Back to Washington

HB1671 • 2026

Personal data privacy

Protecting personal data privacy.

Privacy
Passed Legislature

This bill passed both chambers and reached final enrollment, even if later executive action is not shown here.

Sponsor
Representative Kloba, Representative Fosse, Representative Doglio, Representative Parshley, Representative Berry, Representative Ramel, Representative Scott, Representative Taylor, Representative Simmons
Last action
2026-01-12
Official status
H Approps
Effective date
Not listed

Plain English Breakdown

Using official source text because the generated explanation was unavailable or could not be confirmed against the official bill text.

Personal data privacy

Personal data privacy

What This Bill Does

  • Personal data privacy

Limits and Unknowns

  • This entry is temporarily using official source text because the generated explanation could not be confirmed against the official bill text during the last sync.

Bill History

  1. 2026-01-12 House

    By resolution, reintroduced and retained in present status.

Official Summary Text

Personal data privacy

Current Bill Text

Read the full stored bill text
AN ACT Relating to personal data privacy; adding a new section to 1
chapter 19.373 RCW; adding a new chapter to Title 19 RCW; and 2
providing an effective date. 3
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF WASHINGTON:4
NEW SECTION. Sec. 1. DEFINITIONS. The definitions in this 5
section apply throughout this chapter unless the context clearly 6
requires otherwise.7
(1) "Affiliate" has the same meaning as defined in RCW 8
19.373.010. 9
(2)(a) "Affirmative consent" or "consent" means a clear 10
affirmative act signifying a consumer's freely given, specific, 11
informed, revokable, and unambiguous authorization for an act or 12
practice after having been informed, in response to a specific 13
request from a controller, provided that: 14
(i) The request is provided to the consumer in a clear and 15
conspicuous stand-alone disclosure; 16
(ii) The request includes a description of the processing purpose 17
for which the consumer's consent is sought and (A) clearly 18
distinguishes between an act or practice that is necessary to fulfill 19
a request of the consumer and an act or practice that is for another 20
purpose, (B) clearly states the specific categories of personal data 21
H-0779.1
HOUSE BILL 1671
State of Washington 69th Legislature 2025 Regular Session
By Representatives Kloba, Fosse, Doglio, Parshley, Berry, Ramel,
Scott, Taylor, and Simmons
Read first time 01/28/25. Referred to Committee on Technology,
Economic Development, & Veterans.
p. 1 HB 1671
that the controller intends to collect, process, or transfer under 1
each act or practice, and (C) is written in easy to understand 2
language and includes a prominent heading that would enable a 3
reasonable consumer to identify and understand each act or practice;4
(iii) The request clearly explains the consumer's rights related 5
to consent; 6
(iv) The request is made in a manner reasonably accessible to and 7
usable by consumers with disabilities; 8
(v) The request is made available to the consumer in each 9
language in which the controller provides a product or service for 10
which authorization is sought; 11
(vi) The option to refuse to give consent is at least as 12
prominent and takes the same number of steps or fewer as the option 13
to give consent; and 14
(vii) Affirmative consent to an act or practice is not inferred 15
from the inaction of the consumer or the consumer's continued use of 16
a service or product provided by the controller. 17
(b) "Affirmative consent" does not include: 18
(i) Acceptance of a general or broad terms of use or similar 19
document that contains descriptions of personal data processing along 20
with other, unrelated information; 21
(ii) Hovering over, muting, pausing, or closing a given piece of 22
content; 23
(iii) Agreement obtained through the use of a false, fraudulent, 24
or materially misleading statement or representation; or25
(iv) Agreement obtained through the use of dark patterns.26
(3) "Authenticate" means to use reasonable means to determine 27
that a request to exercise any of the rights afforded in this chapter 28
is being made by, or on behalf of, the consumer who is entitled to 29
exercise such rights with respect to the personal data at issue.30
(4) "Biometric data" has the same meaning as defined in RCW 31
19.373.010. 32
(5) "Child" means a consumer under the age of 13 years old.33
(6) "Collect" means buying, renting, gathering, obtaining, 34
receiving, accessing, or otherwise acquiring personal data by any 35
means. 36
(7) "Consumer" means a natural person: (a)(i) Who is a Washington 37
resident or (ii) whose personal data is collected in Washington 38
state, and (b) who acts only in an individual or household context, 39
p. 2 HB 1671
however identified, including by any unique identifier. "Consumer" 1
does not include an individual acting in an employment context.2
(8)(a) "Consumer health data" means personal data that is linked 3
or reasonably linkable to a consumer and that identifies the 4
consumer's past, present, or future physical or mental health status.5
(b) For the purposes of this definition, physical or mental 6
health status includes, but is not limited to: 7
(i) Individual health conditions, treatment, diseases, or 8
diagnosis; 9
(ii) Social, psychological, behavioral, and medical 10
interventions; 11
(iii) Health-related surgeries or procedures; 12
(iv) Use or purchase of prescribed medication;13
(v) Bodily functions, vital signs, symptoms, or measurements of 14
such information; 15
(vi) Diagnoses or diagnostic testing, treatment, or medication;16
(vii) Gender-affirming care information; 17
(viii) Reproductive or sexual health information;18
(ix) Biometric data; 19
(x) Genetic data; 20
(xi) Precise geolocation information that could reasonably 21
indicate a consumer's attempt to acquire or receive health services 22
or supplies; 23
(xii) Data that identifies a consumer seeking health care 24
services; or 25
(xiii) Any information that a controller or processor processes 26
to associate or identify a consumer with the data described in (b)(i) 27
through (xii) of this subsection that is derived or extrapolated from 28
nonhealth information (such as proxy, derivative, inferred, or 29
emergent data by any means, including algorithms or machine 30
learning). 31
(c) "Consumer health data" does not include personal data that is 32
used to engage in public or peer-reviewed scientific, historical, or 33
statistical research in the public interest that adheres to all other 34
applicable ethics and privacy laws and is approved, monitored, and 35
governed by an institutional review board, human subjects research 36
ethics review board, or a similar independent oversight entity that 37
determines that the controller or processor has implemented 38
reasonable safeguards to mitigate privacy risks associated with 39
research, including any risks associated with reidentification.40
p. 3 HB 1671
(9)(a) "Contextual advertising" means displaying or presenting an 1
advertisement that does not vary based on the identity of the 2
individual recipient and is based solely on the immediate content of 3
a web page or online service within which the advertisement appears, 4
or on a specific request of the consumer for information or feedback, 5
if displayed in proximity to the results of such request for 6
information. 7
(b) A controller may use the following types of personal data to 8
display a contextual advertisement, provided that the personal data 9
is not used to make inferences about the consumer, profile the 10
consumer, or for any other purpose, and that the consumer may use 11
technical means to obfuscate or change the consumer's physical 12
location and specify a language preference: 13
(i) Technical specifications that are necessary for the ad to be 14
delivered and displayed properly on a given device;15
(ii) A consumer's immediate presence in a geographic area with a 16
radius no smaller than 10 miles, or an area reasonably estimated to 17
include online activity from at least 5,000 users, but not including 18
precise geolocation data; or 19
(iii) The consumer's language preferences, as inferred from 20
context, browser settings, or user settings. 21
(10) "Controller" means the natural or legal person who, alone or 22
jointly with others, determines the purposes and means of collecting 23
or processing of personal data. 24
(11) "Dark pattern" means a user interface designed or 25
manipulated with the substantial effect of subverting or impairing 26
user autonomy, decision making or choice and includes, but is not 27
