Washington - Data Protection Overview
The Constitution of the State of Washington ('the Constitution') explicitly recognises an individual's right to privacy and states under Article 1 §7: 'No person shall be disturbed in his private affairs, or his home invaded, without authority of law.' Courts have held that this section of the Constitution affords greater protection and is broader than the Fourth Amendment to the Constitution of the United States1. In addition to this constitutional right, the Washington State Supreme Court has affirmed that a common law right of privacy exists and that individuals may bring a cause of action for invasion of that right2. There are four common law invasion of privacy claims recognised in Washington:
- intrusion upon solitude or seclusion;
- public disclosure of private facts;
- publicity which places a person in a false light in the public eye; and
- appropriation of one's name or likeness.
1.1. Intrusion upon solitude or seclusion
The tort of intrusion is based on the intentional interference with the private affairs of an individual, in such a manner that would be highly offensive to a reasonable person. The invasion need not be physical; for instance, tapping a phone line or peering into a private dwelling using binoculars could be grounds for an intrusion claim. To state a claim for intrusion upon solitude or seclusion, a plaintiff must establish that:
- the defendant deliberately intruded, physically or otherwise;
- into the plaintiff's solitude, seclusion, or private affairs or concerns;
- in a manner that would be highly offensive to a reasonable person3.
1.2. Public disclosure of private facts
The tort of public disclosure allows an individual to sue if highly sensitive information about him or her has been disclosed without his or her authorisation. To state a claim, a plaintiff must establish that:
- there has been a publication or disclosure about his or her private affairs; and
- the matter publicised would be highly offensive to a reasonable person4.
Note that there are some important limitations to this tort. First, the disclosure of private facts must be public, meaning that a disclosure of information to a small group of individuals, or legitimately interested parties, will not suffice. For example, in Mayer v. Huesner5 a court held a patient waived his/her privacy interest in medical records by pursuing a workers' compensation claim, and such disclosure was "internal and private, not public." Second, the disclosure must involve private facts that would cause a reasonable person to be offended or embarrassed if such information were similarly disclosed about him or her. A plaintiff will not successfully prevail on a claim of public disclosure if he or she has unusual sensitivities and the exposure of the information would not offend a reasonable person. For example, in Adams v. King County, the court held that the plaintiff's claim of publication of private matter failed where the dissemination of information concerning the body of the plaintiff's son did not rise to a highly offensive level6.
1.3. False light privacy
The tort of false light is similar to the tort of defamation, in that it protects people who have been cast in a false light in the public eye. However, unlike a defamation action, where a plaintiff could be compensated for damages to his or her reputation, the tort of false light speaks more to the peace of mind of an individual than to his or her reputation with the broader community7. Plaintiffs that prevail on false light claims are allowed to recover damages for injured feelings and mental suffering. To prevail on a false light claim, a plaintiff must demonstrate that:
- there was a public disclosure that put the plaintiff in a false light;
- with convincing clarity, the plaintiff was the person about whom the publication was made;
- the false light would be highly offensive to a reasonable person; and
- the defendant knew of, or recklessly disregarded, the falsity of the publication and the false light in which the plaintiff was represented8.
1.4. Appropriation of one's name or likeness
The tort of appropriation involves the use of an individual's name or appearance, in a commercial context, without permission. It is similar to the 'right of publicity,' which protects the names and identities of celebrities and other notable persons. To be liable for the tort of appropriation, a defendant must have:
- appropriated the reputation, prestige or social or commercial standing of a plaintiff's name or likeness; and
- done so without the plaintiff's authorisation9.
Monetary gain by the defendant is not necessary for the plaintiff to prevail on this claim.
