BillTracker

Protecting the privacy and security of internet users.

Requires a broadband internet access service provider to: (1) Notify its customers of its privacy policies; (2) Provide existing customers with advance notice of one or more material changes to the carrier's privacy policies; (3) Obtain opt-out approval from a customer to use, disclose, or permit access to the customer's nonsensitive customer proprietary information; and (4) Take reasonable measures to protect customer personal information from unauthorized use, disclosure, or access. Requires the office of the attorney general, in consultation with the utilities and transportation commission, the office of data and privacy protection, and the department of commerce, to review and analyze additional opportunities to increase consumer privacy transparency, control, and protection. Creates the consumer privacy and security account.

1ST SUBSTITUTE COMPARED TO ORIGINAL:
The restricted activities involving customer PI are changed to be the sale or transfer of such information, or advertisement to a customer based on the customer's PI. The required approval for all restricted activities is changed to opt-in approval. The restriction on financial incentives and waivers is modified, with specifications removed. The UTC is authorized to adopt rules further defining the definitions and prescribing customer notice to be provided.
Sections dealing with the following are removed:
-notice requirements;
-data security requirements;
-specific incorporation of BIAS providers to the existing data breach notification requirements;
-and the reporting requirement from the Office of the Attorney General.
The definition of "customer PI" is changed to refer directly to specific categories of information, instead of subcategories. "Biometric identifiers" are added to the definition and "customer proprietary network information" is removed from the definition. The effective date of all substantive sections is changed to July 1, 2018.

EFFECT OF HOUSE STRIKER AMENDMENT:
Removes "biometric identifiers" from the definition of customer proprietary information and modifies the definition of "optin approval." Specifies that a BIAS provider must obtain approval for changes in, and provide a mechanism to change approval for, certain activities restricted under the act. Specifies that "transfer" does not include use or disclosure in the provision of internet service. Specifies an exception for the sale or transfer of customer proprietary information in the course of a merger, acquisition, sale of company assets, or transition of service. Creates an expiration date contingent upon the establishment of federal customer protections standards substantially equivalent to those provided in the act. Changes the effective date of substantive provisions to December 31, 2018.

Hearing Date: Wednesday, April 12, 2017 -- 8:00 am

WA State Legislature Link:
http://app.leg.wa.gov/billsummary?BillNumber=2200&Year=2017    (opens a new browser tab)