The Washington state consumer data privacy commission is created and vested with administrative powers and rule-making and administrative enforcement authority to implement and enforce chapter 19.--- RCW (the new chapter created in section 20, chapter . . . (Engrossed Second Substitute Senate Bill No. 5062 (S- . . . . /22)), Laws of 2022) and the rules adopted by the commission.
[Empty]
The commission is composed of three commissioners appointed by the governor, with the consent of the senate. The commission has the authority and duties set forth in this chapter.
Of the persons initially appointed to the commission by the governor, one must be appointed to serve three years, one to serve five years, and one to serve seven years. Upon expiration of the original terms, subsequent appointments are for five-year terms. Any vacancies occurring in the membership of the commission must be filled for the remainder of the unexpired term in the same manner as the original appointments. A commissioner is eligible for reappointment. The governor shall designate one of the commissioners to be chair of the commission during the term of the governor.
Each commissioner shall:
Have qualifications, experience, and skills, in particular in the areas of privacy and technology, required to perform the duties of the commission and exercise its powers and authority;
Maintain the confidentiality of information that has come to their knowledge in the course of the performance of their tasks or exercise of their powers, except to the extent that disclosure is required by chapter 42.56 RCW;
Remain free from external influence, whether direct or indirect, and neither seek nor take instructions from another;
Refrain from any action incompatible with their duties or engage in any incompatible occupation, whether gainful or not, during their term;
Have the right of access to all information made available by the commission to the chair of the commission;
Be precluded, for a period of one year after leaving office, from accepting employment with a controller or processor that was subject to an enforcement action or civil action under this chapter during the member's tenure or during the five-year period preceding the member's appointment; and
Be precluded for a period of two years after leaving office from acting, for compensation, as an agent or attorney for, or otherwise representing, any other person in a matter pending before the commission if the purpose is to influence an action of the commission.
Each commissioner must receive a salary as may be fixed by the governor in accordance with the provisions of RCW 43.03.040.
The commission must appoint an executive director and set, within the limits established by the office of financial management under RCW 43.03.028, the executive director's compensation. The executive director shall perform such duties and have such powers as the commission may prescribe and delegate to implement and enforce this chapter efficiently and effectively. The commission may not delegate its authority to:
Adopt, amend, or rescind rules;
Determine that a violation of chapter 19.--- RCW (the new chapter created in section 20, chapter . . . (Engrossed Second Substitute Senate Bill No. 5062 (S- . . . . /22)), Laws of 2022) has occurred; or
Assess penalties for violations.
The commission may employ technical, administrative, and other staff as necessary to carry out the commission's duties and powers as prescribed in this chapter. The Washington utilities and transportation commission shall provide all administrative staff support for the Washington state consumer data privacy commission, which shall otherwise retain its independence in exercising its powers, functions, and duties and its supervisory control over nonadministrative staff.