limited to, any practice the federal trade commission refers to as a 28
"dark pattern." 29
(12) "Decisions that produce legal or similarly significant 30
effects concerning the consumer" means decisions that result in 31
access to, or the provision or denial by the controller of financial 32
and lending services, housing, insurance, education enrollment, 33
criminal justice, employment opportunities, health care services, or 34
access to essential goods or services. 35
(13) "Deidentified data" means data that does not identify and 36
cannot reasonably be used to infer information about, or otherwise be 37
linked to, an identified or identifiable individual, or a device 38
linked to such individual, if the controller that possesses the data:39
p. 4 HB 1671
(a) Takes reasonable physical, administrative, and technical 1
measures to ensure that the data cannot be associated with an 2
individual, or be used to reidentify an individual or device that 3
identifies or is linked or reasonably linkable to an individual;4
(b) Publicly commits to process the data only in a deidentified 5
fashion and not attempt to reidentify the data; and6
(c) Contractually obligates any recipients of the data to comply 7
with (a) and (b) of this subsection. 8
(14) "First party" means a consumer-facing controller with which 9
the consumer intends or expects to interact. 10
(15)(a) "First-party advertising" means processing by a first 11
party of its own first-party data for the purposes of advertising and 12
marketing and is carried out: 13
(i) Through direct communications with a consumer, such as direct 14
mail, email, or text message communications; 15
(ii) In a physical location operated by the first party; or16
(iii) Through display or presentation of an advertisement on the 17
first party's own website, application, or its other online content.18
(b) "First-party advertising" includes marketing measurement 19
related to such advertising and marketing. 20
(16) "First-party data" means personal data collected directly 21
from a consumer by a first party, including based on a visit by the 22
consumer to or use by the consumer of a website, a physical location, 23
or an online service operated by the first party. 24
(17) "Gender-affirming care information" means personal data 25
relating to seeking or obtaining past, present, or future gender-26
affirming care services. "Gender-affirming care information" 27
includes, but is not limited to: 28
(a) Precise geolocation information that could reasonably 29
indicate a consumer's attempt to acquire or receive gender-affirming 30
care services; 31
(b) Efforts to research or obtain gender-affirming care services; 32
or 33
(c) Any gender-affirming care information that is derived, 34
extrapolated, or inferred, including from nonhealth information, such 35
as proxy, derivative, inferred, emergent, or algorithmic data.36
(18) "Gender-affirming care services" has the same meaning as in 37
RCW 19.373.010. 38
(19) "Identified or identifiable individual" means an individual 39
who can be readily identified, directly or indirectly.40
p. 5 HB 1671
(20) "Marketing measurement" means measuring and reporting on 1
marketing performance or media performance by the controller, 2
including processing personal data for measurement and reporting of 3
frequency, attribution, and performance. 4
(21) "Minor" means any consumer who is younger than 18 years of 5
age. 6
(22) "Person" means an individual, association, company, limited 7
liability company, corporation, partnership, sole proprietorship, 8
trust, or any other legal entity. 9
(23) "Personal data" means any information that identifies or is 10
reasonably capable of being associated or linked, directly or 11
indirectly, with a particular consumer. "Personal data" includes, but 12
is not limited to, derived data and data associated with a persistent 13
unique identifier, such as a cookie ID, an IP address, a device 14
identifier, or any other form of persistent unique identifier. 15
"Personal data" does not include publicly available information or 16
deidentified data. 17
(24)(a) "Precise geolocation data" means information derived from 18
technology including, but not limited to, latitude and longitude 19
coordinates from global positioning system mechanisms or other 20
similar positional data, that reveals the past or present physical 21
location of an individual or device that identifies or is linked or 22
reasonably linkable to one or more individuals with precision and 23
accuracy within a radius of 1,750 feet. 24
(b) "Precise geolocation information" does not include the 25
content of communications, a photograph or video, metadata associated 26
with a photograph or video that cannot be linked to an individual, or 27
any data generated by or connected to advanced utility metering 28
infrastructure systems or equipment for use by a utility.29
(25) "Process" or "processing" means any operation or set of 30
operations performed, whether by manual or automated means, on 31
personal data or on sets of personal data, such as the use, storage, 32
disclosure, analysis, deletion, or modification of personal data.33
(26) "Processor" means a person that collects, processes, or 34
transfers personal data on behalf of, and at the direction of, a 35
controller or another processor, or a federal, state, tribal, or 36
local government entity. 37
(27) "Profiling" means any form of processing performed on 38
personal data to evaluate, analyze, or predict personal aspects, 39
including an individual's economic situation, health, personal 40
p. 6 HB 1671
preferences, interests, reliability, behavior, location, or 1
movements. 2
(28)(a) "Publicly available information" means information that 3
has been lawfully made available to the general public from:4
(i) Federal, state, or municipal government records, if the 5
person collects, processes, and transfers such information in 6
accordance with any restrictions or terms of use placed on the 7
information by the relevant government entity; 8
(ii) Widely distributed media; or 9
(iii) A disclosure to the general public as required by federal, 10
state, or local law. 11
(b) "Publicly available information" does not include:12
(i) Any obscene visual depiction, as defined in 18 U.S.C. Sec. 13
1460; 14
(ii) Any inference made exclusively from multiple independent 15
sources of publicly available information that reveals sensitive data 16
with respect to a consumer; 17
(iii) Biometric data; 18
(iv) Personal data that is created through the combination of 19
personal data with publicly available information;20
(v) Genetic data, unless otherwise made publicly available by the 21
individual to whom the information pertains; 22
(vi) Information made available by a consumer on a website or 23
online service made available to all members of the public, for free 24
or for a fee, where the consumer has restricted the information to a 25
specific audience; or 26
(vii) Intimate images and fabricated intimate images disclosed 27
without consent of the depicted individual. For the purposes of this 28
subsection, "intimate image," "fabricated intimate image," and 29
"depicted individual" have the same meaning as defined in RCW 30
7.110.010. 31
(29) "Reproductive or sexual health information" means personal 32
data relating to seeking or obtaining past, present, or future 33
reproductive or sexual health services. "Reproductive or sexual 34
health information" includes, but is not limited to:35
(a) Precise geolocation information that could reasonably 36
indicate a consumer's attempt to acquire or receive reproductive or 37
sexual health services; 38
(b) Efforts to research or obtain reproductive or sexual health 39
services; or 40
p. 7 HB 1671
(c) Any reproductive or sexual health information that is 1
derived, extrapolated, or inferred, including from nonhealth 2
information, such as proxy, derivative, inferred, emergent, or 3
algorithmic data. 4
(30) "Reproductive or sexual health services" has the same 5
meaning as defined in RCW 19.373.010. 6
(31)(a) "Sale of personal data" means the exchange of personal 7
data for monetary or other valuable consideration by the controller 8
to a third party. 9
(b) "Sale of personal data" does not include: 10
(i) The disclosure of personal data to a processor that processes 11
the personal data on behalf of the controller; 12
(ii) The disclosure of personal data to a third party for 13
purposes of providing a product or service requested by the consumer;14
(iii) The disclosure or transfer of personal data to an affiliate 15
of the controller; 16
(iv) With the consumer's affirmative consent, the disclosure of 17
