Washington State House of Representatives Office of Program Research
BILL ANALYSIS
Technology, Energy & Communications Committee
HB 1005
This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.
Brief Description: Requiring a commercial web site that collects personally identifiable information to post a privacy policy.
Sponsors: Representatives Morris, Chase, Green, Hasegawa, Upthegrove, Williams, Hudgins and Moeller.
Brief Summary of Bill
Hearing Date: 1/26/09
Staff: Kara Durbin (786-7133)
Background:
There are a number of federal laws with respect to privacy. These laws often apply to specific industries (such as banking, health care, or communications) or to specific types of information (such as financial information, credit reports, or health care information). Generally, these laws define how governmental and commercial entities can collect, disclose, and use information. In addition, the Federal Trade Commission Act prohibits unfair and deceptive trade practices and authorizes the Federal Trade Commission (FTC) to bring enforcement actions against violators.
Many commercial web site operators voluntarily post a privacy policy on their web site, which describes how their consumers' personal information is collected, used, and shared. In recent years, the FTC has brought several enforcement actions against commercial web site operators who have failed to follow the policies outlined in their privacy statements.
In 2003, California passed the "California Online Privacy Protection Act," which requires owners of commercial web sites to post a privacy policy. Nebraska and Pennsylvania also have laws related to online privacy policies, both of which prohibit making false or misleading statements in a privacy policy.
Summary of Bill:
An operator of a commercial web site must conspicuously post a privacy policy on its web site if personally identifiable information is collected through the internet about a Washington resident.
A privacy policy is considered to be conspicuously posted if made available through:
a posting on a web page, if the web page is a home page or the first significant page upon entering the web site;
an icon that hyperlinks to a webpage upon which the privacy policy is posted, if the icon includes the word "privacy;" or
a text link that hyperlinks to the privacy policy if: (a) the text link is on the home page or on the first significant page upon entering the web site; (b) the word "privacy" is included in 10-point font size or larger; and (c) the text link is set off from surrounding text by symbols or other identifying marks.
An operator of a commercial web site must make its privacy policy reasonably accessible to consumers of an online service, if personally identifiable information is collected.
The privacy policy must contain the following features:
a list of categories of personally identifiable information the operator collects;
a list of categories of third parties with whom the operator may share personally identifiable information;
a description of the process, if any, by which the consumer can review and request changes to his or her personally identifiable information collected by the operator;
a description of the process by which the operator notifies consumers of material changes to the operator's privacy policy; and
the effective date of the privacy policy.
An operator of a commercial web site or online service is in violation of this section if the operator fails to post its privacy policy within 30 days after being notified of non-compliance by the Attorney General's Office.
A violation of the bill is a violation of the Consumer Protection Act.
The term "personally identifiable information" includes any of the following information about a consumer:
a first and last name;
a home or other physical address;
an e-mail address;
an internet protocol address;
a telephone number;
a social security number;
any other identifier that permits physical or online contact with a specific individual;
any information collected from the user and maintained in personally identifiable form in combination with other personally identifiable information.
Appropriation: None.
Fiscal Note: Not requested.
Effective Date: The bill takes effect 90 days after adjournment of the session in which the bill is passed.