Washington State has enacted a number of laws that safeguard personal information and an individual's right to privacy. Recently, there has also been proposed legislation which would strengthen privacy rights for individuals in Washington. In particular, much attention was given to the failed Washington Privacy Act (Senate Bill 6281) ('the Bill'), which would have imposed requirements similar to those of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') on businesses, including obligations to provide meaningful privacy notices about their data practices and to honour consumer rights requests (including but not limited to access, rectification and deletion requests) from Washington state residents. The Bill also included special regulations related to the development of facial recognition software. The Bill advanced farther in 2020 than its 2019 predecessor; however, the State legislature ultimately failed to reach a compromise between the version passed by the Washington Senate and the version passed by the Washington House of Representatives.
2.1. The Privacy Act
Chapter 9.73 of the Revised Code of Washington ('RCW') ('the Privacy Act') addresses the right to privacy in communications, including letters sent and received and the right to be free from having conversations intercepted, recorded or divulged, in the absence of a court order. Washington courts have noted that the Washington State Legislature's primary purpose in enacting this statute was to protect the privacy of individuals and that this statute broadly protects individuals' privacy rights, more so than most other electronic surveillance laws10.
§030 of the Privacy Act makes it unlawful to intercept, record or divulge private communications, transmitted by telephone, telegraph, radio or other device, without first obtaining the consent of all participants in the conversation, unless an exception applies (e.g. in the event of an emergency, such as a fire, crime or natural disaster). The Privacy Act further specifies that where consent is needed, it shall be considered to have been obtained where one party announces to all the other parties engaged in the communication or conversation, in a reasonably effective manner, that such communication or conversation is about to be recorded or transmitted.
§050 of the Privacy Act addresses the admissibility of intercepted communications in evidence and states that information obtained in violation of §030 of the Privacy Act shall be inadmissible in any civil or criminal case, unless an exception applies11.
Violations of §030 of the Privacy Act are gross misdemeanours. In addition, any person who violates the Privacy Act could be subject to legal action for damages and liable for actual damages, including mental pain and suffering endured by the plaintiff, or liquidated damages computed at the rate of $100 per day for each violation, not to exceed $1,000, and reasonable attorney's fees and other costs of litigation pursuant to §060 of the Privacy Act.
2.2. Electronic impersonation and invasion of privacy
§4.24.790 of the RCW makes it unlawful to impersonate another person online. 'Impersonation' is defined as 'using an actual person's name or likeness to create an impersonation that another person would reasonably believe or did reasonably believe was or is the actual person being impersonated' (§4.24.790(1)(c) of the RCW). A person may be liable in a civil action based on a claim of invasion of privacy when:
- he or she intentionally impersonates another;
- the individual who was impersonated did not consent to the impersonation;
- the impersonator intended to deceive or mislead for the purpose of harassing, threatening, intimidating, humiliating or defrauding another; and
- the impersonation proximately caused injury to the impersonated individual (injury is broadly defined to include injury to reputation or humiliation, injury to professional or financial standing or physical harm).
A court may also award the prevailing party costs and reasonable attorneys' fees.
There are several exemptions to §4.24.790 of the RCW. For example, it does not apply if the impersonation occurs in the context of art, commentary, satire or parody, or for other matters that are considered cultural, historical, political, religious, educational, or newsworthy in nature (§4.24.790(4) of the RCW).
2.3. Unauthorised transmission of software
§19.270.020 of the RCW is Washington State's spyware act. It makes it unlawful for a person to transmit, or procure the transmission of, software to a computer without the consent and actual knowledge of its owner or operator, where that software, among other things, collects personally identifiable information through the use of a keystroke-logging function or by extracting the information from the owner or operator's hard drive. An individual who violates this act may be liable for actual damages or $100,000 per violation, whichever is greater. A court may increase the damages amount by up to three times the actual damages, if the defendant has engaged in a pattern and practice of violating this law. The court may also award costs and reasonable attorneys' fees to the prevailing party. The amount of damages awarded by the court for violations of this act may not exceed $2,000,000.