personal data where the consumer affirmatively directs the controller 18
to disclose the personal data or intentionally uses the controller to 19
interact with a third party; or 20
(v) The disclosure of personal data that the consumer 21
intentionally made available to the general public via a channel of 22
mass media and did not restrict to a specific audience.23
(32) "Sensitive data" means personal data that includes:24
(a) Data revealing racial or ethnic origin, religious beliefs, 25
mental or physical health condition or diagnosis, status as pregnant, 26
sex life, sexual orientation, status as transgender or nonbinary, 27
union membership, income level or indebtedness, or citizenship or 28
immigration status; 29
(b) Consumer health data; 30
(c) Genetic or biometric data; 31
(d) Personal data of a consumer that a controller knows, or 32
willfully disregards, is a minor; 33
(e) Precise geolocation data; 34
(f) A government-issued identifier, including a social security 35
number, passport number, or driver's license number, that is not 36
required by law to be displayed in public; or 37
(g) The online activities of a consumer or device linked or 38
reasonably linkable to a consumer over time and across websites, 39
p. 8 HB 1671
online applications, or mobile applications that do not share common 1
branding, or data generated by profiling performed on such data.2
(33)(a) "Targeted advertising" means presenting an online 3
advertisement to a consumer, to a device identified by a unique 4
persistent identifier, or to a group of consumers or devices 5
identified by unique persistent identifiers, if the advertisement is 6
selected based, in whole or in part, on known or predicted 7
preferences, characteristics, behavior, or interests associated with 8
the consumer or a device identified by a unique persistent 9
identifier. 10
(b) "Targeted advertising" includes displaying or presenting an 11
online advertisement for a product or service based on the previous 12
interaction of a consumer or a device identified by a unique 13
persistent identifier with such product or service on a website or 14
online service that does not share common branding with the website 15
or online service displaying or presenting the advertisement, and 16
marketing measurement related to such advertisements.17
(c) "Targeted advertising" does not include first-party 18
advertising or contextual advertising. 19
(34) "Third party" means a person that collects personal data 20
from another person that is not the consumer to whom the data 21
pertains and is not a processor with respect to such data. "Third 22
party" does not include a person that collects personal data from 23
another entity if the two entities are affiliates.24
(35) "Transfer" means to disclose, release, disseminate, make 25
available, license, rent, or share personal data to a third party 26
orally, in writing, electronically, or by any other means.27
(36)(a) "Unique persistent identifier" means a technologically 28
created identifier to the extent that such identifier is reasonably 29
linkable to a consumer or a device that identifies or is linked or 30
reasonably linkable to one or more consumers. 31
(b) "Unique persistent identifier" includes device identifiers, 32
internet protocol addresses, cookies, beacons, pixel tags, mobile ad 33
identifiers or similar technology customer numbers, unique 34
pseudonyms, user aliases, telephone numbers, or other forms of 35
persistent or probabilistic identifiers that are linked or reasonably 36
linkable to one or more consumers or devices. 37
(c) "Unique persistent identifier" does not include an identifier 38
assigned by a controller for the sole purpose of giving effect to the 39
exercise of affirmative consent or opt out by a consumer with respect 40
p. 9 HB 1671
to the collecting, processing, and transfer of personal data, or with 1
respect to otherwise limiting the collecting, processing, or transfer 2
of personal data. 3
NEW SECTION. Sec. 2. APPLICABILITY AND SCOPE. (1) This chapter 4
applies to persons that conduct business in Washington state or 5
produce products or services that are targeted to residents of 6
Washington state, and that collect or process the personal data of 7
consumers.8
(2) This chapter does not apply to any federal, state, tribal, 9
territorial, or local government entity, such as a body, authority, 10
board, bureau, commission, district, or agency, of this state or of 11
any political subdivision of this state. 12
(3) This chapter does not apply to the following information and 13
data: 14
(a) Protected health information that a covered entity or 15
business associate collects or processes in accordance with, or 16
documents that a covered entity or business associate creates for the 17
purpose of complying with, the federal health insurance portability 18
and accountability act of 1996 and its implementing regulations;19
(b) Health care information collected, used, or disclosed in 20
accordance with chapter 70.02 RCW; 21
(c) Patient identifying information as defined by 42 C.F.R. Part 22
2, established pursuant to 42 U.S.C. Sec. 290dd-2;23
(d) Identifiable private information for purposes of: The federal 24
policy for the protection of human subjects under 45 C.F.R. Part 46, 25
identifiable private information that is otherwise information 26
collected as part of human subjects research pursuant to the good 27
clinical practice guidelines issued by the international council for 28
harmonization of technical requirements for pharmaceuticals for human 29
use, the protection of human subjects under 21 C.F.R. Parts 6, 50, 30
and 56, personal data used or shared in research as defined in 45 31
C.F.R. 164.501 that is conducted in accordance with one or more of 32
the requirements set forth in this subsection, or other research 33
conducted in accordance with applicable law; 34
(e) Information and documents created specifically for, and 35
collected and maintained by: 36
(i) A quality improvement committee for purposes of RCW 37
43.70.510, 70.230.080, or 70.41.200; 38
(ii) A peer review committee for purposes of RCW 4.24.250;39
p. 10 HB 1671
(iii) A quality assurance committee for purposes of RCW 74.42.640 1
or 18.20.390; 2
(iv) A hospital, as defined in RCW 43.70.056, for reporting of 3
health care-associated infections for purposes of RCW 43.70.056, a 4
notification of an incident for purposes of RCW 70.56.040(5), or 5
reports regarding adverse events for purposes of RCW 70.56.020(2)(b); 6
or 7
(v) A manufacturer, as defined in 21 C.F.R. Sec. 820.3 (o), when 8
collected, used, or disclosed for purposes specified in chapter 70.02 9
RCW; 10
(f) Information and documents created for purposes of the federal 11
health care quality improvement act of 1986, and related regulations;12
(g) Patient safety work product for purposes of the federal 13
patient safety and quality improvement act, 42 U.S.C. Sec. 299b-21 et 14
seq.; 15
(h) Information that is deidentified in accordance with the 16
requirements for deidentification set forth in 45 C.F.R. Part 164 and 17
derived from any of the health care-related information identified in 18
this subsection; 19
(i) Information originating from, and intermingled so as to be 20
indistinguishable with, information described in (a) through (h) of 21
this subsection that is maintained by: 22
(i) A covered entity or business associate as defined by the 23
health insurance portability and accountability act of 1996 and 24
related regulations; 25
(ii) A health care facility or health care provider as defined in 26
RCW 70.02.010; or 27
(iii) A program or a qualified service organization as defined by 28
42 C.F.R. Part 2, established pursuant to 42 U.S.C. Sec. 290dd-2;29
(j) Information used only for public health activities and 30
purposes as described in 45 C.F.R. Sec. 164.512 or that is part of a 31
limited data set, as defined, and is used, disclosed, and maintained 32
in the manner required, by 45 C.F.R. Sec. 164.514;33
(k) Identifiable data collected, used, or disclosed in accordance 34
with chapter 43.371 RCW or RCW 69.43.165; 35
(l) Personal information that is governed by and collected, 36
processed, sold, or disclosed pursuant to the following regulations, 37
parts, titles, or acts: 38
(i) The Gramm-Leach-Bliley act, 15 U.S.C. Sec. 6801 et seq., and 39
implementing regulations; 40
p. 11 HB 1671
(ii) Part C of Title XI of the social security act, 42 U.S.C. 1
1320d et seq.; 2
(iii) The fair credit reporting act, 15 U.S.C. 1681 et seq.;3
(iv) The family educational rights and privacy act, 20 U.S.C. 4
1232g; 34 C.F.R. Part 99; 5
(v) The Washington health benefit exchange and applicable 6
statutes and regulations, including 45 C.F.R. Sec. 155.260 and 7
