Read the full stored bill text
AN ACT Relating to performance measures, duties, and reporting 1
requirements for the office of privacy and data protection; and 2
amending RCW 43.105.369. 3
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF WASHINGTON:4
Sec. 1. RCW 43.105.369 and 2024 c 54 s 16 are each amended to 5
read as follows: 6
(1) The office of privacy and data protection is created within 7
the agency. The purpose of the office of privacy and data protection 8
is to serve as a central point of contact for state agencies on 9
policy matters involving data privacy and data protection.10
(2) The director shall appoint the chief privacy officer, who is 11
the director of the office of privacy and data protection.12
(3) The primary duties of the office of privacy and data 13
protection with respect to state agencies are: 14
(a) To conduct an annual privacy review; 15
(b) To conduct an annual privacy training for state agencies and 16
employees; 17
(c) To articulate privacy principles and best practices;18
(d) To coordinate data protection in cooperation with the agency; 19
and 20
H-2923.1
HOUSE BILL 2606
State of Washington 69th Legislature 2026 Regular Session
By Representatives Barnard, Ryu, Nance, and Timmons
Read first time 01/21/26. Referred to Committee on Technology,
Economic Development, & Veterans.
p. 1 HB 2606
(e) To participate with the agency in the review of major state 1
agency projects involving personally identifiable information , 2
including projects using artificial intelligence. 3
(4) The office of privacy and data protection must serve as a 4
resource to local governments and the public on data privacy and 5
protection concerns by: 6
(a) Developing and promoting the dissemination of best practices 7
for the collection and storage of personally identifiable 8
information, including establishing and conducting a training program 9
or programs for local governments; and 10
(b) Educating consumers about the use of personally identifiable 11
information on mobile and digital networks and measures that can help 12
protect this information. 13
(5) By December 1, 2016, and every four years thereafter, the 14
office of privacy and data protection must prepare and submit to the 15
legislature a report evaluating its performance. The office of 16
privacy and data protection must establish performance measures in 17
its 2016 report to the legislature and, in each report thereafter, 18
demonstrate the extent to which performance results have been 19
achieved. These performance measures must include, but are not 20
limited to, the following: 21
(a) ((The number of state agencies and employees who have 22
participated in the annual privacy training )) Improvement of privacy 23
and data protection policies and practices by state agencies and, 24
when available, local governments, following participation in the 25
office of privacy and data protection's trainings, and for state 26
agencies, annual review; 27
(b) ((A report on the )) The extent of the office of privacy and 28
data protection's coordination with international and national 29
experts in the fields of data privacy, data protection, and access 30
equity; 31
(c) ((A report on the implementation of data protection measures 32
by state agencies attributable in whole or in part to the office of 33
privacy and data protection's coordination of efforts; and34
(d) A report on consumer education efforts, including but not 35
limited to the number of consumers educated through public outreach 36
efforts, as indicated by how frequently educational documents were 37
accessed, the office of privacy and data protection's participation 38
in outreach events, and inquiries received back from consumers via 39
telephone or other media )) Data on contacts with the public, 40
p. 2 HB 2606
including how many members of the public contact the office of 1
privacy and data protection, the nature of the contact, and the 2
office of privacy and data protection's response, including providing 3
referrals and technical assistance; 4
(d) Results of direct evaluation from participants of the office 5
of privacy and data protection's trainings, including in-person or 6
virtual formats. The report shall also include how many trainings 7
were completed, topics, and how many participants attended;8
(e) The number and nature of technical assistance requests by 9
state agencies and local governments;10
(f) The office of privacy and data protection's staff continuing 11
education activities or certifications in emerging technologies, 12
evolving best practices, and state or federal policies; and13
(g) The number of privacy threshold analyses completed, and the 14
number of privacy impact assessments completed. 15
(((6) Within one year of June 9, 2016, the office of privacy and 16
data protection must submit to the joint legislative audit and review 17
committee for review and comment the performance measures developed 18
under subsection (5) of this section and a data collection plan.19
(7) The office of privacy and data protection shall submit a 20
report to the legislature on the: (a) Extent to which 21
telecommunications providers in the state are deploying advanced 22
telecommunications capability; and (b) existence of any inequality in 23
access to advanced telecommunications infrastructure experienced by 24
residents of tribal lands, rural areas, and economically distressed 25
communities. The report may be submitted at a time within the 26
discretion of the office of privacy and data protection, at least 27
once every four years, and only to the extent the office of privacy 28
and data protection is able to gather and present the information 29
within existing resources.))30
--- END ---
p. 3 HB 2606