Miller Nash LLP
What law(s) specifically govern personal data / information?
The Washington Constitution explicitly recognises privacy as a fundamental right. This principle underpins the state’s approach to data protection, particularly concerning sensitive categories of data, such as health information (see, e.g., My Health My Data Act, RCW § 19.373).
Washington has laws specifically dealing with data protection, which are set out in more detail below.
What are the key data protection principles in this jurisdiction?
Consumer Protection: The Washington State Consumer Protection Act (CPA) (RCW § 19.86) prohibits unlawful and unfair or deceptive acts or practices in trade or commerce.
Health Data Protections: The Washington My Health My Data Act (RCW § 19.373) enhances privacy protections for health-related information. It requires clear disclosures and consumer consent for the collection, sharing, and use of health data, prohibits the sale of such data without explicit authorisation, and grants individuals the right to delete their health data. It also restricts the use of geofencing around healthcare facilities to protect sensitive health information.
Duty to Protect: Companies that collect and store personally identifiable information (PII) and personal health information (PHI) have a duty to use reasonable care in collecting and storing that information, including taking reasonable steps to prevent unauthorised access to and disclosure of it (Nunley v. Chelan-Douglas Health Dist., 32 Wn. App. 2d 700).
Public Records and Data Breaches: The Washington Public Records Act (RCW § 42.56) mandates disclosure of data breaches by agencies handling personal data.
Criminal History Information: Under Washington law (RCW § 10.97.050), criminal history record information, including nonconviction data, is subject to strict limitations on dissemination by criminal justice agencies in Washington State. Such information can only be shared for specific purposes, such as research or compliance audits, and must adhere to agreements that restrict its use and further dissemination.
What is the supervisory authority / regulator in charge of data protection?
Washington Attorney General
Is there a requirement to register with a supervisory authority / regulator?
There is no general requirement for businesses or organisations in Washington State to be registered with the Attorney General or any other supervisory authority specifically for data protection compliance. However, there are certain specific obligations and registration requirements that may apply depending on the nature of the business or the type of data being handled. For example, commercial telephone solicitors (telemarketers) must register with the Washington Department of Licensing before conducting business in the state (RCW § 19.158.050).
Is there a requirement to notify the supervisory authority / regulator?
Yes, businesses that own or license personal information and experience a data breach affecting more than 500 Washington residents must notify the Attorney General within 30 days of discovering the breach. (RCW § 19.255.010).
Is it possible to register with / notify the supervisory authority / regulator online?
Yes, in the event of certain data breaches.
What are the key data subject rights under the data protection laws of this jurisdiction?
Consumer Protection Act (RCW § 19.86): declares unlawful any unfair or deceptive acts or practices in the conduct of any trade or commerce.
Data breach notification (RCW § 19.255.005 to 19.255.040 for private entities and RCW § 42.56.590 to 42.56.594 for public entities): A business must notify individuals of a “breach of the security of the system” (data breach) in the most expedient time possible, and no later than 30 days after the breach was discovered.
Destruction of information (RCW § 19.215.020(1)): Entities must take all reasonable steps to destroy personal financial and health information and personal identification numbers (such as SSN or driver’s license number) when the entity is disposing of records.
My Health My Data Act (RCW § 19.373): Restricts the collection or sharing of consumer health data, creates consumer rights over consumer health data, requires a specific and separate website privacy notice for consumer health data, requires a contract between controller and processor, and restricts geofencing around entities that provide in-person health care services.
Biometric privacy (RCW § 19.375.020): Notice and opt-out rights need to be provided for the collection of biometric identifiers. Consent must be obtained prior to selling, leasing, or disclosing a biometric identifier for a commercial purpose. GLBA- and HIPAA-covered entities are excluded.
Student User Privacy in Education Rights Act (SUPER Act) (RCW § 28A.604): Ed tech companies need to disclose the types of student personal information they collect and how they use and share student personal information. They also need to provide students or parents with rights of access and correction. Ed tech companies cannot sell student personal information or use or share it for targeted advertising. They need to have administrative, technological, and physical safeguards to protect student personal information.
Employee rights (RCW 49.44.200): An employer cannot require or request that an employee or a job applicant provide access to a personal social media account.
Unauthorised transmission of software (RCW § 19.270.020): It is unlawful to modify certain computer settings or software without a user’s authorisation and knowledge. It is unlawful to collect personally identifiable information through keystroke logging without a user’s authorisation and knowledge.
Radio-frequency identification (RFID) (RCW § 19.300.030): Unless an exception applies, a business cannot remotely read a device using radio frequency identification technology for commercial purposes unless it issued the RFID device.
Misrepresentation over the internet (RCW § 19.190.080): It is a violation to solicit, request, or take any action to induce a person to provide personally identifying information through a web page, email, or the internet by misrepresenting who you are.
Is there a requirement to appoint a data protection officer (or equivalent)?
No, none for private entities. Certain state agencies are required to designate privacy officers or similar roles to oversee data protection and privacy matters.
Do data protection / privacy impact assessments need to be carried out in certain circumstances?
No, but My Health My Data requires reasonable administrative, technical, and physical data security practices, which will likely require businesses to complete an assessment. Further, companies that collect and store personally identifiable information (PII) and personal health information (PHI) have a duty to use reasonable care in collecting and storing that information, including taking reasonable steps to prevent unauthorised access to and disclosure of it. This will likely require certain businesses to complete an assessment.
