Ask Reggi Your Question Now

Reggi is the free generative AI assistance for regulatory compliance

Can I use third-party social media tools that collect personal information in Washington? What are the requirements?

October 18, 2023

Personal Information Collection and Disclosure in Washington State

If you are using third-party social media tools that collect personal information in Washington State, you must comply with the state’s data breach notification law, RCW 42.56.590 ^[1.1]. This law requires agencies that own or license data that includes personal information to disclose any breach of the security of the system to any resident of the state whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the personal information was not secured. Notice is not required if the breach of the security of the system is not reasonably likely to subject consumers to a risk of harm.

Under RCW 42.56.590, agencies that are required to issue notification pursuant to this section shall meet the following requirements:

The notification must be written in plain language.
The notification must include, at a minimum, the following information:
The name and contact information of the reporting agency subject to this section.
A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.
A time frame of exposure, if known, including the date of the breach and the date of the discovery of the breach.
The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed personal information.

Additionally, any agency that is required to issue a notification pursuant to this section to more than five hundred Washington residents as a result of a single breach shall notify the attorney general of the breach no more than thirty days after the breach was discovered.

It is important to note that personal information is exempt from public inspection and copying under certain circumstances ^[1.2]. Any waiver of the provisions of RCW 42.56.590 or 42.56.592 is contrary to public policy, and is void and unenforceable ^[1.3].

Source(s):

[1.1] Personal information—Notice of security breaches.
[1.2] Personal information.
[1.3] Personal information—Consumer protection.

Jurisdiction

Washington

Privacy