Ask Reggi Your Question Now
Can I use third-party customer service tools that collect personal information in Washington? What are the requirements?
Requirements for using third-party customer service tools that collect personal information in Washington
If you are using third-party customer service tools that collect personal information from consumers in Washington, you must comply with the requirements of the Washington Administrative Code (WAC) 284-04-300 and 284-04-215 [1.1].
Opt-out notice
WAC 284-04-215 requires that a licensee must provide an opt-out notice to the consumer that includes a clear and conspicuous statement that the consumer has the right to opt-out of the disclosure of nonpublic personal financial information to nonaffiliated third parties. The notice must also include a reasonable means for the consumer to opt-out, such as a toll-free telephone number, a form that can be mailed, or any other reasonable means.
Limits on redisclosure and reuse of nonpublic personal financial information
WAC 284-04-305 limits the redisclosure and reuse of nonpublic personal financial information. If you receive nonpublic personal financial information from a nonaffiliated financial institution, you may disclose the information only to the affiliates of the financial institution from which you received the information, to your affiliates, or to any other person if the disclosure would be lawful if made directly to that person by the financial institution from which you received the information [1.2].
Requirements for data vendor
If you are a data vendor, you must enter into an agreement with the lead organization that contains specific requirements, including provisions for ensuring compliance with all applicable federal and state laws, keeping logs and documentation on activities conducted pursuant to the security plan, and engaging the services of an independent third-party security auditor to conduct a security audit annually [2.1].
In summary, if you are using third-party customer service tools that collect personal information from consumers in Washington, you must provide an opt-out notice to the consumer and comply with the limits on redisclosure and reuse of nonpublic personal financial information. If you are a data vendor, you must enter into an agreement with the lead organization that contains specific requirements.
Source(s):
- [1.1] Limits on disclosure of nonpublic personal financial information to nonaffiliated third parties.
- [2.1] Requirements for data vendor.
- [1.2] Limits on redisclosure and reuse of nonpublic personal financial information.
Jurisdiction
Washington