Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Washington - Sectoral Privacy Overview
Back

Washington - Sectoral Privacy Overview

June 2022

1. RIGHT TO PRIVACY/ CONSTITUTIONAL PROTECTION 

The Constitution of the State of Washington ('the Constitution') explicitly recognises an individual's right to privacy and states under Article 1 §7:  'No person shall be disturbed in his private affairs, or his home invaded, without authority of law.' Courts have held that this Section of the Constitution affords greater protection and is broader than the Fourth Amendment to the Constitution of the United States (State v. Arreola, 176 Wash.2d 284, 291 (2012)). 

In addition to this constitutional right, the Washington State Supreme Court ('the Supreme Court') has affirmed that a common law right of privacy exists and that individuals may bring a cause of action for invasion of that right (see Reid v. Pierce County, 136 Wn.2d 195, 205, 961 P.2d 333 (1998)). There are four common law invasion of privacy claims recognised in Washington: 

  • intrusion upon solitude or seclusion;
  • public disclosure of private facts; 
  • publicity which places a person in a false light in the public eye; and 
  • appropriation of one's name or likeness.

Intrusion upon solitude or seclusion 

The tort of intrusion is based on the intentional interference with the private affairs of an individual, in such a manner that would be highly offensive to a reasonable person. The invasion need not be physical; for instance, tapping a phone line or peering into a private dwelling using binoculars could be grounds for an intrusion claim. To state a claim for intrusion upon solitude or seclusion, a plaintiff must establish that (see Armijo v. Yakima HMA, LLC, No. 11-CV-3114-TOR, 2012 WL 2576624, at *2 (E.D. Wash. 3 July 2012)):

  • the defendant deliberately intruded, physically or otherwise;
  • into the plaintiff's solitude, seclusion, or private affairs or concerns; and
  • in a manner that would be highly offensive to a reasonable person.

Public disclosure of private facts

The tort of public disclosure allows an individual to sue if highly sensitive information about them has been disclosed without their authorisation. To state a claim, a plaintiff must establish that (see Fisher v. State Department of Health, 125 Wn. App. 869, 106 P.3d 836 (Wash. Ct. App. 2005)):

  • there has been a publication or disclosure about their private affairs; and
  • the matter publicised would be highly offensive to a reasonable person.

Note that there are some important limitations to this tort. First, the disclosure of private facts must be public, meaning that a disclosure of information to a small group of individuals, or legitimately interested parties, will not suffice. For example, in Mayer v. Huesner a court held that a patient waived their privacy interest in medical records by pursuing a workers' compensation claim, and such disclosure was "internal and private, not public" (Mayer v. Huesner, 126 Wash. App. 114, 122 P.3d 152 (2005)). Second, the disclosure must involve private facts that would cause a reasonable person to be offended or embarrassed if such information were similarly disclosed about them. A plaintiff will not successfully prevail on a claim of public disclosure if they have unusual sensitivities, and the exposure of the information would not offend a reasonable person. For example, in Mark v. King Broad. Co., the court held that the plaintiff's claim of publication of private matter failed where a film portrayal of the plaintiff speaking on the phone would not offend a "person of ordinary sensitivities" (Adams v. King Cty., 164 Wash. 2d 640, 662, 192 P.3d 891, 902 (2008)).

False light privacy

The tort of false light is similar to the tort of defamation, in that it protects people who have been cast in a false light in the public eye. However, unlike a defamation action, where a plaintiff could be compensated for damages to their reputation, the tort of false light speaks more to the peace of mind of an individual than to their reputation with the broader community (see Brink v. Griffith, 65 Wash. 2d 253, 396 P.2d 793 (1964)). Plaintiffs that prevail on false light claims are allowed to recover damages for injured feelings and mental suffering. To prevail on a false light claim, a plaintiff must demonstrate that (Mark v. King Broad. Co., 27 Wash. App. 344, 356 (1980), aff'd sub nom. Mark v. Seattle Times, 96 Wash. 2d 473, 635 P.2d 1081 (1981)):

  • there was a public disclosure that put the plaintiff in a false light;
  • with convincing clarity, the plaintiff was the person about whom the publication was made;
  • the false light would be highly offensive to a reasonable person; and
  • the defendant knew of, or recklessly disregarded, the falsity of the publication and the false light in which the plaintiff was represented.

Appropriation of one's name or likeness

The tort of appropriation involves the use of an individual's name or appearance, in a commercial context, without permission. It is similar to the 'right of publicity', which protects the names and identities of celebrities and other notable persons. To be liable for the tort of appropriation, a defendant must have (see Washington Practice, Tort Law and Practice, §21:4, 4th ed.):

  • appropriated the reputation, prestige, or social or commercial standing of a plaintiff's name or likeness; and
  • without the plaintiff's authorisation. 

