Can I skip obtaining consent to disclose personal information for a business purpose in Washington? What are the requirements?
Disclosure of Personal Information for Business Purpose in Washington
In Washington, a person or business that conducts business in the state and owns or licenses data that includes personal information shall disclose any breach of the security of the system to any resident of this state whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the personal information was not secured [1.1].
However, a licensee may not, directly or through any affiliate, disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party unless the licensee has provided to the consumer an initial notice as required under WAC 284-04-200, an opt-out notice as required in WAC 284-04-215, and the consumer does not opt out [2.4].
Requirements for Disclosing Personal Information for Business Purpose in Washington
To disclose personal information for a business purpose in Washington, the following requirements must be met:
- Where the personal information involved includes a user name or password, notice may be provided electronically or by email. The notice must comply with subsections (6), (7), and (8) of this section and must inform the person whose personal information has been breached to promptly change his or her password and security question or answer, as applicable, or to take other appropriate steps to protect the online account with the person or business and all other online accounts for which the person whose personal information has been breached uses the same user name or email address and password or security question or answer [1.1].
- A licensee may not disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party unless the licensee has provided to the consumer an initial notice as required under WAC 284-04-200, an opt-out notice as required in WAC 284-04-215, and the consumer does not opt out [2.4].
- A licensee may disclose nonpublic personal financial information from a nonaffiliated financial institution under an exception in WAC 284-04-405 or 284-04-410, but the licensee’s disclosure and use of that information is limited [2.5].
Exceptions to Disclosing Personal Information for Business Purpose in Washington
There are certain exceptions to the requirement of obtaining consent to disclose personal information for a business purpose in Washington. These exceptions include:
- With the consent or at the direction of the consumer, provided that the consumer has not revoked the consent or direction [2.1].
- To protect the confidentiality or security of a licensee’s records pertaining to the consumer, service, product or transaction; to protect against or prevent actual or potential fraud or unauthorized transactions; for required institutional risk control or for resolving consumer disputes or inquiries; to persons holding a legal or beneficial interest relating to the consumer; or to persons acting in a fiduciary or representative capacity on behalf of the consumer [2.1].
- To provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating a licensee, persons that are assessing the licensee’s compliance with industry standards, and the licensee’s attorneys, accountants and auditors [2.1].
- To comply with federal, state or local laws, rules and other applicable legal requirements; to comply with a properly authorized civil, criminal or regulatory investigation, or subpoena or summons by federal, state or local authorities; to respond to judicial process or government regulatory authorities having jurisdiction over a licensee for examination, compliance or other purposes as authorized by law [2.1].
- For purposes related to the replacement of a group benefit plan, a group health plan, a group welfare plan or a workers’ compensation plan [2.1].
Conclusion
In Washington, personal information can be disclosed for a business purpose, but certain requirements must be met. Where the personal information involved includes a user name or password, notice may be provided electronically or by email. A licensee may not disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party unless the licensee has provided to the consumer an initial notice as required under WAC 284-04-200, an opt-out notice as required in WAC 284-04-215, and the consumer does not opt out. A licensee may disclose nonpublic personal financial information from a nonaffiliated financial institution under an exception in WAC 284-04-405 or 284-04-410, but the licensee’s disclosure and use of that information is limited. There are certain exceptions to the requirement of obtaining consent to disclose personal information for a business purpose in Washington. These exceptions include disclosure with the consent or at the direction of the consumer, provided that the consumer has not revoked the consent or direction; to protect the confidentiality or security of a licensee’s records pertaining to the consumer, service, product or transaction; to protect against or prevent actual or potential fraud or unauthorized transactions; for required institutional risk control or for resolving consumer disputes or inquiries; to persons holding a legal or beneficial interest relating to the consumer; or to persons acting in a fiduciary or representative capacity on behalf of the consumer.
Source(s):
- [1.1] Personal information—Notice of security breaches.
- [2.1] Other exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information.
- [2.4] Limits on disclosure of nonpublic personal financial information to nonaffiliated third parties.
- [2.5] Limits on redisclosure and reuse of nonpublic personal financial information.
Jurisdiction
Washington