Washington HB 1671 (2025-26 session), Substitute Bill (wa-law.org)
The definitions in this section apply throughout this chapter unless the context clearly requires otherwise.
"Affiliate" has the same meaning as defined in RCW 19.373.010.
"Affirmative consent" or "consent" means a clear affirmative act signifying a consumer's freely given, specific, informed, revokable, and unambiguous authorization for an act or practice after having been informed, in response to a specific request from a controller, provided that:
The request is provided to the consumer in a clear and conspicuous stand-alone disclosure;
The request includes a description of the processing purpose for which the consumer's consent is sought and (A) clearly distinguishes between an act or practice that is necessary to fulfill a request of the consumer and an act or practice that is for another purpose, (B) clearly states the specific categories of personal data that the controller intends to collect, process, or transfer under each act or practice, and (C) is written in easy to understand language and includes a prominent heading that would enable a reasonable consumer to identify and understand each act or practice;
The request clearly explains the consumer's rights related to consent;
The request is made in a manner reasonably accessible to and usable by consumers with disabilities;
The request is made available to the consumer in each language in which the controller provides a product or service for which authorization is sought;
The option to refuse to give consent is at least as prominent and takes the same number of steps or fewer as the option to give consent; and
Affirmative consent to an act or practice is not inferred from the inaction of the consumer or the consumer's continued use of a service or product provided by the controller.
"Affirmative consent" does not include:
Acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information;
Hovering over, muting, pausing, or closing a given piece of content;
Agreement obtained through the use of a false, fraudulent, or materially misleading statement or representation; or
Agreement obtained through the use of dark patterns.
"Authenticate" means to use reasonable means to determine that a request to exercise any of the rights afforded in this chapter is being made by, or on behalf of, the consumer who is entitled to exercise such rights with respect to the personal data at issue.
"Biometric data" has the same meaning as defined in RCW 19.373.010.
"Child" means a consumer under the age of 13 years old.
"Collect" means buying, renting, gathering, obtaining, receiving, accessing, or otherwise acquiring personal data by any means.
"Consumer" means a natural person who is a Washington resident and who acts only in an individual or household context, however identified, including by any unique identifier. The location of a person in Washington state creates a presumption that the person is a Washington resident. "Consumer" does not include an individual acting in an employment context.
"Consumer health data" means personal data that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status.
For the purposes of this definition, physical or mental health status includes, but is not limited to:
Individual health conditions, treatment, diseases, or diagnosis;
Social, psychological, behavioral, and medical interventions;
Health-related surgeries or procedures;
Use or purchase of prescribed medication;
Bodily functions, vital signs, symptoms, or measurements of such information;
Diagnoses or diagnostic testing, treatment, or medication;
Gender-affirming care information;
Reproductive or sexual health information;
Biometric data;
Precise geolocation information that could reasonably indicate a consumer's attempt to acquire or receive health services or supplies;
Data that identifies a consumer seeking health care services; or
Any information that a controller or processor processes to associate or identify a consumer with the data described in (b)(i) through (xii) of this subsection that is derived or extrapolated from nonhealth information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning).
"Consumer health data" does not include personal data that is used to engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, human subjects research ethics review board, or a similar independent oversight entity that determines that the controller or processor has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with reidentification.
"Contextual advertising" means displaying or presenting an advertisement that does not vary based on the identity of the individual recipient and is based solely on the immediate content of a web page or online service within which the advertisement appears, or on a specific request of the consumer for information or feedback, if displayed in proximity to the results of such request for information.
A controller may use the following types of personal data to display a contextual advertisement, provided that the personal data is not used to make inferences about the consumer, profile the consumer, or for any other purpose, and that the consumer may use technical means to obfuscate or change the consumer's physical location and specify a language preference:
Technical specifications that are necessary for the ad to be delivered and displayed properly on a given device;
A consumer's immediate presence in a geographic area with a radius no smaller than 10 miles, or an area reasonably estimated to include online activity from at least 5,000 users, but not including precise geolocation data; or
The consumer's language preferences, as inferred from context, browser settings, or user settings.
"Controller" means the natural or legal person who, alone or jointly with others, determines the purposes and means of collecting or processing of personal data.
"Dark pattern" means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making or choice.
"Decisions that produce legal or similarly significant effects concerning the consumer" means decisions that result in access to, or the provision or denial by the controller of financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, health care services, or access to essential goods or services.
"Deidentified data" means data that does not identify and cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such individual, if the controller that possesses the data:
Takes reasonable physical, administrative, and technical measures to ensure that the data cannot be associated with an individual, or be used to reidentify an individual or device that identifies or is linked or reasonably linkable to an individual;
Publicly commits to process the data only in a deidentified fashion and not attempt to reidentify the data; and
Contractually obligates any recipients of the data to comply with (a) and (b) of this subsection.