Monetary gain by the defendant is not necessary for the plaintiff to prevail on this claim.

2. KEY PRIVACY LAWS

Washington State has enacted a number of laws that safeguard personal information and an individual's right to privacy. Recently, there has also been proposed legislation that would strengthen privacy rights for individuals in Washington. In particular, much attention has been given to Senate Bill 5062 for the Washington Privacy Act ('the Bill'), which would impose General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') like requirements on businesses, including obligations to provide meaningful privacy notices about their data practices and to honour consumer rights requests (including but not limited to access, rectification, and deletion requests) from Washington State residents. The Bill also includes special regulations related to COVID-19 contact tracing and 'dark pattern' tracing technologies. While the Bill's 2020 predecessor failed when the Washington State Legislature ('the State Legislature') was unable to reach a compromise between the version passed by the Washington Senate and the version passed by the Washington House of Representatives, the 2021 Bill failed when the Washington House of Representatives was unable to pass a version of the Bill at all. However, the Bill was reintroduced by resolution in January 2022 and moved to the Rules White Sheet in February. The State Legislature also introduced another comprehensive bill, House Bill 1850 for the Washington Foundational Data Privacy Act, which is similar to recent privacy laws passed in Colorado and Virginia, though it also includes a private right of action. Time will tell whether Washington will finally enact its own privacy law.

The Privacy Act

The statute on violating the right to privacy ('the Privacy Act'), under Chapter 9.73 of Title 9 of the Revised Code of Washington ('RCW'), addresses the right to privacy in communications, including letters sent and received, and the right to be free from having conversations intercepted, recorded, or divulged in the absence of a court order. Washington courts have noted that the State Legislature's primary purpose in enacting this statute was to protect the privacy of individuals and that this statute broadly protects individuals' privacy rights, more so than most other electronic surveillance laws (see State v. Williams, 94 Wn.2d 531, 543, 617 P.2d 1012 (1980); State v. Roden, 179 Wash.2d 893, 898, 321 P.3d 1183 (2014), holding that the Privacy Act "is one of the most restrictive electronic surveillance laws ever promulgated").

§9.73.030 of the Privacy Act makes it unlawful to intercept, record, or divulge private communications, transmitted by telephone, telegraph, radio, or other device, without first obtaining the consent of all participants in the conversation, unless an exception applies (e.g. in the event of an emergency, such as a fire, crime, or natural disaster). The Privacy Act further specifies that, where consent is needed, it will be considered to have been obtained where one party announces to all the other parties engaged in the communication or conversation, in a reasonably effective manner, that such communication or conversation is about to be recorded or transmitted.

§9.73.050 of the Privacy Act addresses the admissibility of intercepted communications in evidence and states that information obtained in violation of §9.73.030 of the Privacy Act will be inadmissible in any civil or criminal case, unless an exception applies (see State v. Faford, 128 Wn.2d 476, 910 P.2d 447 (1996) (en banc); State v. Townsend, 147 Wn.2d 666, 57 P.3d 255 (2002) (en banc); State v. Clark, 129 Wn.2d 211, 916 P.2d 384 (1996) (en banc)).

Violations of §9.73.030 of the Privacy Act are gross misdemeanours. In addition, any person who violates the Privacy Act could be subject to legal action for damages and liable for actual damages, including mental pain and suffering endured by the plaintiff, or liquidated damages computed at the rate of $100 per day for each violation, not to exceed $1,000, and reasonable attorney's fees and other costs of litigation pursuant to §9.73.060 of the Privacy Act.

Electronic impersonation and invasion of privacy

§4.24.790 of Chapter 4.24 of Title 4 of the RCW makes it unlawful to impersonate another person online. 'Impersonation' is defined as 'using an actual person's name or likeness to create an impersonation that another person would reasonably believe or did reasonably believe was or is the actual person being impersonated' (RCW §4.24.790(1)(c)). A person may be liable in a civil action based on a claim of invasion of privacy when:

  • they intentionally impersonate another;
  • the individual who was impersonated did not consent to the impersonation;
  • the impersonator intended to deceive or mislead for the purpose of harassing, threatening, intimidating, humiliating, or defrauding another; and
  • the impersonation proximately caused injury to the impersonated individual (injury is broadly defined to include injury to reputation or humiliation, injury to professional or financial standing, or physical harm) - a court may also award the prevailing party costs and reasonable attorney's fees.

There are several exemptions to RCW §4.24.790. For example, it does not apply if the impersonation occurs in the context of art, commentary, satire, or parody or for other matters that are considered cultural, historical, political, religious, educational, or newsworthy in nature (RCW §4.24.790(4)).

Unauthorised transmission of software

§19.270.020 of Chapter 19.270 of Title 19 of the RCW is Washington State's spyware act and it makes it unlawful for a person to transmit, or procure the transmission of, software without the consent and actual knowledge of the owner or operator of the computer that the software, among other things, collects personally identifiable information through the use of a keystroke-logging function or by extracting the information from the owner or operator's hard drive.