The Washington state consumer data privacy commission must:
Review and investigate consumer complaints, or complaints initiated on its own, of alleged violations of chapter 19.--- RCW (the new chapter created in section 20, chapter . . . (Engrossed Second Substitute Senate Bill No. 5062 (S- . . . . /22)), Laws of 2022) pursuant to section 3 of this act;
Adopt, amend, and rescind suitable rules under chapter 34.05 RCW, the administrative procedure act, to carry out the purposes and provisions of sections 3 and 5 of this act and chapter 19.--- RCW (the new chapter created in section 20, chapter . . . (Engrossed Second Substitute Senate Bill No. 5062 (S- . . . . /22)), Laws of 2022);
Administer, implement, and enforce through administrative actions chapter 19.--- RCW (the new chapter created in section 20, chapter . . . (Engrossed Second Substitute Senate Bill No. 5062 (S- . . . . /22)), Laws of 2022) and rules adopted by the commission;
Develop guidance for consumers regarding their rights under chapter 19.--- RCW (the new chapter created in section 20, chapter . . . (Engrossed Second Substitute Senate Bill No. 5062 (S- . . . . /22)), Laws of 2022) and for controllers and processors regarding their obligations under chapter 19.--- RCW (the new chapter created in section 20, chapter . . . (Engrossed Second Substitute Senate Bill No. 5062 (S- . . . . /22)), Laws of 2022);
Provide technical assistance and advice to the legislature, upon request, with respect to privacy-related legislation;
Monitor relevant developments relating to the protection of personal data, and in particular, the development of information and communication technologies and commercial practices;
Cooperate with other jurisdictions with similar consumer data privacy laws to ensure consistent application of consumer data privacy protections;
Periodically review statutory definitions and make recommendations to the legislature to update the definitions based on changes in the industry;
Conduct an analysis of any global privacy control mechanism or any similar mechanism required by law or regulation in the United States, including specifications for informing consumers about available opt-out choices and authenticating consumer requests, or requests made by a third party designated by a consumer, to opt out of processing for the purpose of targeted advertising or the sale of personal data pursuant to chapter 19.--- RCW (the new chapter created in section 20, chapter . . . (Engrossed Second Substitute Senate Bill No. 5062 (S- . . . . /22)), Laws of 2022). Additional stakeholders with relevant expertise may be consulted when conducting the analysis. The commission shall provide this analysis and any findings to the governor and the appropriate committees of the legislature by December 1, 2023;
Establish and collect an annual fee pursuant to section 5 of this act;
Perform all other acts necessary and appropriate in the exercise of its power, authority, and jurisdiction to protect consumer rights pursuant to chapter 19.--- RCW (the new chapter created in section 20, chapter . . . (Engrossed Second Substitute Senate Bill No. 5062 (S- . . . . /22)), Laws of 2022) and seek to balance the goals of strengthening protections for consumers' fundamental right to privacy while giving attention to the impact on controllers and processors; and
Establish and maintain a page on its internet website where the information provided by controllers under chapter 19.--- RCW (the new chapter created in section 20, chapter . . . (Engrossed Second Substitute Senate Bill No. 5062 (S- . . . . /22)), Laws of 2022) is accessible to the public.
The commission may consult with the office of privacy and data protection created in RCW 43.105.369 in the provisions of subsection (1)(d) through (i) of this section.
The commission may order a controller or processor to provide any information the commission requires for the performance of its duties pursuant to this chapter, including access to a controller's or processor's premises and data processing equipment and means.
The commission may subpoena witnesses, compel their attendance, administer oaths, take the testimony of any person under oath, and require by subpoena the production of any books, papers, records, or other items material to the performance of the commission's duties or exercise of its powers including, but not limited to, its power to audit a controller's or processor's compliance with chapter 19.--- RCW (the new chapter created in section 20, chapter . . . (Engrossed Second Substitute Senate Bill No. 5062 (S- . . . . /22)), Laws of 2022) and any rules adopted by the commission pursuant to subsection (1)(b) of this section.
Upon the complaint of a consumer or on its own initiative, the Washington state consumer data privacy commission may investigate alleged violations by a controller or processor of chapter 19.--- RCW (the new chapter created in section 20, chapter . . . (Engrossed Second Substitute Senate Bill No. 5062 (S- . . . . /22)), Laws of 2022) or any rules issued by the commission. The commission may decide not to investigate a complaint. In making a decision not to investigate or provide more time to cure, the commission may consider the following:
Lack of intent to violate chapter 19.--- RCW (the new chapter created in section 20, chapter . . . (Engrossed Second Substitute Senate Bill No. 5062 (S- . . . . /22)), Laws of 2022) or any rules issued by the commission; and
Voluntary efforts undertaken by the controller or processor to cure the alleged violation prior to being notified by the commission of the complaint.
The commission shall provide written notification to the consumer who made the complaint of the action, if any, the commission has taken or plans to take on the complaint, together with the reasons for that action or nonaction.