There are several statutes in Washington that address the privacy and security of health information; however, the most significant is the Uniform Health Care Information Act (Chapter 70.02 of the RCW) ('the Health Act'), which the Legislature adopted in 1991. Since then, the Health Act has been amended several times to be more consistent with the federal Health Insurance Portability and Accountability Act of 1996 ('HIPAA').
The Health Act restricts the unauthorised dissemination of 'health care information,' which means information, whether oral or recorded, that identifies a patient or could be readily associated with the identity of a patient and which directly relates to the patient's health care, including charts, reports, correspondence, diagnostic studies, documents, x-rays, tissue and specimen slides and photographs. Health care information also includes any required accounting of disclosures of health care information. Subject to very limited exceptions, health care information cannot be released without a patient's written authorisation.
The Health Act also provides patients with a right to access and make copies of their medical records and it places limitations around fees health care providers can charge for complying with these requests.
In addition, the Health Act requires health care providers to adopt reasonable safeguards to secure health care information and imposes an obligation on providers to display a 'Notice of Information Practices' in a conspicuous place, to ensure that their patients are informed about the providers' information practices. The Health Act requires including language along the lines of the following in the notice:
"We keep a record of the health care services we provide you. You may ask us to see and copy that record. You may also ask us to correct the record. We will not disclose your record to others unless you direct us to do so or unless the law authorizes or compels us to do so. You may see your record or get more information about it at _______________."
There is a two-year statute of limitations period on any legal action against a health care provider for failure to comply with the Health Act after the cause of action is discovered. If an action is brought against a health care provider or facility, a court may award actual damages in addition to reasonable attorneys' fees and other expenses. In addition to the remedies specifically provided for in the Health Act, a plaintiff may also have a common law claim for an invasion of privacy discussed above.
Washington has a number of statutes that apply to the treatment and protection of financial information, including credit card and payment information. §9A.56.290 of the RCW makes it unlawful to use a scanning device to access, read, obtain, memorise, or store information encoded on a payment card without the permission of the authorised cardholder, or with the intent to defraud the authorised user, another person, or a financial institution. Violations of this statute are considered a class C felony, and second or subsequent violations are a class B felony.
§19.255.020 of the RCW, which is part of the State's breach notification law, imposes affirmative obligations on individuals, partnerships, corporations, associations, organisations, government entities and any other legal or commercial entity to take reasonable measures when processing payment information. If a processor or business fails to take reasonable care to guard against unauthorised access to such information in its possession or control, and such failure is found to be the proximate cause of a security breach, the processor or business is liable to a financial institution for reimbursement of reasonable actual costs related to the reissuance of credit cards and debit cards. The Legislature drafted this provision in part to encourage financial institutions to reissue credit and debit cards to consumers when appropriate to reduce the incidence of identity theft and associated costs to consumers.
The Washington Administrative Code ('WAC') also imposes obligations that relate to financial information. Under the WAC, covered entities have an obligation to provide clear and conspicuous notice to consumers and customers that reflects their privacy policies and information practices (see §284-04-200 of the WAC). A 'consumer' is defined as 'an individual who seeks to obtain, obtains or has obtained an insurance product or service from a licensee that is to be used primarily for personal, family or household purposes and about whom the licensee has nonpublic personal information' (§284-04-120(6) of the WAC). A 'customer' is defined as 'a consumer who has a customer relationship with a licensee' (§284-04-120(9) of the WAC). 'Nonpublic personal financial information' means personally identifiable financial information and any list, description or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available (§284-04-120(22)(a) of the WAC).
Chapter 284-04 of the WAC also restricts how covered entities can disclose nonpublic personal financial information. By statute, licensees may not disclose nonpublic personal financial information about a consumer to a nonaffiliated third party unless they have provided an initial notice and opt-out notice to the consumer, and the consumer does not opt-out after being given reasonable opportunity (§284-04-300 of the WAC). Reasonable opportunity to opt-out includes providing the consumer with a form they can mail in, a toll-free number they can call, or other reasonable ways that they can provide notice thirty days from the date they received notice (§284-04-300 of the WAC). In the case of an isolated transaction, such as providing an insurance quote, the consumer must be given the opportunity to opt-out during the transaction, and must opt-out before the transaction is complete (§284-04-300 of the WAC). A consumer can also be given the option to partially opt-out, by selecting certain non-public information that they do not want disclosed. Consumers must be provided with such notice even if a customer relationship is never formed with the provider.