chapter 43.71 RCW; 8
(vi) Privacy rules adopted by the office of the insurance 9
commissioner pursuant to chapter 48.02 or 48.43 RCW;10
(vii) The federal driver's privacy protection act of 1994, 18 11
U.S.C. Sec. 2721 et seq.; 12
(viii) The federal family educational rights and privacy act, 20 13
U.S.C. Sec. 1232g et seq.; or 14
(ix) The federal farm credit act of 1971, 12 U.S.C. Sec. 2001 et 15
seq.; 16
(m) Personal data collected, processed, sold, or disclosed in 17
relation to price, route, or service, as such terms are used in the 18
airline deregulation act, 49 U.S.C. 40101 et seq., by an air carrier 19
subject to the act, to the extent this chapter is preempted by the 20
airline deregulation act, 49 U.S.C. 41713; or 21
(n) Data processed or maintained: 22
(i) In the course of an individual applying to, employed by, or 23
acting as an agent or independent contractor of a controller, 24
processor, or third party, to the extent that the data is collected 25
and used within the context of that role; 26
(ii) As the emergency contact information of the individual under 27
this chapter used for emergency contact purposes; or28
(iii) That is necessary to retain to administer benefits for 29
another individual relating to the individual who is the subject of 30
the information under (n)(i) of this subsection and used for the 31
purposes of administering such benefits. 32
(4) Controllers that are in compliance with the verifiable 33
parental consent requirements under the children's online privacy 34
protection act, 15 U.S.C. Sec. 6501 through 6506 and its implementing 35
regulations, are deemed compliant with any obligation to obtain 36
parental consent under this chapter. 37
NEW SECTION. Sec. 3. CONSUMER RIGHTS. (1) A consumer has the 38
right to:39
p. 12 HB 1671
(a) Confirm whether a controller is collecting or processing 1
personal data concerning the consumer, access such personal data, and 2
confirm whether or not the consumer's personal data is used to 3
profile the consumer for the purpose of automated decision making;4
(b) Obtain from a controller a list of specific third parties, 5
other than natural persons, to which the controller has transferred 6
either the consumer's personal data or any personal data;7
(c) Correct inaccuracies in the consumer's personal data, taking 8
into account the nature of the personal data and the purposes of the 9
processing of the consumer's personal data; 10
(d) Delete personal data concerning the consumer, including 11
personal data the consumer provided to the controller, personal data 12
the controller obtained from another source, and derived data;13
(e) Obtain a copy of the consumer's personal data collected or 14
processed by the controller, in a portable and, to the extent 15
technically feasible, readily usable format that allows the consumer 16
to transmit the data to another controller without hindrance, where 17
the processing is carried out by automated means; and18
(f) Opt out of the processing of the personal data for purposes 19
of: 20
(i) Targeted advertising; 21
(ii) The sale of personal data; or 22
(iii) Profiling in furtherance of solely automated decisions that 23
produce legal or similarly significant effects concerning the 24
consumer. 25
(2)(a) If a consumer's personal data is profiled in furtherance 26
of decisions that produce legal effects concerning a consumer or 27
similarly significant effects concerning a consumer, the consumer has 28
the right to question the result of such profiling, to be informed of 29
the reason why the profiling resulted in the decision, and, if 30
feasible, to be informed of what actions the consumer might have 31
taken to secure a different decision and the actions that the 32
consumer might take to secure a different decision in the future.33
(b) The consumer has the right to review the consumer's personal 34
data used in the profiling. 35
(c) If the decision is determined to have been based upon 36
inaccurate personal data, the consumer has the right to have the data 37
corrected and the profiling decision reevaluated based upon the 38
corrected data. 39
p. 13 HB 1671
NEW SECTION. Sec. 4. EXERCISING CONSUMER RIGHTS. (1) A consumer 1
may exercise rights under this chapter by a secure and reliable means 2
established by the controller and described to the consumer in the 3
controller's privacy notice.4
(2)(a) A consumer may designate another person to serve as the 5
consumer's authorized agent, and act on the consumer's behalf, to 6
exercise rights specified in section 3 of this act.7
(b) A controller must comply with a consumer's request received 8
from an authorized agent if the controller is able to verify, with 9
commercially reasonable effort, the identity of the consumer and the 10
authorized agent's authority to act on the consumer's behalf.11
(3) In the case of personal data of a known child, the parent or 12
legal guardian of the known child may exercise the rights of this 13
chapter on the child's behalf. 14
(4) In the case of personal data concerning a consumer subject to 15
guardianship, conservatorship, or other protective arrangement, the 16
guardian or the conservator of the consumer may exercise the rights 17
of this chapter on the consumer's behalf. 18
NEW SECTION. Sec. 5. RESPONDING TO CONSUMER REQUESTS. Except as 19
otherwise provided in this chapter, a controller shall comply with a 20
request by a consumer to exercise the consumer rights authorized in 21
this chapter in accordance with this section.22
(1) A controller shall respond to the consumer without undue 23
delay, but not later than 45 days after receipt of the request. The 24
response period may be extended once by 45 additional days when 25
reasonably necessary, taking into account the complexity and number 26
of the consumer's requests, so long as the controller informs the 27
consumer of any such extension within the initial 45-day response 28
period, together with the reason for the extension.29
(2) If a controller declines to take action regarding the 30
consumer's request, the controller shall inform the consumer without 31
undue delay, but not later than 45 days after receipt of the request, 32
of the justification for declining to take action and instructions 33
for how to appeal the decision. 34
(3) Information provided in response to a consumer request must 35
be provided by the controller, free of charge, twice per consumer 36
during any 12-month period. If requests from a consumer are 37
manifestly unfounded, excessive, or repetitive, the controller may 38
charge the consumer a reasonable fee to cover the administrative 39
p. 14 HB 1671
costs of complying with the request or decline to act on the request. 1
The controller bears the burden of demonstrating the manifestly 2
unfounded, excessive, or repetitive nature of the request.3
(4)(a) If a controller is unable to authenticate the request 4
using commercially reasonable efforts, the controller is not required 5
to comply with a request to exercise any of the rights under section 6
3 of this act and may request that the consumer provide additional 7
information reasonably necessary to authenticate the consumer and the 8
consumer's request. 9
(b) A controller may not require authentication of an opt-out 10
request, but a controller may deny an opt-out request if the 11
controller has a good-faith, reasonable, and documented belief that 12
such request is fraudulent. If a controller denies an opt-out request 13
because the controller believes the request is fraudulent, the 14
controller shall send notice to the person who made the request, 15
stating that the controller believes the request to be fraudulent, 16
why the controller believes the request to be fraudulent, and that 17
the controller will not comply with the request. 18
(5) A controller that has obtained personal data about a consumer 19
from a source other than the consumer is deemed in compliance with a 20
consumer's request to delete such data pursuant to section 3 (1)(d) of 21
this act by deleting the consumer's personal data retained by the 22
controller and retaining a record of the deletion request and the 23
minimum data necessary for the purpose of ensuring the consumer's 24
personal data remains deleted from the controller's records and not 25
using such retained data for any other purpose pursuant to this 26
chapter. 27
(6) A controller shall establish a process for a consumer to 28
appeal the controller's refusal to take action on a request within a 29
reasonable period of time after the consumer's receipt of the 30
decision. The appeal process must be conspicuously available and 31
