Can I use third-party marketing automation tools that collect personal information in Washington? What are the requirements?
Using Third-Party Marketing Automation Tools in Washington
If you are planning to use third-party marketing automation tools that collect personal information in Washington, you must comply with the state’s regulations regarding the sharing of personal information for marketing purposes.
Under WAC 284-04-310, a licensee shall not disclose a policy number, or a similar form of access number or access code for a consumer’s policy or transaction account, to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer, except under certain circumstances. The exceptions allow such a number or code to be disclosed to the licensee’s service provider solely to perform marketing for the licensee’s own products or services; to a licensee who is a producer solely to perform marketing for the licensee’s own products or services; or to a participant in an affinity or similar program, where the participants in the program are identified to the customer when the customer enters into the program.
Therefore, if the third-party marketing automation tool is a service provider solely performing marketing for the licensee’s own products or services, then it may be permissible to disclose the policy number or similar form of access number or access code. However, the licensee must ensure that the service provider is not authorized to directly initiate charges to the account.
Requirements for Data Vendors
WAC 82-75-410 outlines the requirements for data vendors in Washington State. Data vendors must enter into an agreement with the lead organization that contains provisions for ensuring compliance with all applicable federal and state laws, as well as the state’s security standards. The agreement must also include provisions for keeping logs and documentation on activities conducted pursuant to the security plan, and a detailed security process that includes security risk assessments and corrective action plans when deficiencies are discovered.
Additionally, data vendors must enter into a legally binding data use and confidentiality agreement with the lead organization that restricts access and use of data in the WA-APCD to that necessary for the operation and administration of the database as authorized by chapter 43.371 RCW. Data vendors must also engage the services of an independent third-party security auditor annually to conduct a security audit to verify compliance with federal and state laws, Washington state information technology security standards, and the contract with the lead organization.
Furthermore, data vendors must submit their latest HITRUST common security framework (CSF) report and the latest statement on standards for attestation engagements (SSAE) No. 16 service organization control 2 (SOC 2) Type II audit report covering the data vendor’s third-party data center to the office within thirty calendar days of receiving the final report. The data vendor must develop and implement an appropriate corrective action plan, including remediation timelines, when necessary, and provide the corrective action plan to the office or the office of the state chief information security officer upon request.
Limits on Redisclosure and Reuse of Nonpublic Personal Financial Information
If the third-party marketing automation tool collects nonpublic personal financial information, you must also comply with the limits on redisclosure and reuse of nonpublic personal financial information outlined in WAC 284-04-305. The regulation specifies that if a licensee receives nonpublic personal financial information from a nonaffiliated financial institution under an exception in WAC 284-04-405 or 284-04-410, the licensee’s disclosure and use of that information is limited. The licensee may disclose the information to the affiliates of the financial institution from which the licensee received the information, to the licensee’s own affiliates, or pursuant to an exception in WAC 284-04-405 or 284-04-410, in the ordinary course of business to carry out the activity covered by the exception under which the licensee received the information.
If a licensee receives nonpublic personal financial information from a nonaffiliated financial institution other than under an exception in WAC 284-04-405 or 284-04-410, the licensee may disclose the information only to the affiliates of the financial institution from which the licensee received the information, to the licensee’s own affiliates, or to any other person, if the disclosure would be lawful if made directly to that person by the financial institution from which the licensee received the information.
Therefore, it is recommended that licensees carefully review the requirements outlined in the relevant regulations and consult with legal counsel to ensure compliance when using third-party marketing automation tools that collect personal information, including nonpublic personal financial information, in Washington State.
Jurisdiction: Washington