If a provider receives nonpublic personal financial information from a non-affiliated financial institution, they may disclose the information only to their affiliates, the affiliates of the financial institution from where they received the information and to any other person that the information could be lawfully disclosed to directly by the financial institution from where the provider received the information (§284-04-305 of the WAC).
In addition to nonpublic financial information, a provider is also prohibited from disclosing a consumer's policy number (or related account number) to any non-affiliated third party for their use in marketing (§284-04-310 of the WAC). A provider can disclose such policy information to their own service provider, for marketing purposes, as long as the service provider is not authorised to directly initiate charges to the account (§284-04-310 of the WAC). A provider can also disclose such policy information to an affinity or similar programme, if it was previously identified to the customer when they entered into the programme (§284-04-310 of the WAC).
If a consumer chooses not to grant authorisation for or to opt-out from disclosure of their nonpublic financial information, the provider is prohibited from thereby discriminating against them (§284-04-605 of the WAC).
There are a number of exceptions where providers can disclose nonpublic financial information without consent, such as to process a transaction on behalf of the consumer, for fraud prevention purposes or to respond to a properly authorised subpoena.
Violation of the above is deemed an unfair method of competition or an unfair or deceptive act and practice in Washington (§284-04-610 of the WAC).
The statute also imposes breach notification requirements in the event of a security incident. In the event of a security breach, a licensee must notify the Office of the Insurance Commissioner, in writing, within two business days, about the number of affected or potentially affected customers, after determining notification must be sent to consumers (§284-04-625 of the WAC). Failure to provide notice of a security breach is deemed an unfair practice (§284-04-625 of the WAC).
In §9.35.001 of the RCW, the Legislature made clear that financial information is personal and sensitive information, such that unlawful possession or use of it by others may result in a significant harm to one's privacy interest. The Legislature also acted with the intent of protecting seniors and vulnerable individuals from identity theft. Under this statute, 'financial information' is defined as including account numbers and balances, transaction account information, codes, passwords, social security numbers, tax identification numbers, driver's license or permit numbers, state Identicard numbers, and other information held for the purpose of accessing an account or initiating a transaction (§9.35.005 of RCW).
§9.95.010 of RCW makes it a crime to obtain a person's financial information by knowingly making a false statement or knowingly providing a forged or counterfeit document to obtain such information. In determining the appropriate penalty for violation of this statute, the Legislature stated that each individual unlawful use is a separate unit of prosecution for each victim and for each act of obtaining or possessing the information (§3.93.001 of RCW). Violation results in a class C felony. Violators are also liable for $500, or actual damages, whichever is greater, plus attorney's fees (§9.95.010 of RCW).
§9.35.020 of RCW prohibits possession or use of another's financial information to commit a crime. Identity theft in the first degree occurs when the accused obtains credit, money or goods in excess of $1,500 in value, or knowingly targets a senior or vulnerable individual. Additionally, any consumer fraud that targets any senior or vulnerable individual is subject to civil penalties of three times the amount of actual damages (§9.35.060 of RCW). Identity theft in the first degree is a class B felony. Identity theft in the second degree is a violation that does not rise to the level of first degree identity theft. Second degree identity theft is a class C felony. A defendant can be convicted of identity theft as well as the crime they intended to commit without violating double jeopardy. In State of Washington v. Michael Darrel Miliam, the court held that convictions of both second-degree theft and second-degree identity theft did not violate the prohibition against double jeopardy12.