similar to the process for submitting consumer rights requests. 32
Within 45 days of receipt of an appeal, a controller shall inform the 33
consumer in writing of any action taken or not taken in response to 34
the appeal, including a written explanation of the reasons for the 35
decisions. If the appeal is denied, the controller shall also provide 36
the consumer with an online mechanism, if available, or other method 37
through which the consumer may contact the attorney general to submit 38
a complaint. 39
p. 15 HB 1671
(7) A controller may not condition, effectively condition, 1
attempt to condition, or attempt to effectively condition the 2
exercise of a consumer right described in section 3 of this act 3
through the use of dark patterns or any false, fictitious, 4
fraudulent, or materially misleading statement or representation.5
(8) A controller may not require a consumer to create a new 6
account in order to exercise consumer rights, but may require a 7
consumer to use an existing account. 8
(9) A controller shall establish, and describe in the 9
controller's privacy notice, one or more secure and reliable means 10
for consumers to submit a request to exercise their consumer rights 11
pursuant to this chapter. Such means must take into account the ways 12
in which consumers normally interact with the controller, the need 13
for secure and reliable communication of such requests, and the 14
ability of the controller to verify the identity of the consumer 15
making the request. Such means must include: 16
(a) Providing a clear and conspicuous link on the controller's 17
internet website to an internet web page that enables a consumer, or 18
an agent of the consumer, to opt out of the targeted advertising, the 19
sale of the consumer's personal data, and profiling in furtherance of 20
solely automated decisions that produce legal or similarly 21
significant effects concerning the consumer; and 22
(b) Not later than December 31, 2025, allowing a consumer to opt 23
out of any collection or processing of the consumer's personal data 24
for the purposes of targeted advertising, or any sale of the 25
consumer's personal data, through an opt-out preference signal that 26
is sent, with the consumer's consent, by a platform, technology, or 27
mechanism to the controller and that indicates the consumer's intent 28
to opt out of any processing or sale. The platform, technology, or 29
mechanism must: 30
(i) Be consumer friendly and easy to use by the average consumer; 31
and 32
(ii) Enable the controller to reasonably determine that the 33
consumer is a Washington resident or a resident of a different state 34
whose data is collected in Washington state, and whether the consumer 35
has made a legitimate request to opt out of any sale of such 36
consumer's personal data or targeted advertising. For purposes of 37
this subsection, the use of an internet protocol address to estimate 38
the consumer's location shall be considered sufficient to reasonably 39
determine residency. 40
p. 16 HB 1671
(10) If a consumer's decision to opt out of any processing of the 1
consumer's personal data for the purposes of targeted advertising, or 2
any sale of the consumer's personal data, through an opt-out 3
preference signal sent in accordance with subsection (9) of this 4
section conflicts with the consumer's existing controller specific 5
privacy setting or voluntary participation in a controller's 6
financial incentive program, the controller shall comply with the 7
consumer's opt-out preference signal, but may notify the consumer of 8
the conflict and provide to the consumer the choice to confirm the 9
controller specific privacy setting or participation in the program.10
(11) If a controller responds to the consumer opt-out requests 11
received pursuant to subsection (9) of this section by informing the 12
consumer of a change in the price, rate, level, quality, or selection 13
of goods or services, the controller shall present the terms of any 14
financial incentive offered pursuant to section 6 (7) of this act for 15
the retention, use, sale, or sharing of the consumer's personal data.16
NEW SECTION. Sec. 6. RESPONSIBILITIES OF CONTROLLERS. (1)(a) 17
Except as specified in (b) of this subsection, a controller shall 18
limit the collection, processing, and transfer of personal data to 19
what is strictly necessary in relation to provide or maintain:20
(i) A specific product or service requested by the consumer to 21
whom the data pertains, including any routine administrative, 22
operational, or account-servicing activity, such as billing, 23
shipping, delivery, storage, or accounting; or 24
(ii) A communication, that is not an advertisement, by the 25
controller to the consumer reasonably anticipated within the context 26
of the relationship between the controller and the consumer.27
(b) A controller may only collect and transfer consumer health 28
data in accordance with RCW 19.373.030. 29
(c) Except with respect to sensitive data, a controller may 30
process or transfer personal data collected under this subsection to 31
provide first-party advertising or targeted advertising. However, 32
this subsection does not permit the processing or transfer of 33
personal data for targeted advertising to a consumer who has opted 34
out of such advertising pursuant to this chapter or to a consumer 35
under circumstances where the controller has knowledge, or willfully 36
disregards, that the consumer is a minor. 37
(2) Except as specified in RCW 19.373.030, a controller may not 38
transfer sensitive data concerning a consumer without obtaining the 39
p. 17 HB 1671
consumer's affirmative consent, or, in the case of the collection or 1
processing of sensitive data of a known child, without collecting or 2
processing such data in accordance with the children's online privacy 3
protection act, 15 U.S.C. Sec. 6501 through 6506 and its implementing 4
regulations. 5
(3) A controller may not sell sensitive data, with the exception 6
of consumer health data, which may be sold in accordance with RCW 7
19.373.070. 8
(4) A controller shall establish, implement, and maintain 9
administrative, technical, and physical data security practices that, 10
at a minimum, satisfy reasonable standard of care within the 11
controller's industry to protect the confidentiality, integrity, and 12
accessibility of personal data appropriate to the volume and nature 13
of the personal data at issue, including disposing of personal data 14
in accordance with a retention schedule that requires the deletion of 15
personal data when the data is required to be deleted by law or is no 16
longer necessary for the purpose for which the data was collected, 17
processed, or transferred. 18
(5) A controller shall provide an effective mechanism for a 19
consumer to revoke the consumer's affirmative consent that is at 20
least as easy as the mechanism by which the consumer provided the 21
consumer's affirmative consent. Upon revocation of the consumer's 22
affirmative consent, the controller shall cease to process the data 23
as soon as practicable, but not later than 15 days after the receipt 24
of the revocation. 25
(6) A controller may not process the personal data of a consumer 26
for purposes of targeted advertising or sell the consumer's personal 27
data under the circumstances where a controller has actual knowledge, 28
or willfully disregards, that the consumer is a minor.29
(7)(a) A controller may not discriminate or retaliate against a 30
consumer for exercising any of the consumer rights contained in this 31
chapter, or for refusing to agree to the collection or processing of 32
personal data for a separate product or service, including by denying 33
goods or services, charging different prices or rates for goods or 34
services, or providing a different level of quality of goods or 35
services to the consumer. 36
(b) Nothing in this subsection may be construed to require a 37
controller to provide a product or service that requires the personal 38
data of a consumer which the controller does not collect or maintain.39
p. 18 HB 1671
(c)(i) Nothing in this subsection may be construed to prohibit a 1
controller from offering a different price, rate, level, quality, or 2
selection of goods or services to a consumer, including offering 3
goods or services for no fee, if the offering is in connection with a 4
consumer's voluntary participation in a financial incentive program, 5
such as a bona fide loyalty, rewards, premium features, discounts, or 6
club card program, provided that the controller may not transfer 7
personal data to a third party as part of such a program unless:8
(A) The transfer is functionally necessary to enable the third 9