An individual that violates this statute may be liable for actual damages or $100,000 per violation, whichever is greater. A court may increase the damages amount by up to three times the actual damages, if the defendant has engaged in a pattern and practice of violating this law. The court may also award costs and reasonable attorney's fees to the prevailing party. The amount of damages awarded by the court for violations of this may not exceed $2,000,000.

3. HEALTH DATA

There are several statutes in Washington that address the privacy and security of health information; however, the most significant is the Uniform Health Care Information Act ('the Health Act'), under Chapter 70.02 of Title 70 of the RCW, which the State Legislature adopted in 1991. Since then, the Health Act has been amended several times to be more consistent with the federal Health Insurance Portability and Accountability Act of 1996 ('HIPAA').

The Health Act restricts the unauthorised dissemination of 'health care information', which means information, whether oral or recorded, that identifies a patient or could be readily associated with the identity of a patient, and which directly relates to the patient's health care, including charts, reports, correspondence, diagnostic studies, documents, x-rays, tissue and specimen slides, and photographs. Health care information also includes any required accounting of disclosures of health care information. Subject to very limited exceptions, health care information cannot be released without a patient's written authorisation.

The Health Act also provides patients with a right to access and make copies of their medical records and it places limitations around fees health care providers can charge for complying with these requests.

In addition, the Health Act requires health care providers to adopt reasonable safeguards to secure health care information and imposes an obligation on providers to display a 'Notice of Information Practices' in a conspicuous place, to ensure that their patients are informed about the providers' information practices. The Health Act requires including language along the lines of the following in the notice:

"We keep a record of the health care services we provide you. You may ask us to see and copy that record. You may also ask us to correct the record. We will not disclose your record to others unless you direct us to do so or unless the law authorizes or compels us to do so. You may see your record or get more information about it at _______________."

There is a two-year statute of limitations period on any legal action against a health care provider for failure to comply with the Health Act after the cause of action is discovered. If an action is brought against a health care provider or facility, a court may award actual damages in addition to reasonable attorney's fees and other expenses. In addition to the remedies specifically provided for in the Health Act, a plaintiff may also have a common law claim for an invasion of privacy discussed above.

COVID-19 data

Washington was on the precipice of becoming one of the first states in the country to enact a law to safeguard COVID-19 health data collected by entities other than public health agencies, health care providers, and health care facilities. House Bill 1127 for an Act relating to protecting the privacy and security of COVID-19 health data ('the COVID-19 Bill'), which proposed privacy and security protections for COVID-19 health data, was delivered to Washington State Governor on 22 April 2021. The Governor ultimately vetoed the bill on 18 May 2021. The COVID-19 Bill would have imposed stringent requirements on the collection, use, disclosure, and deletion of data that is collected, used, or disclosed in connection with COVID-19 or the related public health response and that is linked to an individual or device ('COVID-19 health data').

The COVID-19 Bill would have required covered entities including service providers to obtain affirmative express consent prior to collecting, using, or disclosing COVID-19 health data. Covered entities would additionally have had to clearly and conspicuously display a privacy policy at or before the point of the collection of COVID-19 health data. Such privacy policy would have been required to describe the entity's retention and security policies for COVID-19 health data and the collection, use, and dissemination of such data.  

The COVID-19 Bill would have additionally barred collection, use, or disclosure of COVID-19 health data for any unauthorised or commercial purpose, including the training of machine-learning algorithms 'related to' commercial advertising.

All COVID-19 health data would have to have been deleted or rendered 'unlinkable' to an individual no later than 30 days after collection, unless otherwise required by federal law. Data would have been considered 'unlinkable' to an individual if it was impossible or demonstrably impracticable to be able to identify any individual from the data.

Finally, entities collecting, using, or disclosing the COVID-19 health data of at least 30,000 individuals over 60 calendar days would have been required to issue a public report at least once every 90 days. The public report would have been required to:

  • state the number of individuals whose COVID-19 health data the entity collected, used, or disclosed, to the extent practicable;
  • describe the categories and purposes of COVID-19 health data collected, used, or disclosed;
  • describe the categories of recipients of COVID-19 health data;
  • not contain any information that is linked or reasonably linkable to a specific individual or device or that may be used to identify or reidentify a specific individual or device; and
  • be provided to the Washington State Department of Health.

The public reporting requirement shall not have required any covered entity to maintain COVID-19 health data that it would not normally maintain or for longer than it would normally maintain it.