It is also a misdemeanour to use another's financial information to solicit undesired mail, 'with the intent to annoy, harass, intimidate, torment, or embarrass that person' (§9.35.030 of RCW). Violators are also subject to civil damages of $500 or actual damages, whichever is greater, plus attorney's fees.
In Washington, employees have a right to examine all personnel files kept by their employer. This does not include records relating to the investigation of a possible criminal offence or records compiled in preparation for an impending lawsuit (§49.12.260 of RCW). At least annually, upon the request of the employee, the employer must allow them to inspect their own personnel files (§49.12.240 of RCW). An employee can also file a rebuttal or correction to any of the information in the file, and if the employer agrees such information is incorrect they must remove it (§49.12.250 of RCW). An employee retains this right for two years after their employment ends (§49.12.250 of RCW).
Employers in Washington are allowed to monitor employees with television cameras or video tapes in both public and work areas; however, it is advisable for employers to tell employees that they are being monitored. It is also lawful for employers to use computers to monitor an employee's performance, but the employer should explain their ability and intention to do so ahead of time to the employee to avoid any claims of invasion of privacy.
Although it remains unsettled law, it could be argued that an employee's personal email has privacy protection under the federal Electronic Communications Privacy Act of 1986, which prohibits the intentional interception of electronic communications (see 18 U.S.C. §2511). In Sprague v. Spokane Valley Fire Department, the plaintiff firefighter brought suit due to the defendant fire department allegedly firing him for including religious comments in emails sent through the department's computer systems13. The Washington State Supreme Court held that the department's policy restricting the use of the email system to departmental business was reasonable; however, the court held that the plaintiff met the initial burden of establishing that the restrictions on what he could send using the department's computer systems violated his First Amendment rights14. Thus, employers should have in place a clear policy regarding email use, reserve the right to monitor employees' email messages, and require employees to sign and acknowledge receipt of such policy.
It is illegal for an employer to intercept, record or transmit any private communications by employees, without their prior consent, although an employer may monitor the numbers dialled by employees, in order to monitor unauthorised phone use. Where an employer desires to monitor calls or observe employee performance, they should advise employees in advance that they will be doing so, in addition to notifying customers of this practice at the beginning of the call.
When it comes to social media and networking, an employer cannot request or require an employee or applicant to (§49.44.200 of the RCW):
- disclose their login information;
- access the account in the presence of the employer;
- add a person (including the employer) to the employee's list of contacts; or
- alter the third-party settings of their profile, so that their profile may be more easily viewed by the employer.
Similarly, an employer cannot take any adverse action against an employee or applicant because they refuse to take one of the previous actions (§49.44.200 of the RCW). Additionally, an employer who inadvertently obtains an employee's social networking login is prohibited from using it to access the employee's social networking account, although the employer is not liable for possessing such information alone (§49.44.200 of the RCW).
An employer can request or require that an employee share content from their social networking account if such a request is made in the context of conducting an investigation in response to information about the employee's social networking activity (§49.44.200 of the RCW). The purpose of the investigation must be to ensure compliance with the laws and against employee misconduct or investigate the employee's unauthorised use of the employer's confidential or proprietary information on their social networking profile (§49.44.200 of the RCW). During the investigation, such information cannot be obtained from the employee by them being forced to surrender their login information, and the law does not obligate employees to divulge information even in these limited scenarios (§49.44.200 of the RCW).
An employer can also request or require an employee to disclose their login information where the account was provided by virtue of the employment relationship or where the device or account was paid for or supplied by the employer (§49.44.200 of the RCW).
Employees have a private right of action against an employer that violates the above described statute, and may bring a civil action against the employer (§49.44.205 of the RCW). The court may award injunctive relief, actual damages, or penalty in the amount of $500, in addition to reasonable expenses and attorneys' fees (§49.44.205 of the RCW).
There are no laws in Washington State that provide for special protections of children's privacy online. However, the federal Children's Online Privacy Protection Act of 1998 does apply in Washington and imposes certain requirements on internet service providers and operators of websites to safeguard the privacy of children under the age of 13.