"First party" means a consumer-facing controller with which the consumer intends or expects to interact.
"First-party advertising" means processing by a first party of its own first-party data for the purposes of advertising and marketing and is carried out:
Through direct communications with a consumer, such as direct mail, email, or text message communications;
In a physical location operated by the first party; or
Through display or presentation of an advertisement on the first party's own website, application, or its other online content.
"First-party advertising" includes marketing measurement related to such advertising and marketing.
"First-party data" means personal data collected directly from a consumer by a first party, including based on a visit by the consumer to or use by the consumer of a website, a physical location, or an online service operated by the first party.
"Gender-affirming care information" means personal data relating to seeking or obtaining past, present, or future gender-affirming care services. "Gender-affirming care information" includes, but is not limited to:
Precise geolocation information that could reasonably indicate a consumer's attempt to acquire or receive gender-affirming care services;
Efforts to research or obtain gender-affirming care services; or
Any gender-affirming care information that is derived, extrapolated, or inferred, including from nonhealth information, such as proxy, derivative, inferred, emergent, or algorithmic data.
"Gender-affirming care services" has the same meaning as in RCW 19.373.010.
"Identified or identifiable individual" means an individual who can be readily identified, directly or indirectly.
"Marketing measurement" means measuring and reporting on marketing performance or media performance by the controller, including processing personal data for measurement and reporting of frequency, attribution, and performance.
"Minor" means any consumer who is younger than 18 years of age.
"Person" means an individual, association, company, limited liability company, corporation, partnership, sole proprietorship, trust, or any other legal entity.
"Personal data" means any information that identifies or is reasonably capable of being associated or linked, directly or indirectly, with a particular consumer. "Personal data" includes, but is not limited to, derived data and data associated with a persistent unique identifier, such as a cookie ID, an IP address, a device identifier, or any other form of persistent unique identifier. "Personal data" does not include publicly available information or deidentified data.
"Precise geolocation data" means information derived from technology including, but not limited to, latitude and longitude coordinates from global positioning system mechanisms or other similar positional data, that reveals the past or present physical location of an individual or device that identifies or is linked or reasonably linkable to one or more individuals with precision and accuracy within a radius of 1,750 feet.
"Precise geolocation information" does not include the content of communications, a photograph or video, metadata associated with a photograph or video that cannot be linked to an individual, or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.
"Process" or "processing" means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the use, storage, disclosure, analysis, deletion, or modification of personal data.
"Processor" means a person that collects, processes, or transfers personal data on behalf of, and at the direction of, a controller or another processor.
"Profiling" means any form of processing performed on personal data to evaluate, analyze, or predict personal aspects, including an individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
"Publicly available information" means information that has been lawfully made available to the general public from:
Federal, state, or municipal government records, if the person collects, processes, and transfers such information in accordance with any restrictions or terms of use placed on the information by the relevant government entity;
Widely distributed media; or
A disclosure to the general public as required by federal, state, or local law.
"Publicly available information" does not include:
Any obscene visual depiction, as defined in 18 U.S.C. Sec. 1460;
Any inference made exclusively from multiple independent sources of publicly available information that reveals sensitive data with respect to a consumer;
Biometric data;
Personal data that is created through the combination of personal data with publicly available information;
Genetic data, unless otherwise made publicly available by the individual to whom the information pertains;
Information made available by a consumer on a website or online service made available to all members of the public, for free or for a fee, where the consumer has restricted the information to a specific audience; or
Intimate images and fabricated intimate images disclosed without consent of the depicted individual. For the purposes of this subsection, "intimate image," "fabricated intimate image," and "depicted individual" have the same meaning as defined in RCW 7.110.010.
"Reproductive or sexual health information" means personal data relating to seeking or obtaining past, present, or future reproductive or sexual health services. "Reproductive or sexual health information" includes, but is not limited to:
Precise geolocation information that could reasonably indicate a consumer's attempt to acquire or receive reproductive or sexual health services;
Efforts to research or obtain reproductive or sexual health services; or
Any reproductive or sexual health information that is derived, extrapolated, or inferred, including from nonhealth information, such as proxy, derivative, inferred, emergent, or algorithmic data.
"Reproductive or sexual health services" has the same meaning as defined in RCW 19.373.010.
"Sale of personal data" means the exchange of personal data for monetary or other valuable consideration by the controller to a third party.
"Sale of personal data" does not include:
The disclosure of personal data to a processor that processes the personal data on behalf of the controller;
The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
The disclosure or transfer of personal data to an affiliate of the controller;
With the consumer's affirmative consent, the disclosure of personal data where the consumer affirmatively directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party; or
The disclosure of personal data that the consumer intentionally made available to the general public via a channel of mass media and did not restrict to a specific audience.