4. FINANCIAL DATA

Washington has a number of statutes that apply to the treatment and protection of financial information, including credit card and payment information. In particular, §9A.56.290 of Chapter 9A.56 of Title 9A of the RCW makes it unlawful to use a scanning device to access, read, obtain, memorise, or store information encoded on a payment card without the permission of the authorised cardholder, or with the intent to defraud the authorised user, another person, or a financial institution. Violations of this statute are considered a class C felony, and second or subsequent violations are a class B felony.

In addition, §19.255.020 of Chapter 19.255 of Title 19 of the RCW, which is part of the State's breach notification law, under §19.255.005 et seq. of Chapter 19.255 of Title 19 of the RCW, imposes affirmative obligations on individuals, partnerships, corporations, associations, organisations, government entities, and any other legal or commercial entity to take reasonable measures when processing payment information. If a processor or business fails to take reasonable care to guard against unauthorised access to such information in its possession or control, and such failure is found to be the proximate cause of a security breach, the processor or business is liable to a financial institution for reimbursement of reasonable actual costs related to the reissuance of credit cards and debit cards. The State Legislature drafted this provision in part to encourage financial institutions to reissue credit and debit cards to consumers when appropriate to reduce the incidence of identity theft and associated costs to consumers.

The Washington Administrative Code ('WAC') also imposes obligations that relate to financial information, specifically under §284-04-120 et seq. of Chapter 284-04 of Title 284 of the WAC. Under the WAC, covered entities have an obligation to provide clear and conspicuous notice to consumers and customers that reflects their privacy policies and information practices (see WAC §284-04-200). A 'consumer' is defined as 'an individual who seeks to obtain, obtains or has obtained an insurance product or service from a licensee that is to be used primarily for personal, family or household purposes and about whom the licensee has nonpublic personal information' (WAC §284-04-120(6)).  A 'customer' is defined as 'a consumer who has a customer relationship with a licensee' (WAC §284-04-120(9)). 'Nonpublic personal financial information' means personally identifiable financial information and any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available (WAC §284-04-120(22)(a)).

WAC Chapter 284-04 also restricts how covered entities can disclose non-public personal financial information. By statute, licensees may not disclose non-public personal financial information about a consumer to a nonaffiliated third party unless they have provided an initial notice and opt-out notice to the consumer, and the consumer does not opt-out after being given reasonable opportunity (WAC §284-04-300). Reasonable opportunity to opt-out includes providing the consumer with a form they can mail in, a toll-free number they can call, or other reasonable ways that they can provide notice 30 days from the date they received notice (WAC §284-04-300). In the case of an isolated transaction, such as providing an insurance quote, the consumer must be given the opportunity to opt-out during the transaction, and must opt-out before the transaction is complete (WAC §284-04-300). A consumer can also be given the option to partially opt-out, by selecting certain non-public information that they do not want disclosed. Consumers must be provided with such notice even if a customer relationship is never formed with the provider.

If a provider receives non-public personal financial information from a non-affiliated financial institution, they may disclose the information only to their affiliates, the affiliates of the financial institution from where they received the information and to any other person that the information could be lawfully disclosed to directly by the financial institution from where the provider received the information (WAC §284-04-305).

In addition to non-public financial information, a provider is also prohibited from disclosing a consumer's policy number (or related account number) to any non-affiliated third party for their use in marketing (WAC §284-04-310). A provider can disclose such policy information to their own service provider, for marketing purposes, as long as the service provider is not authorised to directly initiate charges to the account (WAC §284-04-310). A provider can also disclose such policy information to an affinity or similar program, if it was previously identified to the customer when they entered into the program (WAC §284-04-310).

If a consumer chooses not to grant authorisation for or to opt-out from disclosure of their non-public financial information, the provider is prohibited from thereby discriminating against them (WAC §284-04-605).

There are a number of exceptions where providers can disclose non-public financial information without consent, such as to process a transaction on behalf of the consumer, for fraud prevention purposes, or to respond to a properly authorised subpoena.

Violation of the above is deemed an unfair method of competition or an unfair or deceptive act and practice in Washington (WAC §284-04-610).

The statute also imposes breach notification requirements in the event of a security incident. In the event of a security breach, a licensee must notify the Office of the Insurance Commissioner, in writing, within two business days, about the number of affected or potentially affected customers, after determining notification must be sent to consumers (WAC §284-04-625). Failure to provide notice of a security breach is deemed an unfair practice (WAC §284-04-625).

The RCW also contains a statute on identity crimes, under §9.35.001 et seq. of Chapter 9.35 of Title 9 of the RCW. In RCW §9.35.001, the State Legislature made clear that financial information is personal and sensitive information, such that unlawful possession or use of it by others may result in a significant harm to one's privacy interest. The State Legislature also acted with the intent of protecting seniors and vulnerable individuals from identity theft. Under this statute, 'financial information' is defined as including account numbers and balances, transaction account information, codes, passwords, social security numbers, tax identification numbers, driver's license or permit numbers, state identity card numbers, and other information held for the purpose of accessing an account or initiating a transaction (RCW §9.35.005).