party to provide a benefit to which the consumer is entitled;10
(B) The transfer of personal data to the third party is clearly 11
disclosed in the terms of the program; and 12
(C) The third party uses the personal data only for purposes of 13
facilitating a benefit to which the consumer is entitled and does not 14
process or transfer the personal data for any other purpose.15
(ii) The sale of personal data must not be considered 16
functionally necessary to provide a financial incentive program. A 17
controller may not use financial incentive practices that are unjust, 18
unreasonable, coercive, or usurious in nature. 19
(8)(a) A controller or processor may not collect, process, or 20
transfer personal data in a manner that discriminates against an 21
individual or class of individuals, or otherwise makes unavailable 22
the equal enjoyment of goods or services, on the basis of an 23
individual's or class of individuals' actual or perceived race, 24
color, sex, sexual orientation, gender identity, disability, 25
religion, ancestry, or national origin. 26
(b) This subsection does not apply to: 27
(i) The collection, processing, or transfer of personal data for 28
the sole purpose of a controller's or processor's self-testing to 29
prevent or mitigate unlawful discrimination or otherwise to ensure 30
compliance with state or federal law, or for the sole purpose of 31
diversifying an applicant, participant, or customer pool; or32
(ii) A private establishment, as described in 42 U.S.C. Sec. 33
2000a(e). 34
(9)(a) A controller must provide consumers with a reasonably 35
accessible, clear, and meaningful privacy notice that includes:36
(i) The categories of personal data collected and processed by 37
the controller, including a separate list of categories of sensitive 38
data collected and processed by the controller, described in a level 39
p. 19 HB 1671
of detail that provides consumers a meaningful understanding of the 1
type of personal data collected or processed; 2
(ii) The categories of sources from which the consumer health 3
data is collected; 4
(iii) The purpose for collecting and processing each category of 5
personal data the controller collects or processes, described in a 6
way that gives consumers a meaningful understanding of how each 7
category of the consumers' personal data will be used;8
(iv) How consumers may exercise their consumer rights included in 9
section 3 of this act, including how a consumer may appeal a 10
controller's decision with regard to the consumer's request;11
(v) The categories of personal data that the controller transfers 12
to third parties, if any, and the purposes for those transfers;13
(vi) The categories of third parties, if any, to which the 14
controller transfers personal data; 15
(vii) The length of time the controller intends to retain each 16
category of personal data, or, if it is not possible to identify the 17
length of time, the criteria used to determine the length of time the 18
controller intends to retain categories of personal data; and19
(viii) An active email address or other online mechanism that the 20
consumer may use to contact the controller. 21
(b) If a controller makes a material change to its privacy 22
notice, the controller shall notify each consumer affected by the 23
material change before implementing the material change with respect 24
to prospectively collected personal data and provide a reasonable 25
opportunity for each consumer to withdraw consent. A controller 26
should provide a reasonable opportunity for each consumer to 27
affirmatively consent to further materially different processing or 28
transfer of previously collected personal data under the changed 29
policy. The controller shall take all reasonable electronic measures 30
to provide direct notification regarding material changes to the 31
privacy notice to each affected consumer, taking into account 32
available technology and the nature of the relationship.33
(10) If a controller sells personal data to third parties or 34
processes personal data for targeted advertising, the controller 35
shall clearly and conspicuously disclose such selling or processing, 36
as well as the manner in which a consumer may exercise the right to 37
opt out of such selling or processing. The sale of consumer health 38
data must comply with RCW 19.373.030. 39
p. 20 HB 1671
NEW SECTION. Sec. 7. RESPONSIBILITIES OF PROCESSORS. (1) A 1
processor shall adhere to the instructions of a controller and shall 2
assist the controller in meeting the controller's obligations under 3
this chapter. A processor's assistance must include:4
(a) Taking into account the nature of processing and the 5
information available to the processor, by appropriate technical and 6
organizational measures, insofar as is reasonably practicable, 7
assisting the controller in fulfilling the controller's obligation to 8
respond to consumer rights requests; 9
(b) Taking into account the nature of processing and the 10
information available to the processor, assisting the controller in 11
meeting the controller's obligation in relation to the security of 12
processing the personal data and in relation to the notification of a 13
breach of the security of the processor's system in order to meet the 14
controller's obligations; and 15
(c) Providing necessary information to enable the controller to 16
conduct and document data protection assessments. 17
(2) The processor's data processing procedures with respect to 18
processing performed on behalf of the controller must be governed by 19
a contract between a controller and a processor. The contract must be 20
binding and must clearly set forth instructions for processing data, 21
the nature and purpose of processing, the type of data subject to 22
processing, the duration of processing, and the rights and 23
obligations of both parties. The processor shall adhere to the 24
instructions of the controller and only process and transfer data it 25
receives from the controller to the extent necessary to provide a 26
service requested by the controller, as set out in the contract. The 27
contract must also require that the processor: 28
(a) Ensure that each person processing personal data is subject 29
to a duty of confidentiality with respect to that data;30
(b) At the controller's direction, delete or return all personal 31
data to the controller as requested at the end of the provision of 32
services, unless retention of the personal data is required by law;33
(c) Upon the reasonable request of the controller, make available 34
to the controller all information in its possession necessary to 35
demonstrate the processor's compliance with this chapter;36
(d) After providing the controller an opportunity to object, 37
engage any subcontractor pursuant to a written contract that requires 38
the subcontractor to meet the obligations of the processor with 39
respect to the personal data; 40
p. 21 HB 1671
(e) Be prohibited from combining personal data that the processor 1
receives from or on behalf of a controller with personal data that 2
the processor receives from or on behalf of another person or 3
collects from the interaction of the processor with an individual; 4
and 5
(f) Allow and cooperate with reasonable assessments by the 6
controller or the controller's designated assessor or arrange for a 7
qualified and independent assessor to conduct an assessment of the 8
processor's policies and technical and organizational measures in 9
support of the obligations under this chapter, using an appropriate 10
and accepted control standard or framework and assessment procedure 11
for such assessments. The processor shall provide a report of such 12
assessment to the controller upon request. 13
(3) A processor shall establish, implement, and maintain 14
administrative, technical, and physical data security practices that, 15
at a minimum, satisfy reasonable standard of care within the 16
processor's industry to protect the confidentiality, integrity, and 17
accessibility of personal data appropriate to the volume and nature 18
of the personal data at issue. 19
(4) Nothing in this section may be construed to relieve a 20
controller or processor from the liabilities imposed on the 21
controller or processor by virtue of the controller's or processor's 22
role in the processing relationship, as described in this chapter.23
(5) Determining whether a person is acting as a controller or 24
processor with respect to a specific processing of personal data is a 25
fact-based determination that depends on the context in which 26
personal data is to be processed. A person who is not limited in the 27
processing of personal data pursuant to a controller's instructions, 28
