Skip to main content

HB 2606

Signed

House

Office of privacy and data

Concerning performance measures, duties, and reporting requirements for the office of privacy and data protection.

How does a bill become law?
  1. Introduced: The bill is filed and assigned a number.
  2. Committee: A subject-matter committee holds hearings, takes public testimony, and decides whether to advance the bill.
  3. Floor Vote: The full chamber (House or Senate) debates and votes on the bill.
  4. Opposite Chamber: The bill repeats the committee and floor vote process in the other chamber.
  5. Governor: The Governor reviews the bill and decides whether to sign or veto it.
  6. Signed: The bill has been signed into law.
Introduced: January 20, 2026
Last Action: March 9, 2026
Status: C 9 L 26

AI Analysis

This analysis was generated by AI and may contain errors. It is not legal advice. Always refer to the official bill text for authoritative information.
People & CommunitiesPeople-leaningCorporate & Wealthy Interests

This bill strengthens the Office of Privacy and Data Protection by clarifying its duties, expanding its reporting requirements, and shifting performance metrics to focus on outcomes — like improved agency practices and public engagement — rather than just activity counts. It also formalizes the office’s role in reviewing AI and PII-related projects across state and local government.

  • Formally establishes the Office of Privacy and Data Protection within the Washington State Office of the Chief Information Officer to serve as a central hub for data privacy and protection policy.
  • Requires the office to conduct annual privacy reviews of state agencies and annual privacy training for agency staff.
  • Mandates the office to develop and share privacy best practices, coordinate data protection efforts with agencies, and review major projects involving personally identifiable information (PII) — including those using artificial intelligence.
  • Tasks the office with supporting local governments and the public by offering training, educational materials, and technical assistance on data privacy and protection.
  • Requires the office to submit a performance report to the legislature every four years, including new metrics on training outcomes, public outreach, technical assistance requests, and completed privacy threshold analyses and impact assessments.
  • Adds new performance measures to track real-world impact — such as improvements in agency policies, public engagement, and staff certifications — rather than just counting training attendance.

Who is affected

  • State agenciesState agencies must participate in annual privacy reviews and training, and consult with the office on projects involving personally identifiable information (PII), including AI systems.
  • State employeesState employees must complete annual privacy training and follow updated privacy policies and practices guided by the office.
  • Local governmentsLocal governments receive guidance, training, and technical assistance from the office on collecting and protecting PII, and may request support for privacy-related initiatives.
  • General publicWashington residents benefit from increased transparency and protection of their personal data, and can contact the office for education or to report concerns.
Effective: July 28, 2025Fiscal impact: The bill does not specify new funding or cost savings; it relies on existing resources and staff to carry out new reporting and coordination duties. Fiscal impact would depend on whether additional staffing or training resources are needed to meet expanded responsibilities.
Model: Intel/Qwen3-Coder-Next-int4-AutoRoundGenerated: Mar 19, 2026 at 8:09 PM

Pro/Con Analysis

Stronger case for benefits

Potential Benefits (5)
  • By requiring the office to develop and disseminate privacy best practices—including training for local governments—and educate the public on protecting PII, the bill enhances transparency and empowers residents to safeguard their personal data, reducing risks of identity theft and misuse.

    Public SafetyPeopleRef: Sec. 1(4)(a), (b)
  • The shift to outcome-based performance metrics—such as improvements in agency policies, training participant evaluations, and completion of privacy threshold analyses and impact assessments—creates measurable accountability for protecting residents’ data and ensures that training and outreach translate into real-world protections.

    Public SafetyPeopleRef: Sec. 1(5)(a), (d), (e), (g)
  • Mandating annual privacy reviews, training, and best-practice development for state agencies ensures consistent, government-wide standards for handling PII—reducing data breach risks and increasing public trust in how personal information is managed.

    Public SafetyPeopleRef: Sec. 1(3)(a), (b), (c), (d)
  • The requirement to provide training and educational materials to local governments and the public—especially on digital and mobile PII protection—builds broader digital literacy and equips residents with tools to protect themselves, particularly in underserved communities.

    EducationPeopleRef: Sec. 1(4)(a)
  • By formally requiring review of major projects—including AI systems—that involve PII, the bill helps prevent harmful or biased algorithmic deployments in state and local services (e.g., welfare eligibility, policing, housing), protecting vulnerable populations from automated discrimination.

    Public SafetyPeopleRef: Sec. 1(3)(e)
Potential Concerns (3)
  • Local governments are required to engage with the Office of Privacy and Data Protection on projects involving PII—including AI—though the bill does not mandate formal consultation or impose penalties for noncompliance, creating potential ambiguity in implementation and added administrative burden without dedicated funding.

    Local GovernmentLean peopleRef: Sec. 1(3)(e)
  • The bill shifts performance metrics away from activity counts (e.g., number of trainings) toward outcomes like policy improvements and technical assistance requests—but these metrics require significant data collection and reporting from local governments, increasing administrative overhead without guaranteed state reimbursement.

    Local GovernmentLean peopleRef: Sec. 1(5)(a), (d), (e), (g)
  • The bill explicitly states it relies on existing resources and staff to carry out expanded duties, meaning no new funding is allocated—potentially straining current staffing and diverting resources from other local priorities.

    Local GovernmentRef: Fiscal Impact section

Who Is Most Affected

State agenciesMixed Impact

State agencies benefit from centralized privacy guidance and standardized training, reducing legal and compliance risks—but must allocate staff time for annual reviews and training, which may strain limited resources.

State employeesMixed Impact

State employees gain standardized, mandatory privacy training that improves data-handling practices and protects them from liability—but may perceive the training as burdensome if not well-designed or relevant to their roles.

Local governmentsMixed Impact

Local governments receive valuable technical assistance and training on PII protection, especially helpful for smaller jurisdictions with limited legal or IT staff—but may face added reporting and consultation obligations without new funding.

General publicPositive Impact

The general public gains stronger protections against misuse of personal data, especially from AI systems and digital services—and gains clearer avenues to report concerns or access education—making this a broadly positive impact.

Vulnerable populationsMixed Impact

Vulnerable populations (e.g., low-income, elderly, non-English speakers) benefit from enhanced data protections and public education efforts, but may be less able to access training or reporting mechanisms without targeted outreach.

Sponsors

Representative Barnard(Republican)District 8Primary
Representative Ryu(Democrat)District 32Secondary
Representative Nance(Democrat)District 23Secondary
Representative Timmons(Democrat)District 42Secondary