Federal Laws Related to Privacy.

A sectorial framework protects personal information and privacy interests under various federal laws.  Key federal statutes related to privacy include:

• the Health Insurance Portability and Accountability Act (HIPAA), which protects the privacy and security of medical information;
• the Fair Credit Reporting Act (FCRA), which regulates the consumer reporting industry and provides privacy rights in consumer reports;
• the Gramm-Leach-Bliley Act (GLBA), which regulates the sharing of personally identifiable financial information by financial institutions and their affiliates; and
• the Family Educational Rights and Privacy Act (FERPA), which protects the privacy of student education records.

Privacy Protection in Washington.

The Washington Constitution provides that no person shall be disturbed in their private affairs without authority of law.  Similarly to the federal sectorial approach, different state statutes define permitted conduct and specify the requisite level of privacy protections for medical records, financial transactions, student information, and other personal data.

The Office of Privacy and Data Protection (OPDP) serves as a central point of contact for state agencies on policy matters involving data privacy and data protection.  The OPDP also serves as a resource to local governments and the public on data privacy and protection concerns.

Consumer Protection Act.
The Consumer Protection Act (CPA) prohibits unfair or deceptive acts or practices in trade or commerce, the formation of contracts, combinations, and conspiracies in restraint of trade or commerce, and monopolies.  Persons injured by violations of the CPA may bring a civil action to enjoin further violations and recover actual damages, costs, and attorney's fees.
 
The Attorney General may bring an action in the name of the state, or as parens patriae on behalf of persons residing in the state, against any person to enjoin violations of the CPA and obtain restitution.  The prevailing party may, at the discretion of the court, recover costs and attorney's fees.  The Attorney General may also seek civil penalties, up to the statutorily authorized maximums, against any person who violates the CPA.  Civil penalties are paid to the state.

Prohibition.

Any transacting entities who conduct business in this state and collect personal information from a consumer at a point of sale, are prohibited from selling or sharing that consumer's personal information unless the transacting entity has first received express permission from the consumer that the transacting entity is affirmatively authorized to share or sell that consumer's personal information.  

Enforcement.

 A violation of the above prohibition is a matter vitally affecting the public interest for purposes of applying the CPA and is not reasonable in relation to the development and preservation of business, is an unfair or deceptive act in trade or commerce, and an unfair method of competition.  The Attorney General has sole enforcement authority under the CPA.  

Definitions.  

The following definitions are established:

"Point of sale" means the circumstance in which a consumer executes payment for goods or services and where sales taxes may become payable.

"Transacting entity" means any of the following:  (1) a resident individual who engages regularly in commercial activity for the purpose of generating income; (2) a corporation or nonprofit corporation, limited liability company, partnership or limited liability partnership, business trust, joint venture, or other form of business organization, the constituent parts of which share an economic interest; (3) a financial institution, as defined in RCW 9A.56.280; (4) the state or any political subdivision thereof; or (5) an individual that controls, is controlled by, or is under common control with a person described in (2) or (3).

"Personal information" means any one or more of the following items of personally identifiable information about a consumer collected by a transacting entity and maintained by the transacting entity in an accessible form:  (1) a first and last name; (2) a home or other physical address which includes the name of a street and the name of a city or town; (3) an email address; (4) a telephone number; (5) a social security number; (6) an identifier that allows a specific person to be contacted either physically or online; and (7) any other information concerning a person collected from the person by a transacting entity and maintained by the transacting entity in combination with an identifier in a form that makes the information personally identifiable.

"Selling" means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by a transacting entity to a third party for monetary or other valuable consideration.  A transacting entity does not sell personal information when:

1.  A consumer uses or directs the transacting entity to intentionally:  (a) disclose personal information; or (b) interact with one or more third parties.
2. The transacting entity uses or shares an identifier for a consumer who has opted out of the sale of the consumer's personal information or limited the use of the consumer's sensitive personal information, for the purposes of alerting persons that the consumer has opted out of the sale of the consumer's personal information or limited the use of the consumer's personal information.
3. The transacting entity transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the transacting entity, provided that information is used or shared consistently with this title. If a third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to the consumer. The notice shall be sufficiently prominent and robust to ensure that existing consumers can easily exercise their choices consistently with this title.

"Sharing" means renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by a transacting entity to a third party whether or not for monetary or other valuable consideration, including transactions between a transacting entity and a third party for cross-context behavioral advertising for the benefit of a transacting entity in which no money is exchanged.  A transacting entity does not share personal information when:

1. A consumer uses or directs the transacting entity to intentionally disclose personal information or intentionally interact with one or more third parties.
2. The transacting entity uses or shares an identifier for a consumer who has opted out of the sharing of the consumer's personal information or limited the use of the consumer's sensitive personal information for the purposes of alerting persons that the consumer has opted out of the sharing of the consumer's personal information or limited the use of the consumer's personal information.
3. The transacting entity transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the transacting entity, provided that information is used or shared consistently with this title.  If a third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to the consumer.  The notice shall be sufficiently prominent and robust to ensure that existing consumers can easily exercise their choices consistently with this title.