or who fails to adhere to such instructions, is a controller and not 29
a processor with respect to that specific processing of personal 30
data. A processor that continues to adhere to a controller's 31
instructions with respect to a specific processing of personal data 32
remains a processor. If a processor begins, alone or jointly with 33
others, determining the purposes and means of the processing of 34
personal data, the processor is a controller with respect to such 35
processing and may be subject to an enforcement action under this 36
chapter. 37
NEW SECTION. Sec. 8. DATA PROTECTION ASSESSMENTS. (1) A 38
controller may not conduct processing that presents a heightened risk 39
p. 22 HB 1671
of harm to a consumer without conducting and documenting a data 1
protection assessment for each of the controller's processing 2
activities that presents the heightened risk of harm to a consumer. 3
For the purposes of this section, processing that presents a 4
heightened risk of harm to a consumer includes: 5
(a) The collection or processing of personal data for the 6
purposes of targeted advertising; 7
(b) The sale of personal data; 8
(c) The processing of personal data for the purposes of 9
profiling, where such profiling presents a reasonably foreseeable 10
risk of: 11
(i) Unfair or deceptive treatment of consumers or unlawful 12
disparate impact on consumers; 13
(ii) Financial, physical, or reputational injury to consumers;14
(iii) A physical or other intrusion upon the solitude, seclusion, 15
or the private affairs or concerns of consumers, where such intrusion 16
would be offensive to a reasonable person; or 17
(iv) Other substantial injury to consumers; and18
(d) The collection or processing of sensitive data.19
(2) Data protection assessments conducted pursuant to subsection 20
(1) of this section must identify the categories of personal data 21
collected, the purposes for collecting personal data, and whether 22
personal data is being transferred. Data protection assessments must 23
also identify and weigh the benefits that may flow, directly and 24
indirectly, from the processing to the controller, the consumer, 25
other stakeholders, and the public against the potential risks to the 26
rights of the consumer associated with such processing, as mitigated 27
by safeguards that are employed by the controller to reduce such 28
risks. The controller shall factor into any data protection 29
assessment the use of deidentified data and the reasonable 30
expectations of consumers, as well as the context of the processing 31
and the relationship between the controller and the consumer whose 32
personal data is being processed. 33
(3)(a) A controller shall submit a report of the data protection 34
assessment or evaluation to the attorney general upon request. The 35
report must include a summary of the data protection assessment, and 36
the controller shall make the summary publicly available in a place 37
that is easily accessible to consumers. 38
(b) The attorney general may require that a controller disclose 39
any data protection assessment that is relevant to an investigation 40
p. 23 HB 1671
conducted by the attorney general, and the controller shall make the 1
data protection assessment available to the attorney general upon 2
request. The attorney general may evaluate the data protection 3
assessment for compliance with the responsibilities set forth in this 4
chapter. To the extent any information contained in a data protection 5
assessment disclosed to the attorney general includes information 6
subject to attorney-client privilege or work product protection, the 7
disclosure does not constitute a waiver of such privilege or 8
protection. 9
(4) A single data protection assessment may address a comparable 10
set of processing operations that include similar activities.11
(5) If a controller conducts a data protection assessment for the 12
purpose of complying with another applicable law or regulation, the 13
data protection assessment is deemed to satisfy the requirements of 14
this section if the data protection assessment is reasonably similar 15
in scope and effect to the data protection assessment that would 16
otherwise be conducted pursuant to this section. 17
(6) A controller shall conduct and document a data protection 18
assessment before initiating a processing activity that presents a 19
heightened risk of harm to a consumer. Throughout the processing 20
activity's life cycle, the controller shall review and update the 21
data protection assessment as often as appropriate, taking into 22
consideration the type, amount, and sensitivity of personal data 23
collected or processed and the level of risk presented by the 24
processing, in order to: 25
(a) Monitor for harm caused by the processing and adjust 26
safeguards accordingly; and 27
(b) Ensure that data protection and privacy are considered as the 28
controller makes new decisions with respect to the processing.29
(7) The first data protection assessment required by this section 30
must be completed no later than one year after the effective date of 31
this section. 32
NEW SECTION. Sec. 9. DEIDENTIFIED DATA. (1) Any controller in 33
possession of deidentified data shall:34
(a) Take technical measures to ensure that the data cannot be 35
associated with an individual; 36
(b) Publicly commit to maintaining and using deidentified data 37
without attempting to reidentify the data; and 38
p. 24 HB 1671
(c) Contractually obligate any recipients of the deidentified 1
data to comply with all provisions of this chapter.2
(2) Nothing in this chapter may be construed to require a 3
controller or processor to: 4
(a) Reidentify deidentified data; 5
(b) Maintain data in an identifiable form; or 6
(c) Collect, obtain, retain, or access any data or technology in 7
order to be capable of associating an authenticated consumer request 8
with personal data. 9
(3) Nothing in this chapter may be construed to require a 10
controller or processor to comply with an authenticated consumer 11
rights request if the controller: 12
(a) Is not reasonably capable of associating the request with the 13
personal data or it would be unreasonably burdensome for the 14
controller to associate the request with the personal data; and15
(b) Does not use the personal data to recognize or respond to the 16
specific consumer who is the subject of the personal data, or 17
associate the personal data with other personal data about the same 18
specific consumer. 19
(4) A controller that transfers deidentified data shall exercise 20
reasonable oversight to monitor compliance with any contractual 21
commitments to which the deidentified data is subject and shall take 22
appropriate steps to address any breaches of those contractual 23
commitments. 24
NEW SECTION. Sec. 10. LIMITATIONS. (1) The obligations imposed 25
on controllers and processors under this chapter do not restrict a 26
controller's or processor's ability to:27
(a) Comply with federal, state, or local laws, rules, or 28
regulations, except as prohibited by the Washington shield law, 29
chapter 7.115 RCW; 30
(b) Comply with a civil, criminal, or regulatory inquiry, 31
investigation, subpoena, or summons by federal, state, local, or 32
other governmental authorities; 33
(c) Cooperate with law enforcement agencies concerning conduct or 34
activity that the controller or processor reasonably and in good 35
faith believes may violate federal, state, or local laws, rules, or 36
regulations; 37
(d) Investigate, establish, exercise, prepare for, or defend 38
legal claims; 39
p. 25 HB 1671
(e) Provide a product or service specifically requested by the 1
consumer; 2
(f) Perform under a contract to which a consumer is a party, 3
including fulfilling the terms of a written warranty;4
(g) Take steps at the request of a consumer prior to entering 5
into a contract; 6
(h) Take immediate steps to protect an interest that is essential 7
for the life or physical safety of the consumer or another 8
individual, and where the processing cannot be manifestly based on 9
another legal basis; 10
(i) Prevent, detect, protect against, or respond to security 11
incidents, identity theft, fraud, harassment, malicious or deceptive 12
activities, or any illegal activity targeted at or involving the 13
controller or processor or its services; preserve the integrity or 14
security of systems; or investigate, report, or prosecute those 15
responsible for any such action; 16
(j) Engage in public or peer-reviewed scientific or statistical 17
research in the public interest that adheres to all relevant laws and 18
regulations governing such research, if applicable, and is approved, 19