[Empty]
The commission may not make a finding that there is reason to believe that a violation has occurred unless, at least 30 days prior to the commission's consideration of the alleged violation, the alleged violator is:
Notified of the alleged violation by service of process or registered mail with return receipt requested;
Provided with a summary of the evidence; and
Informed of their right to be present in person and represented by counsel at any proceeding of the commission held for the purpose of considering whether there is reason to believe that a violation has occurred.
Notice to the alleged violator is deemed made on the date of service, the date the registered mail receipt is signed, or if the registered mail receipt is not signed, the date returned by the post office.
A proceeding held for the purpose of considering whether there is reason to believe that a violation has occurred is private unless the alleged violator files with the commission a written request that the proceeding be public.
[Empty]
If the commission determines there is reason to believe that chapter 19.--- RCW (the new chapter created in section 20, chapter . . . (Engrossed Second Substitute Senate Bill No. 5062 (S- . . . . /22)), Laws of 2022) or a rule adopted by the commission has been violated, prior to holding a hearing pursuant to subsection (5) of this section, the commission shall issue to the controller or processor a warning letter identifying specific provisions of chapter 19.--- RCW (the new chapter created in section 20, chapter . . . (Engrossed Second Substitute Senate Bill No. 5062 (S- . . . . /22)), Laws of 2022) the commission believes have been or are being violated.
Within 30 days of the issuance of the warning letter, the controller or processor shall provide the commission with a written response to explain that the alleged violation has not been committed or to summarize how the violation has been cured.
Upon the receipt of the controller's or processor's response, the commission shall make a written finding as to whether a violation has been committed and whether the violation has been cured. If the commission finds that no violation has been committed, the commission shall close the matter. If the commission finds the violation has not been cured, the commission may proceed with the administrative hearing pursuant to subsection (5) of this section.
[Empty]
When the commission determines there is reason to believe that chapter 19.--- RCW (the new chapter created in section 20, chapter . . . (Engrossed Second Substitute Senate Bill No. 5062 (S- . . . . /22)), Laws of 2022) or a rule adopted by the commission has been violated and that the violation has not been cured pursuant to subsection (4) of this section, it shall hold a hearing to determine if a violation has occurred. Notice must be given and the hearing conducted in accordance with chapter 34.05 RCW, the administrative procedure act. The commission shall have all the powers granted by that chapter.
[Empty]
(A) Cease and desist the violation; or
(B) Pay an administrative fine of up to $2,500 for each violation, or up to $7,500 for each intentional violation and each violation involving the personal data of a child.
ii. In addition to any other remedies provided by law, the commission's order issued pursuant to this subsection (5)(b) may be enforced in accordance with chapter 34.05 RCW.
c. [Empty]
i. If the commission determines on the basis of the hearing conducted pursuant to (a) of this subsection that a violation has occurred, the commission shall then determine if that consumer suffered actual damages as a result of the violation. If the commission determines, pursuant to this subsection, the consumer suffered actual damages as a result of the violation, that consumer may bring a civil action under the consumer protection act, chapter 19.86 RCW, to obtain injunctive relief and for recovery of those actual damages and reasonable attorneys' fees.
ii. For the purposes of this subsection (5)(c), "actual damages" means demonstrable economic loss or physical harm to the consumer as a result of the violation.
d. [Empty]
i. After the commission issues a cease and desist order pursuant to (b)(i) of this subsection, on its own initiative or upon the complaint of a consumer who initiated the complaint from which that order originated, the commission may determine whether or not a violator has complied with that order. If the commission determines that the violator has not complied with that order and the consumer suffered actual damages due to noncompliance, then that consumer may bring a civil action under the consumer protection act, chapter 19.86 RCW, to obtain only injunctive relief and for recovery of those actual damages and reasonable attorneys' fees.
ii. For the purposes of this subsection (5)(d), "actual damages" means demonstrable economic loss or physical harm to the consumer as a result of the violation.
e. All receipts from the imposition of administrative fines under this section must be deposited into the consumer privacy account created in RCW 19.---.--- (section 16, chapter . . . (Engrossed Second Substitute Senate Bill No. 5062 (S- . . . . /22)), Laws of 2022).
f. When the commission determines that no violation has occurred, it shall publish a declaration so stating.
