S-4475.1 _______________________________________________
SUBSTITUTE SENATE BILL 6513
_______________________________________________
State of Washington 56th Legislature 2000 Regular Session
By Senate Committee on Commerce, Trade, Housing & Financial Institutions (originally sponsored by Senators Prentice, McCaslin, Kline, Gardner, Winsley, Kohl‑Welles, Spanel and Costa; by request of Attorney General)
Read first time 02/04/2000.
AN ACT Relating to the privacy of personal information in commercial transactions involving financial institutions and others who maintain and transfer information; adding a new chapter to Title 19 RCW; creating a new section; prescribing penalties; and providing an effective date.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF WASHINGTON:
NEW SECTION. Sec. 1. INTENT. (1) The legislature finds that every entity has an affirmative and continuing obligation to respect the privacy of its consumers and to protect the security and confidentiality of consumers. The legislature finds that Washington's citizens have a right to privacy and a reasonable expectation that the personal information that they provide in commercial transactions with financial institutions and others who maintain and transfer information will be kept private and confidential. The legislature finds that there is no existing uniform law that creates an appropriate standard of conduct for disclosure of consumers' personal information and that Washington's citizens need additional statutory protection from fraud, deception, nuisance, invasion of privacy, and breach of confidentiality related to the disclosure of personal information. The legislature intends to ensure that entities and consumers work cooperatively to protect consumer information and enforce sanctions when violations occur.
(2) The legislature finds that the disclosure of personal information has caused specific significant harms to Washington consumers, including the appearance of unauthorized charges or debits on consumers' accounts, misappropriation of sensitive information for the purpose of assuming a consumer's identity, the unwanted and unintended dissemination of personal and sensitive information, and the invasion of privacy.
(3) The legislature finds that the dissemination of certain sensitive information causes a great risk of harm to the consumer, that it should be given a greater level of protection under the law, and that requiring consumer authorization to disseminate such sensitive information best balances the benefits and harms of disclosure.
(4) The legislature finds that the flow of less sensitive personal information has resulted in a number of increased market efficiencies that are beneficial to consumers. These include more rapid credit transactions and check verifications, as well as an increased number of choices for products and services. The legislature finds that these benefits can be maintained by giving consumers the opportunity to choose whether their less sensitive information will be shared. The legislature finds that giving consumers this choice best balances the benefits and harms of disclosure of such information.
NEW SECTION. Sec. 2. DEFINITIONS. Unless the context clearly requires otherwise, the definitions in this section apply throughout this chapter.
(1) "Affiliate" means an entity that controls, is controlled by, or is under common control or common ownership with another entity.
(2) "Consumer" or "customer" means a natural person who purchases, leases, or otherwise contracts for goods or services that are primarily used for personal, family, or household purposes.
(3) "Consumer-requested purpose" means that the consumer has requested the information custodian to establish or maintain a business relationship, complete a transaction, or provide a product or service.
(4) "De minimus cost method" means a method in connection with which the consumer does not incur a cost greater than the cost of an envelope and first-class postage for a one-ounce letter.
(5) "Financial institution" means a financial institution as defined in section 527(4) of the Gramm-Leach-Bliley Act, P.L. 106-102.
(6) "Information custodian" means a financial institution that maintains data containing personal information or sensitive information about consumers it knows reside in Washington and that sells, shares, or otherwise transfers the information to others, including affiliates or nonaffiliates, for purposes other than customer-requested purposes. An "information custodian" does not include a consumer reporting agency, as defined in the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.), to the extent its activities are directly related to assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and to the extent that the activities are regulated by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).
(7) "Marketer" means a nonpublic, commercial entity that maintains data containing personal information or sensitive information about consumers it knows reside in Washington, that does not sell, share, or otherwise transfer the information to others, either affiliates or nonaffiliates, but that uses the information to engage in marketing.
(8) "Marketing" or "marketing information" means a promotion, solicitation, or advertisement made by a commercial entity through written, telephonic, electronic, or other means, offering goods or services, that is directed to a specific named individual, and that is separate from a billing, or a promotion, solicitation, or advertisement directed to the general public for sale of the marketer's own goods or services.
(9) "Personal information" means information that is provided by the consumer in a commercial context, and is identifiable to the individual consumer, that concerns the amount or condition of the consumer's assets, liabilities, financial transactions, purchasing history, buying preferences, business relationships, account existence, customer status, demographic information, name, address, telephone number, or electronic mail address.
