If an existing policy is subject to amendment, the amended policy must be filed with the attorney general by the information custodian not later than sixty days after the adoption of the amendment.

NEW SECTION. Sec. 8. REMEDIES FOR NONCOMPLIANCE. (1) A consumer may bring a civil action for damages, injunctive relief, or both against an information custodian that has failed to comply with this chapter. If the violation is inadvertent, the consumer may recover his or her actual damages. If the violation is due to negligence, damages are to be in the amount of five hundred dollars, or actual damages, whichever is greater, as well as the costs of the suit, including attorneys' fees. Upon a showing that the violation of this chapter was willful, a court may increase the award of damages in an amount not more than three times the actual damages sustained, or one thousand five hundred dollars, whichever is greater, as well as the costs of the suit, including attorneys' fees.

(2) The attorney general may bring a civil action for damages, injunctive relief, or both against an information custodian who has failed to comply with this chapter. Damages are the same as those for individual plaintiffs, under subsection (1) of this section.

(3) The legislature finds that the practices covered by this chapter are matters vitally affecting the public interest for the purpose of applying the consumer protection act, chapter 19.86 RCW. A violation of this chapter is not reasonable in relation to the development and preservation of business and is an unfair or deceptive act in trade or commerce and an unfair method of competition for the purpose of applying the consumer protection act, chapter 19.86 RCW. Remedies under chapter 19.86 RCW are available in addition to the remedies under this chapter.

NEW SECTION. Sec. 9. EFFECT OF PUBLIC DISCLOSURE ACT. This chapter does not apply to any information that is subject to disclosure by a public agency under the public disclosure act, chapter 42.17 RCW, or where disclosure by a public agency is required by another statute. For purposes of this section, "public agency" means the same as "agency" in RCW 42.17.020.

NEW SECTION. Sec. 10. RULE-MAKING AUTHORITY. The attorney general may adopt and enforce rules as necessary under this chapter.

NEW SECTION. Sec. 11. Captions used in this chapter are not any part of the law.

NEW SECTION. Sec. 12. Sections 1 through 11 of this act constitute a new chapter in Title 19 RCW.