"Sensitive data" means personal data that includes:
Data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, status as pregnant, sex life, sexual orientation, status as transgender or nonbinary, union membership, income level or indebtedness, or citizenship or immigration status;
Consumer health data;
Genetic or biometric data;
Personal data of a consumer that a controller knows, or willfully disregards, is a minor;
Precise geolocation data;
A government-issued identifier, including a social security number, passport number, or driver's license number, that is not required by law to be displayed in public; or
The online activities of a consumer or device linked or reasonably linkable to a consumer over time and across websites, online applications, or mobile applications that do not share common branding, or data generated by profiling performed on such data.
"Targeted advertising" means presenting an online advertisement to a consumer, to a device identified by a unique persistent identifier, or to a group of consumers or devices identified by unique persistent identifiers, if the advertisement is selected based, in whole or in part, on known or predicted preferences, characteristics, behavior, or interests associated with the consumer or a device identified by a unique persistent identifier.
"Targeted advertising" includes displaying or presenting an online advertisement for a product or service based on the previous interaction of a consumer or a device identified by a unique persistent identifier with such product or service on a website or online service that does not share common branding with the website or online service displaying or presenting the advertisement, and marketing measurement related to such advertisements.
"Targeted advertising" does not include first-party advertising or contextual advertising.
"Third party" means a person that collects personal data from another person that is not the consumer to whom the data pertains and is not a processor with respect to such data. "Third party" does not include a person that collects personal data from another entity if the two entities are affiliates.
"Transfer" means to disclose, release, disseminate, make available, license, rent, or share personal data to a third party orally, in writing, electronically, or by any other means.
"Unique persistent identifier" means a technologically created identifier to the extent that such identifier is reasonably linkable to a consumer or a device that identifies or is linked or reasonably linkable to one or more consumers.
"Unique persistent identifier" includes device identifiers, internet protocol addresses, cookies, beacons, pixel tags, mobile ad identifiers or similar technology, customer numbers, unique pseudonyms, user aliases, telephone numbers, or other forms of persistent or probabilistic identifiers that are linked or reasonably linkable to one or more consumers or devices.
"Unique persistent identifier" does not include an identifier assigned by a controller for the sole purpose of giving effect to the exercise of affirmative consent or opt out by a consumer with respect to the collecting, processing, and transfer of personal data, or with respect to otherwise limiting the collecting, processing, or transfer of personal data.
This chapter applies to persons that conduct business in Washington state or produce products or services that are targeted to residents of Washington state, and that collect or process the personal data of consumers.
This chapter does not apply to any federal, state, tribal, territorial, or local government entity, such as a body, authority, board, bureau, commission, district, or agency, of this state or of any political subdivision of this state, or a contracted service provider when processing personal data on behalf of a government entity.
This chapter does not apply to the following information and data:
Protected health information that a covered entity or business associate collects or processes in accordance with, or documents that a covered entity or business associate creates for the purpose of complying with, the federal health insurance portability and accountability act of 1996 and its implementing regulations;
Health care information collected, used, or disclosed in accordance with chapter 70.02 RCW;
Patient identifying information as defined by 42 C.F.R. Part 2, established pursuant to 42 U.S.C. Sec. 290dd-2;
Identifiable private information for purposes of: The federal policy for the protection of human subjects under 45 C.F.R. Part 46, identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the international council for harmonization of technical requirements for pharmaceuticals for human use, the protection of human subjects under 21 C.F.R. Parts 6, 50, and 56, personal data used or shared in research as defined in 45 C.F.R. 164.501 that is conducted in accordance with one or more of the requirements set forth in this subsection, or other research conducted in accordance with applicable law;
Information and documents created specifically for, and collected and maintained by:
A quality improvement committee for purposes of RCW 43.70.510, 70.230.080, or 70.41.200;
A peer review committee for purposes of RCW 4.24.250;
A quality assurance committee for purposes of RCW 74.42.640 or 18.20.390;
A hospital, as defined in RCW 43.70.056, for reporting of health care-associated infections for purposes of RCW 43.70.056, a notification of an incident for purposes of RCW 70.56.040(5), or reports regarding adverse events for purposes of RCW 70.56.020(2)(b); or
A manufacturer, as defined in 21 C.F.R. Sec. 820.3(o), when collected, used, or disclosed for purposes specified in chapter 70.02 RCW;
Information and documents created for purposes of the federal health care quality improvement act of 1986, and related regulations;
Patient safety work product for purposes of the federal patient safety and quality improvement act, 42 U.S.C. Sec. 299b-21 et seq.;
Information that is deidentified in accordance with the requirements for deidentification set forth in 45 C.F.R. Part 164 and derived from any of the health care-related information identified in this subsection;
Information originating from, and intermingled so as to be indistinguishable with, information described in (a) through (h) of this subsection that is maintained by:
A covered entity or business associate as defined by the health insurance portability and accountability act of 1996 and related regulations;
A health care facility or health care provider as defined in RCW 70.02.010; or
A program or a qualified service organization as defined by 42 C.F.R. Part 2, established pursuant to 42 U.S.C. Sec. 290dd-2;
Information used only for public health activities and purposes as described in 45 C.F.R. Sec. 164.512 or that is part of a limited data set, as defined, and is used, disclosed, and maintained in the manner required, by 45 C.F.R. Sec. 164.514;
Identifiable data collected, used, or disclosed in accordance with chapter 43.371 RCW or RCW 69.43.165;
Personal information that is governed by and collected, processed, sold, or disclosed pursuant to the following regulations, parts, titles, or acts:
The Gramm-Leach-Bliley act, 15 U.S.C. Sec. 6801 et seq., and implementing regulations;
Part C of Title XI of the social security act, 42 U.S.C. Sec. 1320d et seq.;
The fair credit reporting act, 15 U.S.C. Sec. 1681 et seq.;
The family educational rights and privacy act, 20 U.S.C. 1232g; 34 C.F.R. Part 99;
The Washington health benefit exchange and applicable statutes and regulations, including 45 C.F.R. Sec. 155.260 and chapter 43.71 RCW;
Privacy rules adopted by the office of the insurance commissioner pursuant to chapter 48.02 or 48.43 RCW;
The federal driver's privacy protection act of 1994, 18 U.S.C. Sec. 2721 et seq.;
The federal family educational rights and privacy act, 20 U.S.C. Sec. 1232g et seq.; or
The federal farm credit act of 1971, 12 U.S.C. Sec. 2001 et seq.;
Personal data collected, processed, sold, or disclosed in relation to price, route, or service, as such terms are used in the airline deregulation act, 49 U.S.C. Sec. 40101 et seq., by an air carrier subject to the act, to the extent this chapter is preempted by the airline deregulation act, 49 U.S.C. Sec. 41713;
Data processed or maintained:
In the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role;
As the emergency contact information of the individual under this chapter used for emergency contact purposes; or
That is necessary to retain to administer benefits for another individual relating to the individual who is the subject of the information under (n)(i) of this subsection and used for the purposes of administering such benefits;
Personal data collected and processed solely for the journalistic purposes of gathering or reporting of news or information to the public by news media as defined in RCW 5.68.010, if the controller reasonably believes that the collection and processing of such data is in the public interest and that the journalistic purpose served by the collection and processing is incompatible with this chapter; or
Information collected by or disclosed to the national insurance crime bureau, the national association of insurance commissioners, or a similar organization under RCW 48.135.050.
Controllers that are in compliance with the verifiable parental consent requirements under the children's online privacy protection act, 15 U.S.C. Secs. 6501 through 6506 and its implementing regulations, are deemed compliant with any obligation to obtain parental consent under this chapter.
A consumer has the right to:
Confirm whether a controller is collecting or processing personal data concerning the consumer, access such personal data, and confirm whether or not the consumer's personal data is used to profile the consumer for the purpose of automated decision making;
Obtain from a controller a list of specific third parties, other than natural persons, to which the controller has transferred either the consumer's personal data or any personal data;
Correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data;
Delete personal data concerning the consumer, including personal data the consumer provided to the controller, personal data the controller obtained from another source, and derived data;
Obtain a copy of the consumer's personal data collected or processed by the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means; and
Opt out of the processing of the personal data for purposes of:
Targeted advertising;
The sale of personal data; or
Profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
If a consumer's personal data is profiled in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the consumer has the right to question the result of such profiling, to be informed of the reason why the profiling resulted in the decision, and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future.
The consumer has the right to review the consumer's personal data used in the profiling.
If the decision is determined to have been based upon inaccurate personal data, the consumer has the right to have the data corrected and the profiling decision reevaluated based upon the corrected data.
A consumer may exercise rights under this chapter by a secure and reliable means established by the controller and described to the consumer in the controller's privacy notice.
A consumer may designate another person to serve as the consumer's authorized agent, and act on the consumer's behalf, to exercise rights specified in section 3 of this act.
A controller must comply with a consumer's request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf.
In the case of personal data of a known child, the parent or legal guardian of the known child may exercise the rights of this chapter on the child's behalf.
In the case of personal data concerning a consumer subject to guardianship, conservatorship, or other protective arrangement, the guardian or the conservator of the consumer may exercise the rights of this chapter on the consumer's behalf.
Except as otherwise provided in this chapter, a controller shall comply with a request by a consumer to exercise the consumer rights authorized in this chapter in accordance with this section.
A controller shall respond to the consumer without undue delay, but not later than 45 days after receipt of the request. The response period may be extended once by 45 additional days when reasonably necessary, taking into account the complexity and number of the consumer's requests, so long as the controller informs the consumer of any such extension within the initial 45-day response period, together with the reason for the extension.