(10) "Sensitive information" means information maintained in a commercial context that is held for the purpose of transaction initiation, account access or identity verification, or that reflects current or historical deposit or credit card account balances or purchase amounts, and includes account numbers, access codes or passwords, tax identification numbers, driver's license or permit numbers, state identicard numbers issued by the department of licensing, and credit card numbers or expiration dates.
NEW SECTION. Sec. 3. RESTRICTION ON CONSUMER INFORMATION. Information custodians and marketers shall, in performing a transaction with a consumer, providing a service for a consumer, or establishing a business relationship with a consumer, require only that the consumer provide information reasonably necessary to perform the transaction, establish the relationship, or administer or maintain the business relationship. Any optional information must be specified as such, and the consumer must be given the option not to provide it.
NEW SECTION. Sec. 4. CONSUMER PRIVACY POLICIES. (1) An information custodian must have a consumer privacy policy that discloses to existing and prospective consumers the policies and practices of the information custodian regarding the use of consumer personal information and sensitive information acquired or possessed by the information custodian. Entities that maintain data containing personal information or sensitive information but do not sell, share, or otherwise transfer the data, are not required to have a privacy policy.
(2) The consumer privacy policy, at a minimum, must summarize the information custodian's responsibilities under this chapter and describe the consumer's rights and remedies under it, and generally describe with whom the consumer's personal and sensitive information will be shared or to whom it will be sold or transferred.
(3) The consumer privacy policy must also provide a reasonable means for consumers to access their personal and sensitive information that the information custodian shares, sells, or transfers for marketing purposes. The policy must also provide a reasonable process to correct inaccurate or incomplete information.
(4) An information custodian must disclose its consumer privacy policy at least once no later than:
(a) The effective date of this act to existing customers about whom the information custodian has names and addresses or other means of contact, or within a reasonable period of time after the information custodian obtains the consumers' names and addresses or other means of contact;
(b) Thirty days after a prospective customer's initial request for the policy, following the effective date of this act; and
(c) At the time when a new customer enters into a business relationship with the information custodian.
(5) An information custodian must disclose its consumer privacy policy on an annual basis to existing customers after the initial disclosure described in subsection (4) of this section, and, when material changes are made to the policy, the information custodian must notify the consumer, clearly and conspicuously in writing, in plain language, of the material changes and describe the consumer's rights under sections 5(1) and 7 (1) and (2) of this act.
(6) The disclosure of the consumer privacy policy must be clearly and conspicuously made in writing, in a document separate from or attached as the first item of other documents or pages that are provided to the consumer by the information custodian.
(7) The consumer privacy policy must be clearly and conspicuously posted on the information custodian's website, if a website exists, and must be readily available for review at the information custodian's place of business.
(8) Compliance by a financial institution with the disclosure deadline requirements of section 503 of Public Law 106-103 (the Gramm-Leach-Bliley Act of 1999) constitutes compliance with the disclosure deadline requirements of subsection (4) of this section for existing customers.
NEW SECTION. Sec. 5. PERSONAL INFORMATION--CONSUMER CONTROL. (1) An information custodian may share, sell, or otherwise transfer personal information for purposes other than consumer-requested purposes, only if it has clearly and conspicuously disclosed to the consumer the following information in plain language:
(a) That the consumer has the right to choose not to have his or her personal information shared, sold, or otherwise transferred for purposes other than consumer-requested purposes. The disclosure must be made at the time the consumer privacy policy is provided to the customer under section 4 of this act.
(b) That the consumer may choose not to receive marketing information or have his or her personal information shared, sold, or transferred for other than consumer-requested purposes, by exercising his or her choice through a cost-free method provided by the information custodian. Disclosure of the existence of the cost-free method must be made at the time the consumer privacy policy is provided to the customer under section 4 of this act. The information custodian shall maintain adequate and reasonable access for consumers to the cost-free method it has established.
(2) If, under this section, a consumer chooses not to have his or her personal information shared, sold, or otherwise transferred under subsection (1) of this section, the information custodian must stop sharing, selling, or otherwise transferring the consumer's personal information for purposes other than consumer-requested purposes, within ninety days of receiving the consumer's notice. Once a consumer has chosen not to have his or her personal information shared, sold, or otherwise transferred, an information custodian may not share, sell, or otherwise transfer the information for purposes other than consumer-requested purposes until the consumer notifies the entity that he or she has chosen to have his or her personal information shared, sold, or otherwise transferred under subsection (1) of this section.
