wa-law.org > bill > 2025-26 > HB 2606 > Original Bill
The office of privacy and data protection is created within the agency. The purpose of the office of privacy and data protection is to serve as a central point of contact for state agencies on policy matters involving data privacy and data protection.
The director shall appoint the chief privacy officer, who is the director of the office of privacy and data protection.
The primary duties of the office of privacy and data protection with respect to state agencies are:
To conduct an annual privacy review;
To conduct an annual privacy training for state agencies and employees;
To articulate privacy principles and best practices;
To coordinate data protection in cooperation with the agency; and
To participate with the agency in the review of major state agency projects involving personally identifiable information, including projects using artificial intelligence.
The office of privacy and data protection must serve as a resource to local governments and the public on data privacy and protection concerns by:
Developing and promoting the dissemination of best practices for the collection and storage of personally identifiable information, including establishing and conducting a training program or programs for local governments; and
Educating consumers about the use of personally identifiable information on mobile and digital networks and measures that can help protect this information.
By December 1, 2016, and every four years thereafter, the office of privacy and data protection must prepare and submit to the legislature a report evaluating its performance. The office of privacy and data protection must establish performance measures in its 2016 report to the legislature and, in each report thereafter, demonstrate the extent to which performance results have been achieved. These performance measures must include, but are not limited to, the following:
Improvement of privacy and data protection policies and practices by state agencies and, when available, local governments, following participation in the office of privacy and data protection's trainings, and for state agencies, annual review;
The extent of the office of privacy and data protection's coordination with international and national experts in the fields of data privacy, data protection, and access equity;
c.
Data on contacts with the public, including how many members of the public contact the office of privacy and data protection, the nature of the contact, and the office of privacy and data protection's response, including providing referrals and technical assistance;
d. Results of direct evaluation from participants of the office of privacy and data protection's trainings, including in-person or virtual formats. The report shall also include how many trainings were completed, topics, and how many participants attended;
e. The number and nature of technical assistance requests by state agencies and local governments;
f. The office of privacy and data protection's staff continuing education activities or certifications in emerging technologies, evolving best practices, and state or federal policies; and
g. The number of privacy threshold analyses completed, and the number of privacy impact assessments completed.