If a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, but not later than 45 days after receipt of the request, of the justification for declining to take action and instructions for how to appeal the decision.
Information provided in response to a consumer request must be provided by the controller, free of charge, twice per consumer during any 12-month period. If requests from a consumer are manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive, or repetitive nature of the request.
If a controller is unable to authenticate the request using commercially reasonable efforts, the controller is not required to comply with a request to exercise any of the rights under section 3 of this act and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer's request.
A controller may not require authentication of an opt-out request, but a controller may deny an opt-out request if the controller has a good-faith, reasonable, and documented belief that such request is fraudulent. If a controller denies an opt-out request because the controller believes the request is fraudulent, the controller shall send notice to the person who made the request, stating that the controller believes the request to be fraudulent, why the controller believes the request to be fraudulent, and that the controller will not comply with the request.
A controller that has obtained personal data about a consumer from a source other than the consumer is deemed in compliance with a consumer's request to delete such data pursuant to section 3(1)(d) of this act by deleting the consumer's personal data retained by the controller and retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the controller's records and not using such retained data for any other purpose pursuant to this chapter.
A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision. The appeal process must be conspicuously available and similar to the process for submitting consumer rights requests. Within 45 days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the attorney general to submit a complaint.
A controller may not condition, effectively condition, attempt to condition, or attempt to effectively condition the exercise of a consumer right described in section 3 of this act through the use of dark patterns or any false, fictitious, fraudulent, or materially misleading statement or representation.
A controller may not require a consumer to create a new account in order to exercise consumer rights, but may require a consumer to use an existing account.
A controller shall establish, and describe in the controller's privacy notice, one or more secure and reliable means for consumers to submit a request to exercise their consumer rights pursuant to this chapter. Such means must take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to verify the identity of the consumer making the request. Such means must include:
Providing a clear and conspicuous link on the controller's internet website to an internet web page that enables a consumer, or an agent of the consumer, to opt out of the targeted advertising, the sale of the consumer's personal data, and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer; and
Not later than December 31, 2025, allowing a consumer to opt out of any collection or processing of the consumer's personal data for the purposes of targeted advertising, or any sale of the consumer's personal data, through an opt-out preference signal that is sent, with the consumer's consent, by a platform, technology, or mechanism to the controller and that indicates the consumer's intent to opt out of any processing or sale. The platform, technology, or mechanism must:
Be consumer friendly and easy to use by the average consumer; and
Enable the controller to reasonably determine that the consumer is a Washington resident and whether the consumer has made a legitimate request to opt out of any sale of such consumer's personal data or targeted advertising. For purposes of this subsection, the use of an internet protocol address to estimate the consumer's location shall be considered sufficient to reasonably determine residency.
If a consumer's decision to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of the consumer's personal data, through an opt-out preference signal sent in accordance with subsection (9) of this section conflicts with the consumer's existing controller-specific privacy setting or voluntary participation in a controller's financial incentive program, the controller shall comply with the consumer's opt-out preference signal, but may notify the consumer of the conflict and provide to the consumer the choice to confirm the controller-specific privacy setting or participation in the program.
If a controller responds to the consumer opt-out requests received pursuant to subsection (9) of this section by informing the consumer of a change in the price, rate, level, quality, or selection of goods or services, the controller shall present the terms of any financial incentive offered pursuant to section 6(7) of this act for the retention, use, sale, or sharing of the consumer's personal data.
Except as specified in (b) of this subsection, a controller shall limit the collection, processing, and transfer of personal data to what is strictly necessary to provide or maintain:
A specific product or service requested by the consumer to whom the data pertains, including any routine administrative, operational, or account-servicing activity, such as billing, shipping, delivery, storage, or accounting; or
A communication, that is not an advertisement, by the controller to the consumer reasonably anticipated within the context of the relationship between the controller and the consumer.
A controller may only collect and transfer consumer health data in accordance with RCW 19.373.030.
Except with respect to sensitive data, a controller may process or transfer personal data collected under this subsection to provide first-party advertising or targeted advertising. However, this subsection does not permit the processing or transfer of personal data for targeted advertising to a consumer who has opted out of such advertising pursuant to this chapter or to a consumer under circumstances where the controller has knowledge, or willfully disregards, that the consumer is a minor.
Except as specified in RCW 19.373.030, a controller may not transfer sensitive data concerning a consumer without obtaining the consumer's affirmative consent, or, in the case of the collection or processing of sensitive data of a known child, without collecting or processing such data in accordance with the children's online privacy protection act, 15 U.S.C. Sec. 6501 through 6506 and its implementing regulations.
A controller may not sell sensitive data, with the exception of consumer health data, which may be sold in accordance with RCW 19.373.070.