(3) This section does not apply to disclosure of personal information under the following circumstances. However, the recipient of the information is subject to section 8 of this act:
(a) Disclosure to or at the direction of the consumer upon his or her request and upon proper identification;
(b) Disclosure required by federal, state, or local law or regulation, rules, and other applicable legal requirements;
(c) Disclosure made in the course of a properly authorized civil, criminal, or regulatory examination or investigation or under a search warrant, court order, or subpoena, including an administrative subpoena;
(d) Use or disclosure of personal information by an information custodian to another entity to perform services or functions on behalf of the information custodian as part of the information custodian's provision of its services or products to its consumers if the entity agrees in writing to keep the information confidential;
(e) Disclosure to a third party in the business of debt collection where necessary to collect a debt or check returned for insufficient funds;
(f) Disclosure to protect the confidentiality or security of the information custodian's records;
(g) Disclosure to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability;
(h) Disclosure as part of a risk control program required by regulators, or for resolving customer disputes or inquiries;
(i) Disclosure by or to a consumer reporting agency as defined by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.), and as specifically permitted by that act;
(j) Disclosure of credit report information between affiliates as defined in the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.), and as specifically permitted by that act;
(k) Disclosure for purposes of a proposed or actual securitization, secondary market sale (including sales of service rights), or similar transaction related to a consumer-requested purpose;
(l) Disclosure to persons holding a legal or beneficial interest relating to the consumer;
(m) Disclosure to persons acting in a fiduciary or lawful representative capacity on behalf of the consumer;
(n) Disclosure in order to provide information to insurance rate advisory organizations, guaranty funds or agencies, applicable rating agencies of the information custodian, persons assessing the information custodian's compliance with industry standards, and the information custodian's attorneys, accountants, and auditors; or
(o) Disclosure in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit of an information custodian if the disclosure of information concerns solely consumers of the business or unit.
NEW SECTION. Sec. 6. MARKETING--CONSUMER CONTROL. (1) A marketer may use personal or sensitive information for marketing purposes only if it has clearly and conspicuously disclosed in plain language to the consumer:
(a) That the consumer has the right to choose not to receive marketing information. This disclosure must be made in all marketing information, in whatever medium the marketing information is sent or, if the marketer is an information custodian, in the privacy policy provided to the customer under section 4 of this act;
(b) That the consumer may choose not to receive marketing information by exercising his or her choice through a de minimus cost method provided by the marketer. This disclosure must be made in all marketing information in whatever medium the marketing information is sent, or, if the marketer is an information custodian, in the privacy policy provided to the customer under section 4 of this act. The marketer shall maintain adequate and reasonable access for consumers to the de minimus cost method it has established.
(2) If, under this section, a consumer chooses not to receive marketing information, the marketer must stop marketing to the consumer within ninety days of receiving the consumer's notice. Once a consumer has chosen not to receive marketing information, a marketer may not market to the consumer until the consumer notifies the marketer that he or she has chosen to receive marketing information.
NEW SECTION. Sec. 7. SENSITIVE INFORMATION--CONSUMER CONTROL. (1) An information custodian may not disclose sensitive information to a third party or affiliate for purposes other than consumer-requested purposes unless the consumer has received written notification of the following:
(a) The information to be disclosed;
(b) The entity or entities authorized to receive the disclosure of information;
(c) A specific description of the purpose for which the disclosure of information will be made;
(d) The expiration date for authorization for use of the information, which date is no more than one year from the date of execution.
(2) An information custodian may not disclose sensitive information to a third party or affiliate for purposes other than consumer-requested purposes unless the consumer, upon notice as provided in this section and affirmative consent, authorizes the disclosure of the sensitive information sought to be disclosed, in a written statement dated and accepted by the consumer that is separate and distinct from any other document, and that contains a description of the information sought to be disclosed and the purpose for which the information will be disclosed.
