Can I share personal information about my customers with third parties in Washington? What are the requirements?

Sharing Personal Information with Third Parties in Washington

In Washington, you may share personal information about your customers with third parties under certain conditions. According to WAAC 284-04-300, a licensee may not disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party unless:

• The licensee has provided the consumer an initial notice as required under WAC 284-04-200;
• The licensee has provided the consumer an opt-out notice as required in WAC 284-04-215;
• The licensee has given the consumer a reasonable opportunity, before it discloses the information to the nonaffiliated third party, to opt out of the disclosure; and
• The consumer does not opt out.

A licensee provides a consumer with a reasonable opportunity to opt out if:

• By mail. The licensee mails the notices required in (a) of this subsection to the consumer and allows the consumer to opt out by mailing a form, calling a toll-free telephone number, or any other reasonable means within thirty days from the date the licensee mailed the notices.
• By electronic means. A customer opens an online account with a licensee and agrees to receive the notices required in (a) of this subsection electronically, and the licensee allows the customer to opt out by any reasonable means within thirty days after the date that the customer acknowledges receipt of the notices in conjunction with opening the account.
• Isolated transaction with consumer. For an isolated transaction such as providing the consumer with an insurance quote, a licensee provides the consumer with a reasonable opportunity to opt out if the licensee provides the notices required in (a) of this subsection at the time of the transaction and requests that the consumer decide, as a necessary part of the transaction, whether to opt out before completing the transaction.

Additionally, a licensee shall comply with this section, regardless of whether the licensee and the consumer have established a customer relationship. Unless a licensee complies with this section, the licensee may not, directly or through any affiliate, disclose any nonpublic personal financial information about a consumer that the licensee has collected, regardless of whether the licensee collected it before or after receiving the direction to opt out from the consumer.

Exceptions to Disclosure Requirements

There are exceptions to the disclosure requirements for sharing personal information with third parties in Washington. According to WAAC 284-04-410, the requirements for initial notice to consumers, opt-out, and service providers and joint marketing do not apply when a licensee discloses nonpublic personal financial information:

• With the consent or at the direction of the consumer, provided that the consumer has not revoked the consent or direction;
• To protect the confidentiality or security of a licensee’s records pertaining to the consumer, service, product, or transaction;
• To protect against or prevent actual or potential fraud or unauthorized transactions;
• For required institutional risk control or for resolving consumer disputes or inquiries;
• To persons holding a legal or beneficial interest relating to the consumer; or
• To persons acting in a fiduciary or representative capacity on behalf of the consumer.

A licensee may also allow a consumer to select certain nonpublic personal financial information or certain nonaffiliated third parties with respect to which the consumer wishes to opt out.

Information to be Included in Privacy Notices

If you plan to share personal information with third parties in Washington, you must provide an initial, annual, and revised privacy notice to consumers. According to WAAC 284-04-210 and WAAC 284-04-205, the privacy notices must include each of the following items of information:

• The categories of nonpublic personal financial information that the licensee collects;
• The categories of nonpublic personal financial information that the licensee discloses;
• The categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information, other than those parties to whom the licensee discloses information under WAC 284-04-405 and 284-04-410;
• The categories of nonpublic personal financial information about the licensee’s former customers that the licensee discloses and the categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information about the licensee’s former customers, other than those parties to whom the licensee discloses information under WAC 284-04-405 and 284-04-410;
• If a licensee discloses nonpublic personal financial information to a nonaffiliated third party under WAC 284-04-400 (and no other exception in WAC 284-04-405 and 284-04-410 applies to that disclosure), a separate description of the categories of information the licensee discloses and the categories of third parties with whom the licensee has contracted;
• An explanation of the consumer’s right under WAC 284-04-300(1) to opt out of the disclosure of nonpublic personal financial information to nonaffiliated third parties, including the methods by which the consumer may exercise that right at that time;
• Any disclosures that the licensee makes under section 603 (d)(2)(A)(iii) of the Federal Fair Credit Reporting Act (15 U.S.C. 1681a (d)(2)(A)(iii)) (that is, notices regarding the ability to opt out of disclosures of information among affiliates);
• The licensee’s policies and practices with respect to protecting the confidentiality and security of nonpublic personal information; and
• Any disclosure that the licensee makes under subsection (2) of this section.

If a licensee discloses nonpublic personal financial information as authorized under WAC 284-04-405 and 284-04-410, the licensee is not required to list those exceptions in the initial or annual privacy notices required by WAC 284-04-200 and 284-04-205. When describing the categories of parties to whom disclosure is made, the licensee is required to state only that it makes disclosures to other affiliated or nonaffiliated third parties, as applicable, as permitted by law.

Jurisdiction

Washington

• Privacy