RCW §9.95.010 makes it a crime to obtain a person's financial information by knowingly making a false statement or knowingly providing a forged or counterfeit document to obtain such information. In determining the appropriate penalty for violation of this statute, the State Legislature stated that, each individual unlawful use is a separate unit of prosecution for each victim and for each act of obtaining or possessing the information (RCW §9.35.001). Violation results in a class C felony. Violators are also liable for $500, or actual damages, whichever is greater, plus attorney's fees (RCW §9.95.010).

RCW §9.35.020 prohibits possession or use of another's financial information to commit a crime. Identity theft in the first degree occurs when the accused obtains credit, money, or goods in excess of $1,500 in value, or knowingly targets a senior or vulnerable individual. Additionally, any consumer fraud that targets any senior or vulnerable individual is subject to civil penalties of three times the amount of actual damages (RCW §9.35.060). Identity theft in the first degree is a class B felony. Identity theft in the second degree is a violation that does not rise to the level of first degree identity theft. Second degree identity theft is a class C felony. A defendant can be convicted of identity theft as well as the crime they intended to commit without violating double jeopardy. In State of Washington v. Michael Darrel Miliam, the court held that convictions of both second-degree theft and second-degree identity theft did not violate the prohibition against double jeopardy (State of Washington v. Michael Darrel Miliam, 155 Wash.App. 365, 375 (2010)).

It is also a misdemeanour to use another's financial information to solicit undesired mail, 'with the intent to annoy, harass, intimidate, torment, or embarrass that person' (RCW §9.35.030). Violators are also subject to civil damages of $500 or actual damages, whichever is greater, plus attorney's fees.

5. EMPLOYMENT DATA

In Washington, under Chapter 49.12 of Title 49 of the RCW, employees have a right to examine all personnel files kept by their employer. This does not include records relating to the investigation of a possible criminal offence or records complied in preparation for an impending lawsuit (RCW §49.12.260). At least annually, upon the request of the employee, the employer must allow them to inspect their own personnel files (RCW §49.12.240). An employee can also file a rebuttal or correction to any of the information in the file, and if the employer agrees such information is incorrect, they must remove it (RCW §49.12.250). An employee retains this right for two years after their employment ends (RCW §49.12.250). A proposed bill in the State Legislature, Senate Bill 5130 regarding employee's rights concerning personnel files and disciplinary actions, which further defines what is included in a 'personnel file', would also grant employees a private right of action, without requiring employees to exhaust administrative remedies, to enforce this right. 

Employers in Washington are allowed to monitor employees with television cameras or video tapes in both public and work areas; however, it is advisable for employers to tell employees that they are being monitored. It is also lawful for employers to use computers to monitor an employee's performance, but the employer should explain their ability and intention to do so ahead of time to the employee to avoid any claims of invasion of privacy.

Although it remains unsettled law, it could be argued that an employee's personal email has privacy protection under the federal Electronic Communications Privacy Act of 1986, which prohibits the intentional interception of electronic communications (see 18 U.S.C. §2511). In Sprague v. Spokane Valley Fire Department, the plaintiff firefighter brought suit due to the defendant fire department allegedly firing them for including religious comments in emails sent through the department's computer systems (Sprague v. Spokane Valley Fire Department, 409 P.3d 160 (Wash. 2018)). The Supreme Court held that the department's policy restricting the use of the email system to departmental business was reasonable, however the Supreme Court held that the plaintiff met the initial burden of establishing that the restrictions on what they could send using the department's computer systems violated their First Amendment rights (Sprague v. Spokane Valley Fire Department, at 167). Thus, employers should have in place a clear policy regarding email use, and reserve the right to monitor employees' email messages, and require employees to sign and acknowledge receipt of such policy.

It is illegal for an employer to intercept, record or transmit any private communications by employees, without their prior consent, although an employer may monitor the numbers dialled by employees, in order to monitor unauthorised phone use. Where an employer desires to monitor calls or observe employee performance, they should advise employees in advance that they will be doing so, in addition to notifying customers of this practice at the beginning of the call.

Under Chapter 49.44 of Title 49 of the RCW, when it comes to social media and networking, an employer cannot request or require an employee or applicant to (RCW §49.44.200):

  • disclose their login information;
  • access the account in the presence of the employer;
  • add a person (including the employer) to the employee's list of contacts; or
  • alter the third-party settings of their profile, so that their profile may be more easily viewed by the employer.

Similarly, an employer cannot take any adverse action against an employee or applicant because they refuse to take one of the previous actions (RCW §49.44.200). Additionally, an employer who inadvertently obtains an employee's social networking login, is prohibited from using it to access the employee's social networking account, although not liable for possessing such information alone (RCW §49.44.200).