(3) This section does not apply to disclosure of sensitive information under the following circumstances. However, the recipient of the information is subject to section 8 of this act:
(a) Disclosure to or at the direction of the consumer upon his or her request and upon proper identification;
(b) Disclosure required by federal, state, or local law or regulation, rules, and other applicable legal requirements;
(c) Disclosure made in the course of a properly authorized civil, criminal, or regulatory examination or investigation or under a search warrant, court order, or subpoena, including an administrative subpoena;
(d) Use or disclosure of sensitive information by an information custodian to another entity to perform services or functions on behalf of the information custodian as part of the information custodian's provision of its services or products to its consumers if the entity agrees in writing to keep the information confidential;
(e) Disclosure to a third party in the business of debt collection where necessary to collect a debt or check returned for insufficient funds;
(f) Disclosure to protect the confidentiality or security of the information custodian's records;
(g) Disclosure to protect against or prevent actual or potential fraud or unauthorized transactions, claims, or other liability;
(h) Disclosure as part of a risk control program required by regulators, or for resolving customer disputes or inquiries;
(i) Disclosure by or to a consumer reporting agency as defined by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.), and as specifically permitted by that act;
(j) Disclosure of credit report information between affiliates as defined in the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.), and as specifically permitted by that act;
(k) Disclosure of sensitive information which is prohibited from disclosure by section 502(d) of Public Law 106-103 (the Gramm-Leach-Bliley Act of 1999);
(l) Disclosure for purposes of a proposed or actual securitization, secondary market sale (including sales service rights), or similar transactions related to a consumer-requested purpose;
(m) Disclosure to persons holding a legal or beneficial interest relating to the consumer;
(n) Disclosure to persons acting in a fiduciary or lawful representative capacity on behalf of the consumer;
(o) Disclosure in order to provide information to insurance rate advisory organizations, guaranty funds or agencies, applicable rating agencies of the information custodian, persons assessing the information custodian's compliance with industry standards, and the information custodian's attorneys, accountants, and auditors; or
(p) Disclosure in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit of an information custodian if the disclosure of information concerns solely consumers of the business or unit.
NEW SECTION. Sec. 8. CONFIDENTIALITY AND SECURITY OF INFORMATION. (1) Third parties or affiliates that obtain personal information or sensitive information from information custodians may not sell, share, or otherwise transfer the information for any reason other than the original purpose for which the information was sold, shared, or transferred to the third party or affiliate.
(2) An information custodian, before sharing, selling, or otherwise transferring personal information or sensitive information, must obtain a written agreement from the third party or affiliate providing for the following:
(a) To keep the information confidential;
(b) To use the information only for the original purpose for which it has been shared, sold, or provided; and
(c) To safeguard the information from loss, misuse, theft, unauthorized access, disclosure, defacement, or alteration.
(3) Every information custodian must establish reasonable safeguards to ensure the confidentiality and safety of personal information and sensitive information and to protect them from loss, misuse, theft, unauthorized access, disclosure, defacement, or alteration.
NEW SECTION. Sec. 9. VIOLATION AN UNFAIR OR DECEPTIVE ACT. (1) Unfair and deceptive invasion of privacy rights is not reasonable in relation to the development and preservation of business. The legislature finds that the practices covered by this chapter are matters vitally affecting the public interest for the purpose of applying the Consumer Protection Act, chapter 19.86 RCW. A violation of this chapter is an unfair or deceptive act in trade or commerce for the purpose of applying the Consumer Protection Act, chapter 19.86 RCW.
(2) A person may not bring an action for a violation of this chapter, other than a violation of section 3, 5, 7, or 8 of this act or a willful violation of section 4 of this act, unless, within seven years before the violation, he or she has notified the defendant of a violation of the section, in writing at an address specified in the defendant's privacy policy if the defendant is an information custodian or at an address provided by the defendant upon the consumer's request if the defendant is a marketer, and the defendant has again committed the violation more than ninety days after having received the notification.
(3) Damages to a person who has been the victim of a violation of this chapter are five hundred dollars, or actual damages, whichever is greater. A court may increase the award of damages in an amount not more than three times the actual damages sustained, or one thousand five hundred dollars, whichever is greater, upon a demonstration that a violation of the chapter was willful.
NEW SECTION. Sec. 10. FEDERAL INVALIDITY--ANTITRUST LAWS. If the responsible federal chartering authority, under applicable federal law, or if a court of competent jurisdiction declares that any provision of this chapter is invalid with respect to any financial institution, the provision is also invalid, to the same extent, with respect to financial institutions chartered under the laws of the state of Washington and to host branches of out-of-state banks. The director of the department of financial institutions may, from time to time, publish provisions of state laws that have been found invalidated under federal law and procedures. This section does not impair in any manner the authority of the state attorney general to enforce antitrust laws applicable to financial institutions or their affiliates.
NEW SECTION. Sec. 11. Sections 1 through 10 of this act constitute a new chapter in Title 19 RCW.
NEW SECTION. Sec. 12. Section captions used in sections 1 through 10 of this act are not part of the law.
NEW SECTION. Sec. 13. If any provision of this act or its application to any person or circumstance is held invalid, the remainder of the act or the application of the provision to other persons or circumstances is not affected.
NEW SECTION. Sec. 14. This act takes effect December 1, 2000.
--- END ---