A controller shall establish, implement, and maintain administrative, technical, and physical data security practices that, at a minimum, satisfy a reasonable standard of care within the controller's industry to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue, including disposing of personal data in accordance with a retention schedule that requires the deletion of personal data when the data is required to be deleted by law or is no longer necessary for the purpose for which the data was collected, processed, or transferred.
A controller shall provide an effective mechanism for a consumer to revoke the consumer's affirmative consent that is at least as easy as the mechanism by which the consumer provided the consumer's affirmative consent. Upon revocation of the consumer's affirmative consent, the controller shall cease to process the data as soon as practicable, but not later than 15 days after the receipt of the revocation.
A controller may not process the personal data of a consumer for purposes of targeted advertising or sell the consumer's personal data under the circumstances where a controller has actual knowledge, or willfully disregards, that the consumer is a minor.
A controller may not discriminate or retaliate against a consumer for exercising any of the consumer rights contained in this chapter, or for refusing to agree to the collection or processing of personal data for a separate product or service, including by denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to the consumer.
Nothing in this subsection may be construed to require a controller to provide a product or service that requires the personal data of a consumer which the controller does not collect or maintain.
(A) The transfer is functionally necessary to enable the third party to provide a benefit to which the consumer is entitled;
(B) The transfer of personal data to the third party is clearly disclosed in the terms of the program; and
(C) The third party uses the personal data only for purposes of facilitating a benefit to which the consumer is entitled and does not process or transfer the personal data for any other purpose.
ii. The sale of personal data must not be considered functionally necessary to provide a financial incentive program. A controller may not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature.
A controller or processor may not collect, process, or transfer personal data in a manner that discriminates against an individual or class of individuals, or otherwise makes unavailable the equal enjoyment of goods or services, on the basis of an individual's or class of individuals' actual or perceived race, color, sex, sexual orientation, gender identity, disability, religion, ancestry, or national origin.
This subsection does not apply to:
The collection, processing, or transfer of personal data for the sole purpose of a controller's or processor's self-testing to prevent or mitigate unlawful discrimination or otherwise to ensure compliance with state or federal law, or for the sole purpose of diversifying an applicant, participant, or customer pool; or
A private establishment, as described in 42 U.S.C. Sec. 2000a(e).
A controller must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:
The categories of personal data collected and processed by the controller, including a separate list of categories of sensitive data collected and processed by the controller, described in a level of detail that provides consumers a meaningful understanding of the type of personal data collected or processed;
The categories of sources from which the consumer health data is collected;
The purpose for collecting and processing each category of personal data the controller collects or processes, described in a way that gives consumers a meaningful understanding of how each category of the consumers' personal data will be used;
How consumers may exercise their consumer rights included in section 3 of this act, including how a consumer may appeal a controller's decision with regard to the consumer's request;
The categories of personal data that the controller transfers to third parties, if any, and the purposes for those transfers;
The categories of third parties, if any, to which the controller transfers personal data;
The length of time the controller intends to retain each category of personal data, or, if it is not possible to identify the length of time, the criteria used to determine the length of time the controller intends to retain categories of personal data; and
An active email address or other online mechanism that the consumer may use to contact the controller.
If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such selling or processing, as well as the manner in which a consumer may exercise the right to opt out of such selling or processing. The sale of consumer health data must comply with RCW 19.373.030.
a. Taking into account the nature of processing and the information available to the processor, by appropriate technical and organizational measures, insofar as is reasonably practicable, assisting the controller in fulfilling the controller's obligation to respond to consumer rights requests;
b. Taking into account the nature of processing and the information available to the processor, assisting the controller in meeting the controller's obligation in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the processor's system in order to meet the controller's obligations; and
c. Providing necessary information to enable the controller to conduct and document data protection assessments.
The processor's data processing procedures with respect to processing performed on behalf of the controller must be governed by a contract between a controller and a processor. The contract must be binding and must clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The processor shall adhere to the instructions of the controller and only process and transfer data it receives from the controller to the extent necessary to provide a service requested by the controller, as set out in the contract. The contract must also require that the processor:
Ensure that each person processing personal data is subject to a duty of confidentiality with respect to that data;
At the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;
Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with this chapter;
After providing the controller an opportunity to object, engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data;
Be prohibited from combining personal data that the processor receives from or on behalf of a controller with personal data that the processor receives from or on behalf of another person or collects from the interaction of the processor with an individual; and
Allow and cooperate with reasonable assessments by the controller or the controller's designated assessor or arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations under this chapter, using an appropriate and accepted control standard or framework and assessment procedure for such assessments. The processor shall provide a report of such assessment to the controller upon request.
A processor shall establish, implement, and maintain administrative, technical, and physical data security practices that, at a minimum, satisfy a reasonable standard of care within the processor's industry to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue.