An employer can request or require that an employee share content from their social networking account if such a request is made in the context of conducting an investigation in response to information about the employee's social networking activity (RCW §49.44.200). The purpose of the investigation must be to ensure compliance with the laws and against employee misconduct or investigate the employee's unauthorised use of the employer's confidential or proprietary information on their social networking profile (RCW §49.44.200). During the investigation, such information cannot be obtained from the employee by them being forced to surrender their login information, and the law does not obligate employees to divulge information even in these limited scenarios (RCW §49.44.200).

An employer can also request or require an employee to disclose their login information where the account was provided by virtue of the employment relationship or where the device or account was paid for or supplied by the employer (RCW §49.44.200).

Employees have a private right of action against an employer that violates the above-described statute and may bring a civil action against the employer (RCW §49.44.205). The court may award injunctive relief, actual damages, or penalty in the amount of $500, in addition to reasonable expenses and attorney's fees (RCW §49.44.205).

6. ONLINE PRIVACY

There are no laws in Washington State that provide for special protections of children's privacy online. However, the federal Children's Online Privacy Protection Act of 1998 ('COPPA') does apply in Washington and imposes certain requirements on internet service providers and operators of websites to safeguard the privacy of children under the age of 13.

7. UNSOLICITED COMMERCIAL COMMUNICATIONS

Under the statute on commercial electronic mail, under §19.190.010 et seq. of Chapter 19.190 of Title 19 of the RCW, RCW §19.190.020 prohibits sending a commercial electronic message that contains false or misleading information in the subject line or that misrepresents any identifying information, from a computer located in Washington or to an electronic address the sender knows or has reason to know is that of a Washington resident. Sending a commercial text message to a Washington resident is also prohibited, under RCW §19.190.060, although cellular providers that merely serve as an intermediary are exempt (RCW §19.190.070). Additionally, an interactive service provider cannot be held liable for voluntarily, and in good faith, blocking any messages it reasonably believes are or will be sent in violation of this statute (RCW §19.190.050).

A recipient of such an email or text message, sent in violation of this statute, can receive damages of the greater of $500, or actual damages (RCW §19.190.040). An interactive computer service that is damaged under this statute can receive the greater of $1,000 or actual damages (RCW §19.190.040).

In State v. Heckel, Washington's Attorney General ('AG') filed suit against an Oregon resident for violation of RCW Chapter 19.190, which, as described above, prohibits misrepresentation in unsolicited commercial emails sent from a computer in Washington or to a Washington resident (State v. Heckel, 122 Wash. App. 60, 63 (2004)). The defendant argued that the State failed to prove that they knew or had reason to know their email was directed to a Washington resident (Ibid, at 67). The court held that actual knowledge is imputed if residency information is available from the domain name registrant, and noted that the statute does not state what evidence is sufficient to demonstrate 'reason to know' (Ibid). The State proved the defendant's knowledge through showing that some of the recipients were listed at the website of the Washington Association of Internet Service Providers, where Washington residents who do not want to receive spam can register (Ibid, at 69). Ultimately, the court held that summary judgment for the State was proper (Ibid, at 72).

The State Legislature has proposed a bill that would amend the statute to provide some clarity and strengthen the limitations of the statute, House Bill 1650 concerning commercial solicitation ('HB 1650'). The proposed bill includes newly defined terms like 'mobile device' and 'established business relationship', as well as slight changes to the definitions of 'automatic dialing and announcing device' and 'commercial solicitation' so that the statute is more applicable to current and future communication methods. Notably, the bill would also amend the applicability of and exclusions under the statute. One proposed change would prohibit the sending of a commercial electronic message of the like identified above to a person within the state of Washington, rather than to a Washington resident, with a rebuttable presumption that a number with a Washington state area code is within the state of Washington (see Section 5 of HB 1650). The bill also seeks to amend what activities are not considered to be violations of the statute. Namely, the bill includes an exception for such email or text messages sent by a person with an established business relationship with the recipient as well as clarifies the consent exception by requiring the consent to be in writing and, for consents provided electronically, by requiring clear, detailed disclosures about the text messages (see Section 6 of HB 1650). The bill also increases damages from $500 to $1,000 per violation, and limits fee-shifting to reward plaintiffs only. 

Washington State also regulates telephone solicitations under Chapter 80.36 of Title 36 of the RCW, which includes calls made by non-profits, calls for polling or soliciting the expression of ideas, and calls to business contacts (RCW §80.36.390). If, at any time during the call, the party asks to not be called again, the person making the call must not call again for at least one year or give out the party's name or phone number to another company or organisation (apart from returning their information to the company it came from) (RCW §80.36.390).

The AG is permitted to bring enforcement actions with regard to this statute, although a company's first violation will consist of a warning letter (RCW §80.36.390). An aggrieved party may also bring a civil action in superior court to both prevent future violations and to recover damages, including attorney's fees and costs (RCW §80.36.390).

