HB 2606
SignedHouse
Office of privacy and data
Concerning performance measures, duties, and reporting requirements for the office of privacy and data protection.
How does a bill become law?
- Introduced: The bill is filed and assigned a number.
- Committee: A subject-matter committee holds hearings, takes public testimony, and decides whether to advance the bill.
- Floor Vote: The full chamber (House or Senate) debates and votes on the bill.
- Opposite Chamber: The bill repeats the committee and floor vote process in the other chamber.
- Governor: The Governor reviews the bill and decides whether to sign or veto it.
- Signed: The bill has been signed into law.
AI Analysis
This bill strengthens the Office of Privacy and Data Protection by clarifying its duties, expanding its reporting requirements, and shifting performance metrics to focus on outcomes — like improved agency practices and public engagement — rather than just activity counts. It also formalizes the office’s role in reviewing AI and PII-related projects across state and local government.
- Formally establishes the Office of Privacy and Data Protection within the Washington State Office of the Chief Information Officer to serve as a central hub for data privacy and protection policy.
- Requires the office to conduct annual privacy reviews of state agencies and annual privacy training for agency staff.
- Mandates the office to develop and share privacy best practices, coordinate data protection efforts with agencies, and review major projects involving personally identifiable information (PII) — including those using artificial intelligence.
- Tasks the office with supporting local governments and the public by offering training, educational materials, and technical assistance on data privacy and protection.
- Requires the office to submit a performance report to the legislature every four years, including new metrics on training outcomes, public outreach, technical assistance requests, and completed privacy threshold analyses and impact assessments.
- Adds new performance measures to track real-world impact — such as improvements in agency policies, public engagement, and staff certifications — rather than just counting training attendance.
Who is affected
- State agencies — State agencies must participate in annual privacy reviews and training, and consult with the office on projects involving personally identifiable information (PII), including AI systems.
- State employees — State employees must complete annual privacy training and follow updated privacy policies and practices guided by the office.
- Local governments — Local governments receive guidance, training, and technical assistance from the office on collecting and protecting PII, and may request support for privacy-related initiatives.
- General public — Washington residents benefit from increased transparency and protection of their personal data, and can contact the office for education or to report concerns.
Pro/Con Analysis
Stronger case for benefits
Potential Benefits (5)
By requiring the office to develop and disseminate privacy best practices—including training for local governments—and educate the public on protecting PII, the bill enhances transparency and empowers residents to safeguard their personal data, reducing risks of identity theft and misuse.
Public SafetyPeopleRef: Sec. 1(4)(a), (b)The shift to outcome-based performance metrics—such as improvements in agency policies, training participant evaluations, and completion of privacy threshold analyses and impact assessments—creates measurable accountability for protecting residents’ data and ensures that training and outreach translate into real-world protections.
Public SafetyPeopleRef: Sec. 1(5)(a), (d), (e), (g)Mandating annual privacy reviews, training, and best-practice development for state agencies ensures consistent, government-wide standards for handling PII—reducing data breach risks and increasing public trust in how personal information is managed.
Public SafetyPeopleRef: Sec. 1(3)(a), (b), (c), (d)The requirement to provide training and educational materials to local governments and the public—especially on digital and mobile PII protection—builds broader digital literacy and equips residents with tools to protect themselves, particularly in underserved communities.
EducationPeopleRef: Sec. 1(4)(a)By formally requiring review of major projects—including AI systems—that involve PII, the bill helps prevent harmful or biased algorithmic deployments in state and local services (e.g., welfare eligibility, policing, housing), protecting vulnerable populations from automated discrimination.
Public SafetyPeopleRef: Sec. 1(3)(e)
Potential Concerns (3)
Local governments are required to engage with the Office of Privacy and Data Protection on projects involving PII—including AI—though the bill does not mandate formal consultation or impose penalties for noncompliance, creating potential ambiguity in implementation and added administrative burden without dedicated funding.
Local GovernmentLean peopleRef: Sec. 1(3)(e)The bill shifts performance metrics away from activity counts (e.g., number of trainings) toward outcomes like policy improvements and technical assistance requests—but these metrics require significant data collection and reporting from local governments, increasing administrative overhead without guaranteed state reimbursement.
Local GovernmentLean peopleRef: Sec. 1(5)(a), (d), (e), (g)The bill explicitly states it relies on existing resources and staff to carry out expanded duties, meaning no new funding is allocated—potentially straining current staffing and diverting resources from other local priorities.
Local GovernmentRef: Fiscal Impact section
Who Is Most Affected
State agencies benefit from centralized privacy guidance and standardized training, reducing legal and compliance risks—but must allocate staff time for annual reviews and training, which may strain limited resources.
State employees gain standardized, mandatory privacy training that improves data-handling practices and protects them from liability—but may perceive the training as burdensome if not well-designed or relevant to their roles.
Local governments receive valuable technical assistance and training on PII protection, especially helpful for smaller jurisdictions with limited legal or IT staff—but may face added reporting and consultation obligations without new funding.
The general public gains stronger protections against misuse of personal data, especially from AI systems and digital services—and gains clearer avenues to report concerns or access education—making this a broadly positive impact.
Vulnerable populations (e.g., low-income, elderly, non-English speakers) benefit from enhanced data protections and public education efforts, but may be less able to access training or reporting mechanisms without targeted outreach.