Nothing in this section may be construed to relieve a controller or processor from the liabilities imposed on the controller or processor by virtue of the controller's or processor's role in the processing relationship, as described in this chapter.
Determining whether a person is acting as a controller or processor with respect to a specific processing of personal data is a fact-based determination that depends on the context in which personal data is to be processed. A person who is not limited in the processing of personal data pursuant to a controller's instructions, or who fails to adhere to such instructions, is a controller and not a processor with respect to that specific processing of personal data. A processor that continues to adhere to a controller's instructions with respect to a specific processing of personal data remains a processor. If a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, the processor is a controller with respect to such processing and may be subject to an enforcement action under this chapter.
A controller may not conduct processing that presents a heightened risk of harm to a consumer without conducting and documenting a data protection assessment for each of the controller's processing activities that presents the heightened risk of harm to a consumer. For the purposes of this section, processing that presents a heightened risk of harm to a consumer includes:
The collection or processing of personal data for the purposes of targeted advertising;
The sale of personal data;
The processing of personal data for the purposes of profiling, where such profiling presents a reasonably foreseeable risk of:
Unfair or deceptive treatment of consumers or unlawful disparate impact on consumers;
Financial, physical, or reputational injury to consumers;
A physical or other intrusion upon the solitude, seclusion, or the private affairs or concerns of consumers, where such intrusion would be offensive to a reasonable person; or
Other substantial injury to consumers; and
The collection or processing of sensitive data.
Data protection assessments conducted pursuant to subsection (1) of this section must identify the categories of personal data collected, the purposes for collecting personal data, and whether personal data is being transferred. Data protection assessments must also identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that are employed by the controller to reduce such risks. The controller shall factor into any data protection assessment the use of deidentified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data is being processed.
A controller shall submit a report of the data protection assessment or evaluation to the attorney general upon request. The report must include a summary of the data protection assessment, and the controller shall make the summary publicly available in a place that is easily accessible to consumers.
The attorney general may require that a controller disclose any data protection assessment that is relevant to an investigation conducted by the attorney general, and the controller shall make the data protection assessment available to the attorney general upon request. The attorney general may evaluate the data protection assessment for compliance with the responsibilities set forth in this chapter. To the extent any information contained in a data protection assessment disclosed to the attorney general includes information subject to attorney-client privilege or work product protection, the disclosure does not constitute a waiver of such privilege or protection.
A single data protection assessment may address a comparable set of processing operations that include similar activities.
If a controller conducts a data protection assessment for the purpose of complying with another applicable law or regulation, the data protection assessment is deemed to satisfy the requirements of this section if the data protection assessment is reasonably similar in scope and effect to the data protection assessment that would otherwise be conducted pursuant to this section.
A controller shall conduct and document a data protection assessment before initiating a processing activity that presents a heightened risk of harm to a consumer. Throughout the processing activity's life cycle, the controller shall review and update the data protection assessment as often as appropriate, taking into consideration the type, amount, and sensitivity of personal data collected or processed and the level of risk presented by the processing, in order to:
Monitor for harm caused by the processing and adjust safeguards accordingly; and
Ensure that data protection and privacy are considered as the controller makes new decisions with respect to the processing.
The first data protection assessment required by this section must be completed no later than one year after the effective date of this section.
Any controller in possession of deidentified data shall:
Take technical measures to ensure that the data cannot be associated with an individual;
Publicly commit to maintaining and using deidentified data without attempting to reidentify the data; and
Contractually obligate any recipients of the deidentified data to comply with all provisions of this chapter.
Nothing in this chapter may be construed to require a controller or processor to:
Reidentify deidentified data;
Maintain data in an identifiable form; or
Collect, obtain, retain, or access any data or technology in order to be capable of associating an authenticated consumer request with personal data.
Nothing in this chapter may be construed to require a controller or processor to comply with an authenticated consumer rights request if the controller:
Is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data; and
Does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer.
A controller that transfers deidentified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the deidentified data is subject and shall take appropriate steps to address any breaches of those contractual commitments.