Due to the widespread practice of fraudulent commercial telephone solicitation the State Legislature enacted commercial telephone solicitation provisions into law, under Chapter 19.158 of title 19 of the RCW. This statute describes certain requirements telephone solicitors must meet. For example, the solicitor must notify the recipient of a call, within the first minute of a call, with the name of the company who the solicitation is being made on behalf of, the identity of the caller, and the product being sold (RCW §19.158.110). Solicitors must also terminate the call within ten seconds if the purchaser indicates they do not wish to continue the conversation, and agree to not contact the consumer again for at least one year, if the consumer so requests.

For the purposes of this statue, a commercial telephone solicitation means any unsolicited call by a salesperson for the purpose of inducing a purchase or investment (RCW §19.158.020). This includes giving a free gift or award to a potential purchaser, or other communication that misrepresents the price, quality or availability of a good, invites a response, and is followed by a call by a salesperson (RCW §19.158.020). Any person who engages in these activities is considered a commercial telephone solicitor (RCW §19.158.020). A commercial telephone solicitor does not include an isolated transaction that is not part of a pattern of repeated transactions, and a call for non-commercial purposes (RCW §19.158.020).

Regardless of where they are located, a commercial telephone solicitor must register with the Washington State Department of Licensing ('the Department of Licensing') if they wish to do business in (i.e. make calls to) Washington, or if they are to maintain or defend a lawsuit (RCW §19.158.050). A salesperson that solicits on behalf of an unregistered company will be guilty of a misdemeanour (RCW §19.158.150).

Anyone who knowingly violates this statute will be guilty of a misdemeanour if the value of the transaction made in violation was less than $50 (RCW §19.158.160). If the value of the transaction was more than $50, the violator will be guilty of a gross misdemeanour (RCW §19.158.160). If the value of the transaction is $250 or more, the violator will be guilty of a class C felony (RCW §19.158.160). If multiple violations are made, they may be aggregated into one transaction and sum, for the purpose of determining whether they are to be punished as a class C felony or gross misdemeanour (RCW §19.158.160).

A violation of this statute is deemed an unfair or deceptive act under the Consumer Protection Act under Chapter 19.86 of Title 19 of the RCW (RCW §19.158.030). An injured party may bring an action to recover actual damages, including court costs and attorney's fees (RCW §19.158.130). Additionally, a civil penalty of $500 to $2,000 will be imposed by the court for each violation (RCW §19.158.140). The director of the Department of Licensing may also take disciplinary action (RCW §19.158.040).

The State Legislature has proposed a bill, House Bill 1497 concerning commercial telephone solicitation ('HB 1497'), to amend RCW Chapters 80.36 and 19.158 to create more clarity to recipients of such telephone solicitations (including commercial telephone solicitations) identified above. Notably, the bill would require telephone solicitors requesting a donation or monetary gift to ask recipients if they want to continue the call, end the call, or be removed from the solicitor's contact list (see Section 1 of HB 1497). Additionally, if the recipient indicates that they want to end the call, the telephone solicitor must end the call within ten seconds. For situations where recipients want to be removed from a solicitor's contact list, the proposed bill expands the personal information removed to include any contact information, not just name and phone number, and the solicitor may not contact such recipient at any phone number associated with the recipient, not just the one called in that instance. When making a telephone solicitation, the solicitor must also identify themselves within the first 30 seconds of the call, not just the first minute.

8. PRIVACY POLICIES

There is no Washington State statute requiring the posting of privacy notices or policies on a website. However, §40.26.020 of Chapter 40.26 of Title 40 of the RCW requires that an agency that collects biometric identifiers address those identifiers in the agency's privacy policies. Additionally, businesses with an online presence should ensure they are complying with other state and federal statutes that regulate online privacy policies, such as California's Online Privacy Protection Act, under Chapter 22 of Division 8 of the Business and Professions Code, and the federal COPPA, Gramm-Leach-Bliley Act of 1999, and Section 5 of the Federal Trade Commission Act of 1914.

9. DATA DISPOSAL/CYBERSECURITY/DATA SECURITY

Under Chapter 19.215 of Title 19 of the RCW, Washington has enacted a statute to address the disposal of personal information, and to ensure the security and confidentiality of personal information during the disposal process, due to the State Legislature's finding that careless disposal can pose a significant threat of identity theft (RCW §19.215.005).

Under this statute, personal financial and health information is defined as 'information that is identifiable to an individual and that is commonly used for financial or health care purposes, including account numbers, access codes or passwords, information gathered for account security purposes, credit card numbers, information held for the purpose of account access or transaction initiation, or information that relates to medical history or status' (RCW §19.215.010). Destroying personal information is defined as 'shredding, erasing, or otherwise modifying personal information in records to make the personal information unreadable or undecipherable through any reasonable means' (RCW §19.215.010).