§19.190.020 of the RCW prohibits sending a commercial electronic message that contains false or misleading information in the subject line or that misrepresents any identifying information, from a computer located in Washington or to an electronic address the sender knows or has reason to know is that of a Washington resident. Sending a commercial text message to a Washington resident is also prohibited, under §19.190.060 of the RCW, although cellular providers that merely serve as an intermediary are exempt (§19.190.070 of the RCW). Additionally, an interactive service provider cannot be held liable for voluntarily, and in good faith, blocking any messages it reasonably believes are or will be sent in violation of this statute (§19.190.050 of the RCW).
A recipient of such an email or text message, sent in violation of this statute, can receive damages of the greater of $500, or actual damages (§19.190.040 of the RCW). An interactive computer service that is damaged under this statute can receive the greater of $1,000 or actual damages (§19.190.040 of the RCW).
In State v. Heckel, Washington's Attorney General ('AG') filed suit against an Oregon resident for violation of Chapter 19.190 of the RCW, which, as described above, prohibits misrepresentation in unsolicited commercial emails sent from a computer in Washington or to a Washington resident15. The defendant argued that the State failed to prove that he knew or had reason to know his email was directed to a Washington resident16. The court held that actual knowledge is imputed if residency information is available from the domain name registrant, and noted that the statute does not state what evidence is sufficient to demonstrate 'reason to know'17. The State proved the defendant's knowledge through showing that some of the recipients were listed at the website of the Washington Association of Internet Service Providers, where Washington residents who do not want to receive spam can register18. Ultimately, the court held that summary judgment for the State was proper19.
Washington State also regulates telephone solicitations, which includes calls made by non-profits, calls for polling or soliciting the expression of ideas, and calls to business contacts (RCW 80.36.390). If, at any time during the call, the party asks to not be called again, the person making the call must not call again for at least one year or give out the party's name or phone number to another company or organisation (apart from returning their information to the company it came from) (§80.36.390 of the RCW).
The AG is permitted to bring enforcement actions with regard to this statute, although a company's first violation will consist of a warning letter (§80.36.390 of the RCW). An aggrieved party may also bring a civil action in superior court to both prevent future violations and to recover damages, including attorneys' fees and costs (§80.36.390 of the RCW).
Due to the widespread practice of fraudulent commercial telephone solicitation, the Legislature enacted commercial telephone solicitation provisions into law (see §19.158 of the RCW). This statute describes certain requirements telephone solicitors must meet. For example, the solicitor must, within the first minute of a call, tell the recipient the name of the company on whose behalf the solicitation is being made, the identity of the caller, and the product being sold (§19.158.110 of the RCW). Solicitors must also terminate the call within ten seconds if the purchaser indicates they do not wish to continue the conversation, and agree to not contact the consumer again for at least one year, if the consumer so requests.
For the purposes of this statute, a commercial telephone solicitation means any unsolicited call by a salesperson for the purpose of inducing a purchase or investment (§19.158.020 of the RCW). This includes giving a free gift or award to a potential purchaser, or other communication that misrepresents the price, quality or availability of a good, invites a response, and is followed by a call by a salesperson (§19.158.020 of the RCW). Any person who engages in these activities is considered a commercial telephone solicitor (§19.158.020 of the RCW). A commercial telephone solicitor does not include an isolated transaction that is not part of a pattern of repeated transactions, and a call for non-commercial purposes (§19.158.020 of the RCW).
Regardless of where they are located, a commercial telephone solicitor must register with the department of licensing if they wish to do business in (i.e. make calls to) Washington, or if they are to maintain or defend a lawsuit (§19.158.050 of the RCW). A salesperson that solicits on behalf of an unregistered company will be guilty of a misdemeanour (§19.158.150 of the RCW).
