Can I collect personal information from my customers in California in Washington? What are the requirements?

Collecting Personal Information from Customers in California while in Washington

If you are collecting personal information from customers in California while in Washington, you must comply with the privacy laws of both states.

California Requirements

Under California law, businesses that collect personal information from California residents must comply with the California Consumer Privacy Act (CCPA) ^[3.1]. The CCPA applies to businesses that meet certain criteria, including those that have annual gross revenues of over $25 million, buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices, or derive 50 percent or more of their annual revenues from selling California residents’ personal information ^[3.1].

If your business is subject to the CCPA, you must provide California residents with a notice at collection that includes the following information ^[3.1]:

• The categories of personal information that you collect
• The purposes for which you collect the personal information
• The categories of third parties with whom you share the personal information
• The right to request deletion of personal information
• The right to opt-out of the sale of personal information
• The right to access personal information

You must also obtain explicit consent from California residents before collecting their personal information ^[3.1].

Washington Requirements

Washington state law requires businesses to provide an annual privacy notice to customers that accurately reflects its privacy policies and practices ^[1.1]. The notice must be provided to customers not less than annually during the continuation of the customer relationship ^[1.1].

If you provide nonpublic information to nonaffiliated third parties only in accordance with certain criteria and have not changed your policies and practices with regard to disclosing nonpublic information, you are not required to provide an annual disclosure until the time you fail to comply with any criteria described in this subsection ^[1.1].

Limits on Disclosure and Reuse of Nonpublic Personal Financial Information

Washington state law also limits the disclosure and reuse of nonpublic personal financial information ^[1.2][1.3]. If you receive nonpublic personal financial information from a nonaffiliated financial institution, you may only disclose and use that information in accordance with certain criteria ^[1.2]. You must also provide customers with an initial notice and opt-out notice before disclosing their nonpublic personal financial information to nonaffiliated third parties ^[1.3].

Conclusion

If you are collecting personal information from California residents while in Washington, you must comply with both California and Washington state privacy laws. Under California law, you must comply with the CCPA and provide California residents with a notice at collection and obtain explicit consent before collecting their personal information. Under Washington state law, you must provide an annual privacy notice to customers that accurately reflects your privacy policies and practices. Additionally, if you receive nonpublic personal financial information from a nonaffiliated financial institution, you must comply with Washington state law regarding the disclosure and reuse of that information and provide customers with an initial notice and opt-out notice before disclosing their nonpublic personal financial information to nonaffiliated third parties.

Source(s):

• [1.1] Annual privacy notice to customers required.
• [1.2] Limits on redisclosure and reuse of nonpublic personal financial information.
• [3.1] Restrictions on the Collection and Use of Personal Information.
• [1.3] Limits on disclosure of nonpublic personal financial information to nonaffiliated third parties.

Jurisdiction

California, Washington

• Privacy