An individual who believes they may have been harmed due to improper data disposal may petition the court for damages or an injunction (RCW §19.215.020). A company is responsible for taking all reasonable steps to destroy personal financial and health information (RCW §19.215.020). If the failure to do so is due to negligence, the court may award a penalty of $200 or actual damages, whichever is greater, plus costs and reasonable attorney's fees (RCW §19.215.020). If the failure to do so is wilful, the court may award the greater of $600 or treble damages, although treble damages are capped at $10,000 (RCW §19.215.020). In addition to an individual right of action, this statute also allows the AG to bring a civil action on behalf of the State for damages, injunctive relief, or both, and the court may award the same damages available to an individual plaintiff (RCW §19.215.020).

10. OTHER SPECIFIC JURISDICTIONAL REQUIREMENTS

Biometric data

Washington is one of the few states in the country that has enacted a law to safeguard biometric information. The Biometric Law, under Chapter 19.375 of Title 19 of the RCW, applies to 'biometric identifiers', which are defined as 'data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual' (RCW §19.375.010(1)). The Biometric Law goes on to specifically exclude 'a physical or digital photograph, video or audio recording or data generated therefrom, or information collected, used, or stored for health care treatment, payment or operations' from the definition of biometric identifiers (RCW §19.375.010(1)).

The Biometric Law prohibits enrolling a biometric identifier in a database for commercial purposes, without first:

  • providing notice;
  • obtaining consent; or
  • providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose. 

'Enroll' means 'to capture a biometric identifier of an individual, convert it into a reference template that cannot be reconstructed into the original output image, and store it in a database that matches the biometric identifier to a specific individual' (RCW §19.375.010(5)).

The Biometric Law further prohibits disclosure of biometric data to a third party for a commercial purpose without notice and consent and adequate security as required under the statute, or an applicable exception (e.g. disclosure is necessary to provide/facilitate the requested product or service or financial transaction, litigation, judicial process, required by law, or to a third party who promises not to further disclose or enroll for purposes inconsistent with consent and otherwise complies with the statute) (RCW §19.375.020(3)).

Biometric identifiers must be secured using reasonable safeguards and kept only as long as necessary to provide services requested, comply with the law, or protect against claims or other liability (RCW §19.375.020(4)).

Facial recognition services

In March 2020, Washington enacted a law to regulate the use of facial recognition services by state and local government agencies, which came into effect 1 July 2021 under Engrossed Substitute Senate Bill 6280 for an Act Relating to the Use of Facial Recognition Services ('SB 6280') (RCW Chapter forthcoming). SB 6280 highlights that the use of facial recognition services presents civil liberties risks, and the State Legislature sought to limit government agencies' use of these technologies, including prohibiting their use for on-going surveillance, real-time identification, or persistent tracking without the use of a warrant, exigent circumstances, or a court order to locate a missing person (Section 11 of SB 6280).

Although most of the obligations in SB 6280 fall on government agencies using facial recognition services, there are also implications for companies that produce and provide these services. SB 6280 requires that 'accountability reports' be published by government agencies who wish to use the services, which must include information about the vendors providing facial recognition services, including, but not limited to, the vendor's name, a description of the service, the data collected and processed by the service, a description of the vendor's security breach notification practices, and the data collected and processed by the service (Section 3 of SB 6280). Further, providers of facial recognition services must make available to government agencies the ability to conduct independent testing of the services for accuracy and bias (Section 6 of SB 6280).

Efforts to directly regulate companies that produce and provide facial recognition services were considered by the State Legislature in 2020 but failed to pass, including a Section that would have addressed this in the failed Washington Privacy Act. This may be an area of additional legislative consideration in 2022.

Driver and vehicle data

In April 2021, Washington enacted a law enhancing data stewardship and privacy protections for vehicle and driver data obtained by the Department of Licensing, which came into effect 25 July 2021 under Senate Bill 5152 ('SB 5152'). SB 5152 clarifies allowable uses of personal or identity information and prescribes penalties for data misuse.

Most of the obligations in SB 6280 fall on government agencies using facial recognition services, but as with SB 6280, there are also implications for companies that provide or receive vehicle and driver data. SB 5152 regulates all information or records containing personal or identity information obtained by the Department of Licensing, pursuant to the administration of driver and vehicle records.

Recipients and subrecipients of such data have an affirmative obligation to take all reasonable actions necessary to prevent the unauthorised disclosure and misuse of personal or identity information. The Department of Licensing may audit or investigate any entity receiving covered data under SB 5152. Finally, all data service contracts with the Department of Licensing must include several mandatory provisions, including audit requirements and limitations and restrictions on the use of personal or identity information.