Anyone who knowingly violates this statute will be guilty of a misdemeanour if the value of the transaction made in violation was less than $50 (§19.158.160 of the RCW). If the value of the transaction was more than $50, the violator will be guilty of a gross misdemeanour (§19.158.160 of the RCW). If the value of the transaction is $250 or more, the violator will be guilty of a class C felony (§19.158.160 of the RCW). If multiple violations are made, they may be aggregated into one transaction and sum, for the purpose of determining whether they are to be punished as a class C felony or gross misdemeanour (§19.158.160 of the RCW).
A violation of this statute is deemed an unfair or deceptive act under the Consumer Protection Act (Chapter 19.86 of the RCW) (§19.158.030 of the RCW). An injured party may bring an action to recover actual damages, including court costs and attorneys' fees (§19.158.130 of the RCW). Additionally, a civil penalty of $500 to $2,000 will be imposed by the court for each violation (§19.158.140 of the RCW). The director of the department of licensing may also take disciplinary action (§19.158.040 of the RCW).
There is no Washington state statute requiring the posting of privacy notices or policies on a website. However, §40.26.020 of the RCW requires that an agency that collects biometric identifiers address those identifiers in the agency's privacy policies. Additionally, businesses with an online presence should ensure they are complying with other state and federal statutes that regulate online privacy policies, such as Chapter 22, Division 8 of the Business and Professions Code, referred to as the 'California Online Privacy Protection Act', and the federal Children’s Online Privacy Protection Act of 1998, the Gramm-Leach-Bliley Act of 1999 and Section 5 of the Federal Trade Commission Act of 1914.
Washington has enacted a statute to address the disposal of personal information, and to ensure the security and confidentiality of personal information during the disposal process, due to the Legislature's finding that careless disposal can pose a significant threat of identity theft (§19.215.005 of the RCW).
Under this statute, personal financial and health information is defined as 'information that is identifiable to an individual and that is commonly used for financial or health care purposes, including account numbers, access codes or passwords, information gathered for account security purposes, credit card numbers, information held for the purpose of account access or transaction initiation, or information that relates to medical history or status' (§19.215.010 of the RCW). Destroying personal information is defined as 'shredding, erasing, or otherwise modifying personal information in records to make the personal information unreadable or undecipherable through any reasonable means' (§19.215.010 of the RCW).
An individual who believes he or she may have been harmed due to improper data disposal may petition the court for damages or an injunction (§19.215.020 of the RCW). A company is responsible for taking all reasonable steps to destroy personal financial and health information (§19.215.020 of the RCW). If the failure to do so is due to negligence, the court may award a penalty of $200 or actual damages, whichever is greater, plus costs and reasonable attorneys' fees (§19.215.020 of the RCW). If the failure to do so is wilful, the court may award the greater of $600 or treble damages, although treble damages are capped at $10,000 (§19.215.020 of the RCW). In addition to an individual right of action, this statute also allows the AG to bring a civil action on behalf of the State for damages, injunctive relief, or both, and the court may award the same damages available to an individual plaintiff (§19.215.020 of the RCW).
10.1. Biometric data
Washington is one of the few states in the country that has enacted a law to safeguard biometric information. Chapter 19.375 of the RCW ('the Biometric Law') applies to 'biometric identifiers,' which are defined as 'data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual' (§19.375.010(1) of the RCW). The Biometric Law goes on to specifically exclude 'a physical or digital photograph, video or audio recording or data generated therefrom, or information collected, used, or stored for health care treatment, payment or operations' from the definition of biometric identifiers (§19.375.010(1) of the RCW).
The Biometric Law prohibits enrolling a biometric identifier in a database for commercial purposes, without first:
- providing notice;
- obtaining consent; or
- providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose.
'Enroll' means 'to capture a biometric identifier of an individual, convert it into a reference template that cannot be reconstructed into the original output image, and store it in a database that matches the biometric identifier to a specific individual' (§19.375.010(5) of the RCW).
