Washington State

House of Representatives

Office of Program Research

BILL

ANALYSIS

Innovation, Technology & Economic Development Committee

HB 2364

This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.

Background:

Personal information and privacy interests are protected under various provisions of state law. The Washington Constitution provides that no person shall be disturbed in his private affairs without authority of law. The Public Records Act protects a person's right to privacy under certain circumstances if disclosure of personal information would be highly offensive and is not of legitimate concern to the public.

The state Consumer Protection Act (CPA) prohibits unfair methods of competition and unfair or deceptive practices in the conduct of any trade or commerce. A private person or the Attorney General may bring a civil action to enforce the provisions of the CPA. A person or entity found to have violated the CPA is subject to treble damages and attorney's fees.

Summary of Bill:

The Washington State Charter of Personal Data Rights is created to set forth individual rights and business responsibilities with regard to personal data.

"Personal data" means any information that identifies, relates to, describes, or could reasonably be linked, directly or indirectly, with a particular individual or household. Employment-related information is exempt from the provisions of the bill.

"Business" means any person or entity that engages in business and has a substantial nexus with Washington, has more than $10 million in worldwide gross revenue in the preceding calendar year, collects or processes personal data of individuals, and determines the purposes and means of the processing.

With regard to personal data, an individual has the right to:

know what personal data a business collects or processes about the individual;
access and obtain the individual's personal data collected or processed by a business;
object to and opt out of the selling or licensing of personal data;
correct inaccurate personal data; and
delete the individual's personal data collected or processed by a business.

A business that collects or processes personal data has a duty to act in good faith and with due diligence when responding to requests from individuals to exercise personal data rights and to not discriminate against individuals who choose to exercise their personal data rights.

In addition, a business has the duty to:

minimize the collection of personal data by collecting and processing personal data only as reasonably necessary for services requested by an individual or to verify requests to exercise personal data rights;
avoid secondary uses of personal data;
secure personal data from unauthorized acquisition or access;
require service providers to process personal data only on documented instructions from the business as to the nature, duration, and purposes of the processing; and
use only those service providers that sufficiently guarantee that the processing of personal data meets set forth in the act and ensures the protection of personal data rights.

A violation of these provisions is enforceable under the state Consumer Protection Act and subject to a civil penalty of up to $10,000 per violation in actions brought by the Attorney General. An individual whose personal data rights are violated may bring a civil action for declaratory relief, injunctive relief, or to recover actual damages, but not less than statutory damages of $10,000 per violation. A court must award costs and reasonable attorney's fees to a prevailing plaintiff.