Any decision of the commission with respect to a complaint or administrative fine is subject to judicial review in an action brought by a party to the complaint or administrative fine and is subject to an abuse of discretion standard.
Upon reviewing a complaint, the commission may refer the complaint to the attorney general for civil enforcement under the consumer protection act, chapter 19.86 RCW. The commission and the attorney general may consult prior to referral to determine the appropriate enforcement mechanism.
Except as provided in section 3(5) (c) and (d) of this act, nothing in this chapter creates an independent cause of action, except for the actions brought by the attorney general to enforce chapter 19.--- RCW (the new chapter created in section 20, chapter . . . (Engrossed Second Substitute Senate Bill No. 5062 (S- . . . . /22)), Laws of 2022). Except as provided in section 3(5) (c) and (d) of this act, no person, except for the attorney general, may enforce the rights and protections created by chapter 19.--- RCW (the new chapter created in section 20, chapter . . . (Engrossed Second Substitute Senate Bill No. 5062 (S- . . . . /22)), Laws of 2022) in any action. However, nothing in this chapter limits any other independent causes of action enjoyed by any person, including any constitutional, statutory, administrative, or common law rights or causes of action. The rights and protections in this chapter are not exclusive, and to the extent that a person has the rights and protections in this chapter because of another law other than this chapter, the person continues to have those rights and protections notwithstanding the existence of this chapter.
Beginning January 1, 2024, contingent on an interagency agreement between the commission and the department of revenue, and subject to RCW 82.32.330, every controller or processor that meets the jurisdictional thresholds as provided in RCW 19.--.--- (section 4, chapter . . . (Engrossed Second Substitute Senate Bill No. 5062 (S- . . . . /22)), Laws of 2022), shall file with the commission a statement on oath showing its gross operating revenue from intrastate operations for the preceding calendar year or portion thereof and pay to the commission a fee equal to one-tenth of one percent of intrastate gross operating revenue.
The gross revenue information submitted pursuant to this section is confidential and privileged. The commission or any other person may not disclose any statement or related information.
Any controller or processor with gross operating revenue from intrastate operations below $20,000,000 in the preceding calendar year is not required to pay the annual fee to the commission. The commission may by rule waive any or all of the minimum fee established pursuant to this section.
The fees collected under this section may not exceed, in aggregate, $10,000,000 annually.
The commission may establish tiers of entities based on intrastate annual gross revenue and specific rates for each tier. The commission may by rule reduce or increase the percentage of intrastate gross operating revenue that is used to determine any controller or processor's fees as needed to fund the agency while not exceeding, in aggregate, $10,000,000 annually. The percentage rates of gross operating revenue to be paid in any year may be reduced or increased by the commission by general order entered before March 1st of such year.
Any payment of the fee imposed by this section made after its due date must include a late fee of two percent of the amount due. Delinquent fees accrue interest at the rate of one percent per month.
For the purposes of compliance, the commission may contract with the department of revenue for the purposes of auditing and reviewing entities' intrastate gross revenues.
All receipts from the imposition of the annual fee under this section must be deposited into the consumer privacy account created in RCW 19.--.--- (section 16, chapter . . . (Engrossed Second Substitute Senate Bill No. 5062 (S- . . . . /22)), Laws of 2022), and may be used only for the operating expenses of the commission.
The definitions in chapter 19.--- RCW (the new chapter created in section 20, chapter . . . (Engrossed Second Substitute Senate Bill No. 5062 (S- . . . . /22)), Laws of 2022) apply throughout this chapter.
If specific funding for the purposes of this act, referencing this act by bill or chapter number, is not provided by June 30, 2022, in the omnibus appropriations act, this act is null and void.