The obligations imposed on controllers and processors under this chapter do not restrict a controller's or processor's ability to:
Comply with federal, state, or local laws, rules, or regulations, except as prohibited by the Washington shield law, chapter 7.115 RCW;
Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations;
Investigate, establish, exercise, prepare for, or defend legal claims;
Provide a product or service specifically requested by the consumer;
Perform under a contract to which a consumer is a party, including fulfilling the terms of a written warranty;
Take steps at the request of a consumer prior to entering into a contract;
Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or another individual, and where the processing cannot be manifestly based on another legal basis;
Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all relevant laws and regulations governing such research, if applicable, and is approved, monitored, and governed by an institutional review board, human subjects research ethics review board, or a similar independent oversight entity that determines whether:
The deletion of personal data requested by a consumer pursuant to section 3 of this act is likely to provide substantial benefits that do not exclusively accrue to the controller;
The expected benefits of the research outweigh the privacy risks; and
The controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with reidentification;
Assist another controller, processor, or third party with any of the obligations under this chapter;
Process personal data for reasons of public interest in the area of public health, community health, or population health, but solely to the extent that such processing is:
Subject to suitable and specific measures to safeguard the rights of the consumer whose personal data is being processed; and
Under the responsibility of a professional subject to confidentiality obligations under federal, state, or local law;
Ensure the data security and integrity of personal data as required by this chapter, protect against spam, or protect and maintain networks and systems, including through diagnostics, debugging, and repairs;
Transfer assets to a third party in the context of a merger, acquisition, bankruptcy, or similar transaction when the third party assumes control, in whole or in part, of the controller's assets, provided that the controller, in a reasonable time prior to the transfer, provides an affected consumer with notice describing the transfer, including the name of the entity receiving the consumer's personal data and the applicable privacy policies of such entity, and a reasonable opportunity to withdraw previously provided consent related to the consumer's personal data and to request the deletion of the consumer's personal data;
Effectuate a product recall pursuant to federal or state law, or to fulfill a warranty;
Conduct medical research in compliance with 45 C.F.R. Part 46 or 21 C.F.R. Part 50 or 56; or
Process personal data previously collected in accordance with this chapter such that the personal data becomes deidentified data, including to:
Conduct internal research to develop, improve, or repair products, services, or technology;
Identify and repair technical errors that impair existing or intended functionality; or
Perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller, or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.
The obligations imposed on controllers and processors under this chapter do not apply where compliance by a controller or processor would violate an evidentiary privilege under Washington law and do not prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under Washington law as part of a privileged communication.
A controller or processor that discloses personal data in compliance with this chapter to a third-party controller or processor is not in violation of this chapter if the recipient processes such personal data in violation of this chapter, provided that, at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient would violate this chapter. A third-party controller or processor receiving personal data in compliance with this chapter from a controller or processor is likewise not in violation of this chapter for the transgressions of the controller or processor from which it receives the personal data.
Nothing in this chapter may be construed to:
Impose any obligation on a controller or processor that adversely affects the rights or freedoms of any persons including, but not limited to, the rights of any person to freedom of speech or freedom of the press guaranteed in the First Amendment to the United States Constitution or under the Washington reporter shield law, chapter 5.68 RCW;
Apply to any person's collection or processing of personal data in the course of the person's purely personal or household activities; or
For private schools approved by the state under chapter 28A.195 RCW and private institutions of higher education as defined in 20 U.S.C. Sec. 1001 et seq., require deletion of personal data that would unreasonably interfere with the provision of education services by or the ordinary operation of the school or institution.
Personal data collected or processed by a controller pursuant to this section may be collected or processed to the extent that the collection or processing is:
Strictly necessary and proportionate to the purposes listed in this section, or, in the case of consumer health data, is in compliance with RCW 19.373.030;
Limited to what is strictly necessary in relation to the specific purpose or purposes listed in this section, or, in the case of consumer health data, in compliance with RCW 19.373.030; and
Compliant with section 6 of this act.
Personal data processed pursuant to subsection (1)(q) of this section must, where applicable, take into account the nature and purpose or purposes of the processing. Such data must be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data, and to reduce reasonably foreseeable risks of harm to consumers relating to such processing of personal data.
If a controller collects or processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that such collection or processing qualifies for the exemption and complies with the requirements in subsection (5) of this section.
Controllers and processors that collect or process consumer health data may be subject to additional data privacy requirements pursuant to chapter 19.373 RCW.
Controllers and processors that collect or process data that is exempt from this chapter may still be considered regulated entities or processors under chapter 19.373 RCW and may be required to comply with obligations under chapter 19.373 RCW.
Before bringing an action under section 12 of this act, the attorney general shall notify a controller or processor of the alleged violation if the attorney general determines that a cure is possible. If the controller or processor fails to cure the violation within 30 days after receiving notice of the violation, the attorney general may bring a civil action without further notice.
This section expires August 1, 2027.
The rights and obligations created by this chapter may only be enforced pursuant to sections 12 and 13 of this act.
Any provision of a contract or agreement of any kind that purports to waive, release, limit in any way, or extinguish the rights of consumers under this chapter is against public policy and is void and unenforceable.
A regulated entity, small business, or processor subject to the requirements of this chapter may also be subject to data privacy requirements provided in chapter 19.--- RCW (the new chapter created in section 18 of this act).
If any provision of this act or its application to any person or circumstance is held invalid, the remainder of the act or the application of the provision to other persons or circumstances is not affected.
Sections 12 and 13 of this act take effect August 1, 2026.