monitored, and governed by an institutional review board, human 20
subjects research ethics review board, or a similar independent 21
oversight entity that determines whether: 22
(i) The deletion of personal data requested by a consumer 23
pursuant to section 3 of this act is likely to provide substantial 24
benefits that do not exclusively accrue to the controller;25
(ii) The expected benefits of the research outweigh the privacy 26
risks; and 27
(iii) The controller has implemented reasonable safeguards to 28
mitigate privacy risks associated with research, including any risks 29
associated with reidentification; 30
(k) Assist another controller, processor, or third party with any 31
of the obligations under this chapter; 32
(l) Process personal data for reasons of public interest in the 33
area of public health, community health, or population health, but 34
solely to the extent that such processing is: 35
(i) Subject to suitable and specific measures to safeguard the 36
rights of the consumer whose personal data is being processed; and37
(ii) Under the responsibility of a professional subject to 38
confidentiality obligations under federal, state, or local law;39
p. 26 HB 1671
(m) Ensure the data security and integrity of personal data as 1
required by this chapter, protect against spam, or protect and 2
maintain networks and systems, including through diagnostics, 3
debugging, and repairs; 4
(n) Transfer assets to a third party in the context of a merger, 5
acquisition, bankruptcy, or similar transaction when the third party 6
assumes control, in whole or in part, of the controller's assets, 7
provided that the controller, in a reasonable time prior to the 8
transfer, provides an affected consumer with notice describing the 9
transfer, including the name of the entity receiving the consumer's 10
personal data and the applicable privacy policies of such entity, and 11
a reasonable opportunity to withdraw previously provided consent 12
related to the consumer's personal data and to request the deletion 13
of the consumer's personal data; 14
(o) Effectuate a product recall pursuant to federal or state law, 15
or to fulfill a warranty; 16
(p) Conduct medical research in compliance with 45 C.F.R. Part 46 17
or 21 C.F.R. Part 50 or 56; or 18
(q) Process personal data previously collected in accordance with 19
this chapter such that the personal data becomes deidentified data, 20
including to: 21
(i) Conduct internal research to develop, improve, or repair 22
products, services, or technology; 23
(ii) Identify and repair technical errors that impair existing or 24
intended functionality; or 25
(iii) Perform internal operations that are reasonably aligned 26
with the expectations of the consumer or reasonably anticipated based 27
on the consumer's existing relationship with the controller, or are 28
otherwise compatible with processing data in furtherance of the 29
provision of a product or service specifically requested by a 30
consumer or the performance of a contract to which the consumer is a 31
party. 32
(2) The obligations imposed on controllers and processors under 33
this chapter do not apply where compliance by a controller or 34
processor would violate an evidentiary privilege under Washington law 35
and do not prevent a controller or processor from providing personal 36
data concerning a consumer to a person covered by an evidentiary 37
privilege under Washington law as part of a privileged communication.38
(3) A controller or processor that discloses personal data in 39
compliance with this chapter to a third-party controller or processor 40
p. 27 HB 1671
is not in violation of this chapter if the recipient processes such 1
personal data in violation of this chapter, provided that, at the 2
time of disclosing the personal data, the disclosing controller or 3
processor did not have actual knowledge that the recipient would 4
violate this chapter. A third-party controller or processor receiving 5
personal data in compliance with this chapter from a controller or 6
processor is likewise not in violation of this chapter for the 7
transgressions of the controller or processor from which it receives 8
the personal data. 9
(4) Nothing in this chapter may be construed to:10
(a) Impose any obligation on a controller or processor that 11
adversely affects the rights or freedoms of any persons including, 12
but not limited to, the rights of any person to freedom of speech or 13
freedom of the press guaranteed in the First Amendment to the United 14
States Constitution or under the Washington reporter shield law, 15
chapter 5.68 RCW; 16
(b) Apply to any person's collection or processing of personal 17
data in the course of the person's purely personal or household 18
activities; or 19
(c) For private schools approved by the state under chapter 20
28A.195 RCW and private institutions of higher education as defined 21
in 20 U.S.C. Sec. 1001 et seq., require deletion of personal data 22
that would unreasonably interfere with the provision of education 23
services by or the ordinary operation of the school or institution.24
(5)(a) Personal data collected or processed by a controller 25
pursuant to this section may be collected or processed to the extent 26
that the collection or processing is: 27
(i) Strictly necessary and proportionate to the purposes listed 28
in this section, or, in the case of consumer health data, is in 29
compliance with RCW 19.373.030; 30
(ii) Limited to what is strictly necessary in relation to the 31
specific purpose or purposes listed in this section, or, in the case 32
of consumer health data, in compliance with RCW 19.373.030; and33
(iii) Compliant with section 6 of this act. 34
(b) Personal data processed pursuant to subsection (1)(q) of this 35
section must, where applicable, take into account the nature and 36
purpose or purposes of the processing. Such data must be subject to 37
reasonable administrative, technical, and physical measures to 38
protect the confidentiality, integrity, and accessibility of the 39
p. 28 HB 1671
personal data, and to reduce reasonably foreseeable risks of harm to 1
consumers relating to such processing of personal data.2
(6) If a controller collects or processes personal data pursuant 3
to an exemption in this section, the controller bears the burden of 4
demonstrating that such collection or processing qualifies for the 5
exemption and complies with the requirements in subsection (5) of 6
this section. 7
NEW SECTION. Sec. 11. ADDITIONAL REQUIREMENTS. (1) Controllers 8
and processors that collect or process consumer health data may be 9
subject to additional data privacy requirements pursuant to chapter 10
19.373 RCW.11
(2) Controllers and processors that collect or process data that 12
is exempt from this chapter may still be considered regulated 13
entities or processors under chapter 19.373 RCW and may be required 14
to comply with obligations under chapter 19.373 RCW.15
NEW SECTION. Sec. 12. ENFORCEMENT. The legislature finds that 16
the practices covered by this chapter are matters vitally affecting 17
the public interest for the purpose of applying the consumer 18
protection act, chapter 19.86 RCW. A violation of this chapter is not 19
reasonable in relation to the development and preservation of 20
business and is an unfair or deceptive act in trade or commerce and 21
an unfair method of competition for the purpose of applying the 22
consumer protection act, chapter 19.86 RCW. 23
NEW SECTION. Sec. 13. OTHER ENFORCEMENT PRECLUDED. The rights 24
and obligations covered by this chapter may only be enforced pursuant 25
to section 12 of this act.26
NEW SECTION. Sec. 14. WAIVER OF RIGHTS. Any provision of a 27
contract or agreement of any kind that purports to waive, release, 28
limit in any way, or extinguish the rights of consumers under this 29
chapter is against public policy and is void and unenforceable.30
NEW SECTION. Sec. 15. A new section is added to chapter 19.373 31
RCW to read as follows: 32
A regulated entity, small business, or processor subject to the 33
requirements of this chapter may also be subject to data privacy 34
p. 29 HB 1671
requirements provided in chapter 19.--- RCW (the new chapter created 1
in section 17 of this act). 2
NEW SECTION. Sec. 16. If any provision of this act or its 3
application to any person or circumstance is held invalid, the 4
remainder of the act or the application of the provision to other 5
persons or circumstances is not affected.6
NEW SECTION. Sec. 17. Sections 1 through 14 of this act 7
constitute a new chapter in Title 19 RCW.8
NEW SECTION. Sec. 18. Section 12 of this act takes effect 9
August 1, 2026.10
--- END ---
p. 30 HB 1671