The Biometric Law further prohibits disclosure of biometric data to a third party for a commercial purpose without notice and consent and adequate security as required under the statute, or an applicable exception (e.g. disclosure is necessary to provide/facilitate the requested product or service or financial transaction, litigation, judicial process, required by law, or to a third party who promises not to further disclose or enroll for purposes inconsistent with consent and otherwise complies with the statute) (§19.375.020(3) of the RCW).
Biometric identifiers must be secured using reasonable safeguards and kept only as long as necessary to provide services requested, comply with the law, or protect against claims or other liability (§19.375.020(4) of the RCW).
10.2. Facial recognition services
In March 2020, Washington enacted a law to regulate the use of facial recognition services by state and local government agencies, which will come into effect as of 1 July 2020 under Engrossed Substitute Senate Bill 6280 ('SB 6280') (RCW chapter forthcoming). SB 6280 highlights that the use of facial recognition services presents civil liberties risks, and the legislature sought to limit government agencies' use of these technologies, including prohibiting their use for on-going surveillance, real-time identification, or persistent tracking without the use of a warrant, exigent circumstances, or a court order to locate a missing person (Section 11 of SB 6280).
Although most of the obligations in SB 6280 fall on government agencies using facial recognition services, there are also implications for companies that produce and provide these services. SB 6280 requires that 'accountability reports' be published by government agencies that wish to use the services, which must include information about the vendors providing facial recognition services, including, but not limited to, the vendor's name, a description of the service, the data collected and processed by the service, and a description of the vendor's security breach notification practices (Section 3 of SB 6280). Further, providers of facial recognition services must make available to government agencies the ability to conduct independent testing of the services for accuracy and bias (Section 6 of SB 6280).
Efforts to directly regulate companies that produce and provide facial recognition services were considered by the Washington State legislature in 2020 but failed to pass, including a section that would have addressed this in the failed Washington Privacy Act. This may be an area of additional legislative consideration in 2021.
- State v. Arreola, 176 Wash.2d 284, 291 (2012).
- See Reid v. Pierce County, 136 Wn.2d 195, 205, 961 P.2d 333 (1998).
- See Armijo v. Yakima HMA, LLC, No. 11-CV-3114-TOR, 2012 WL 2576624, at *2 (E.D. Wash. 3 July 2012).
- See Fisher v. State Department of Health, 125 Wn. App. 869, 106 P.3d 836 (Wash. Ct. App. 2005).
- Mayer v. Huesner, 126 Wash. App. 114, 122 P.3d 152 (2005).
- Adams v. King Cty., 164 Wash. 2d 640, 662, 192 P.3d 891, 902 (2008).
- See Brink v. Griffith, 65 Wash. 2d 253, 396 P.2d 793 (1964).
- See Eastwood v. Cascade Broad, 106 Wn.2d 466, 722 P.2d 1295 (Wash. 1986).
- See Washington Practice, Tort Law and Practice, §21:4, 4th ed.
- See State v. Williams, 94 Wn.2d 531, 543, 617 P.2d 1012 (1980); State v. Roden, 179 Wash.2d 893, 898, 321 P.3d 1183 (2014), holding that the act "is one of the most restrictive electronic surveillance laws ever promulgated."
- See State v. Faford, 128 Wn.2d 476, 910 P.2d 447 (1996) (en banc); State v. Townsend, 147 Wn.2d 666, 57 P.3d 255 (2002) (en banc); State v. Clark, 129 Wn.2d 211, 916 P.2d 384 (1996) (en banc).
- State of Washington v. Michael Darrel Miliam, 155 Wash.App. 365, 375 (2010).
- Sprague v. Spokane Valley Fire Department, 409 P.3d 160 (Wash. 2018).
- Sprague v. Spokane Valley Fire Department, at 167.
- State v. Heckel, 122 Wash. App. 60, 63 (2004).
- Ibid at 67.
- Ibid at 69.
- Ibid at 72.