Summary of Amended Bill: Definitions.
"Brokered personal information" means one or more of the computerized data elements about a
consumer, categorized or organized for dissemination to third parties, and includes name,
address, date and place of birth, and other information that would allow a reasonable person to
identify the consumer with reasonable certainty.
"Data broker" means a business that knowingly collects and sells or licenses to third parties the
brokered personal information of a consumer with whom the business does not have a direct
relationship.
Businesses that provide publicly available information via real-time or near real-time alert
services for health or safety purposes and collect and sell brokered personal information
incidental to those activities are not data brokers.
Requirements for data brokers.
Data brokers are required to register annually with the Chief Privacy Officer, pay a $250
registration fee, and provide certain information regarding their practices related to the
collection, storage or sale of brokered personal data, including whether the data brokers permit
consumers to opt out from data collection or sale of personal information.
Data brokers are required to develop, implement, and maintain a comprehensive information
security program that contains appropriate administrative, technical, and physical safeguards to
protect personally identifiable information. The security program must include certain features,
such as identification and assessment of reasonably foreseeable risks, ongoing employee
training, supervision of service providers, and regular monitoring to ensure proper operation.
The security program must also include specified computer system security elements, including
secure user authentication protocols, encryption of all files containing personally identifiable
information, and reasonable monitoring of systems for unauthorized access or use.
Brokered personal information may not be acquired through fraudulent means or for the purpose
of stalking, committing a fraud or engaging in unlawful discrimination.
Enforcement.
Violations of these provisions are enforceable solely by the Attorney General under the
Consumer Protection Act.
Failure to register and to provide required information is subject to a fine of up to $10,000 a year
and other penalties imposed by law.
Reports to the Legislature.
The Attorney General must review and consider additional legislative approaches to protecting
the data privacy of Washington consumers, and report its findings to the economic
development committees of the Legislature by January 1, 2020.
The Attorney General and the Chief Privacy Officer must submit a preliminary report concerning
the implementation of this bill to the economic development committees of the Legislature by
July 1, 2021.