Does this jurisdiction have any specific data breach notification requirements?
Yes. Under RCW § 19.255.005 to § 19.255.040, a business must disclose a data breach to individuals and, if more than 500 Washington residents are impacted, to the Attorney General.
"Personal information" is defined as:
- (i) An individual's first name or first initial and last name in combination with any one or more of the following data elements:
  - Social security number;
  - Driver's license number or Washington identification card number;
  - Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account, or any other numbers or information that can be used to access a person's financial account;
  - Full date of birth;
  - Private key that is unique to an individual and that is used to authenticate or sign an electronic record;
  - Student, military, or passport identification number;
  - Health insurance policy number or health insurance identification number;
  - Any information about a consumer's medical history or mental or physical condition or about a health care professional's medical diagnosis or treatment of the consumer; or
What restrictions apply to the international transfer of personal data / information?
N/A
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
Washington’s data breach notification law covers Washington residents. Depending on the relationship between the individual and the business, the business may need to provide notification to the individual or to another business who will provide notification to the individual.
What rules specifically deal with marketing?
The Consumer Protection Act (RCW 19.86): makes unlawful any unfair or deceptive acts or practices in trade or commerce.
Telemarketing:
- Commercial telephone solicitors (telemarketers) must register with the Department of Licensing. (RCW 19.158.050).
- A telemarketer must identify the caller within the first 30 seconds of the telephone call and hang up upon request. A telemarketer must maintain a “do not call me again” list and, upon request, not sell or give contact information to another telemarketer. (RCW 19.158.110).
Spam email: Prohibition on misrepresenting the sender or the subject of the email. (RCW 19.190.020 and 19.190.030).
Do different rules apply to business-to-business and business-to-consumer marketing?
No.
What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?
Spam email: Prohibition on misrepresenting the sender or the subject of the email. (RCW § 19.190.020 and § 19.190.030).
What rules specifically deal with cookies?
N/A
What are the consequences of non-compliance with data protection laws (including marketing laws)?
Consumer Protection Act: The Attorney General can obtain civil penalties up to USD $7,500 per violation and enhanced penalties of USD $5,000 if the unlawful acts or practices targeted or impacted certain protected classes. The Attorney General can also recover attorney’s fees and restitution. (RCW § 19.86.080 and RCW § 19.86.140). There is a private right of action with a right to injunctive relief, recovery of actual damages, and reasonable attorney’s fees. Treble damages up to USD $25,000 may be recovered. (RCW § 19.86.090).
Data breach notification: Enforcement is by the Attorney General under the Consumer Protection Act. A consumer may institute a civil action to recover damages. (RCW § 19.255.040).
Destruction of information: If the failure to comply is due to negligence, an injured individual or the Attorney General may obtain a penalty of USD $200 or actual damages, whichever is greater, and attorneys’ fees. If the failure to comply is willful, an injured individual or the Attorney General may obtain a penalty of USD $600 or treble actual damages, whichever is greater, and attorneys’ fees. Treble damages are capped at USD $10,000. Individuals who think they may be injured can obtain injunctive relief. (RCW § 19.215.020).
My Health My Data Act: A violation of this act is a violation of the Consumer Protection Act. (RCW § 19.373.090).
Biometric privacy: Enforcement is by the Attorney General under the Consumer Protection Act. (RCW § 19.375.030).
Employee rights: An employee or job applicant can bring a civil action and obtain injunctive or equitable relief, actual damages, a USD $500 penalty, and attorneys’ fees. (RCW § 49.44.205).
Unauthorised transmission of software: The Attorney General or a provider of computer software or website owner who is adversely affected may obtain injunctive relief, recovery of actual damages or USD $100,000 per violation, whichever is greater, and attorneys’ fees. Treble damages may be obtained against repeat offenders. The total amount of damages is capped at USD $2 million. (RCW § 19.270.060).
RFID: A violation of this act is a violation of the Consumer Protection Act. (RCW § 19.300.030).
Misrepresentation over the internet: An injured person can bring a civil action to enjoin further violations and obtain up to USD $500 per violation or actual damages, whichever is greater. An injured business can enjoin further violations and obtain USD $5,000 per violation or actual damages, whichever is greater. An injured business can obtain treble damages against a repeat offender and attorneys’ fees. (RCW § 19.190.090).
Telemarketing: A violation of this act is a violation of the Consumer Protection Act. (RCW § 19.158.030). Civil penalties are between USD $500 and USD $2,000 per violation. (RCW § 19.158.140). For certain violations, telemarketers may also be subject to penalties based on the value of a transaction or criminal action. (RCW § 19.158.160).
Spam email: A violation of this act is a violation of the Consumer Protection Act. (RCW § 19.190.030). The recipient of spam can obtain USD $500 or actual damages, whichever is greater. (RCW § 19.190.040(1)). An ISP can obtain USD $1,000 or actual damages, whichever is greater. (RCW § 19.190.040(2)).
In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction without being located there?
Washington’s My Health My Data Act has a broad definition of consumer health data. It also contains a private right of action exercisable under the Consumer Protection Act (RCW § 19.373.100).
What upcoming data protection developments should multinational organisations be aware of?
N/A