Office of Privacy and Data Protection
Preliminary Report | September 2025
Stephanie Seto, Francisco Santamarina, research analysts
Ryan McCord, audit director; Eric Thomas, legislative auditor
Legislative Auditor's conclusion
The Office of Privacy and Data Protection (OPDP) meets statutory responsibilities and receives high user satisfaction. However, the Legislature should update OPDP's mandate to align with its capacity and focus.
Key points
- OPDP advises state agencies on managing personal information. 82% of state agency staff who use OPDP resources said it met all or most of their needs.
- OPDP connects local governments to federal and state resources to increase privacy awareness.
- Since 2020, OPDP has focused more on supporting state and local governments and less on public outreach.
- OPDP stopped publishing a broadband equity report because the Legislature created another agency that is responsible for broadband development, access, and reporting.
- OPDP measures its performance, but its metrics do not fully align with its new focus or assess whether its efforts improve privacy and data protection in the state.
Personal information is information that is identifiable, directly or indirectly, to a specific individual.
Privacy and data protection refers to how agencies collect and manage the use of personal information. This includes the right of an individual to control the use of their personal information as well as the policies and safeguards in place to protect the collected data.
In this report, "privacy" refers to privacy and data protection.
Executive summary
In 2016, the Legislature directed the Joint Legislative Audit and Review Committee (JLARC) to conduct a program and fiscal review of the Office of Privacy and Data Protection (OPDP or "the office").
OPDP's responsibilities include providing state agency support, serving as a resource to local governments, and educating the public on privacy issues.
OPDP advises state agencies on managing personal information. 82% of state agency staff who use OPDP resources said it met all or most of their needs.
OPDP is part of Washington Technology Services (WaTech), the executive branch’s technology agency. The chief privacy officer, appointed by WaTech’s director, leads the office. For the majority of JLARC’s audit of OPDP, which took place between February and June of 2025, OPDP had 3.5 employees, including the chief privacy officer.
Washington was one of the first states to have a statewide chief privacy officer. The state created OPDP to serve as the central point of contact for state agencies on privacy and data protection issues.
Statute gave the office five specific duties to serve state agencies. As shown in Figure 1, it has met these responsibilities.
Figure 1: OPDP meets its five statutory responsibilities to state agencies
Statutory responsibility | Met? | Example action |
---|---|---|
Conduct an annual privacy review | Y | Conducts annual survey of state agencies and their privacy practices |
Conduct annual state agency training | Y | Holds regular webinars on privacy topics, e.g., privacy and artificial intelligence |
Articulate privacy principles and best practices | Y | Established the Washington State Agency Privacy Principles |
Coordinate data protection | Y | Helps with data-incident response, including data breaches |
Review IT projects with personal information | Y | Created processes that help identify and reduce privacy risks |
Source: RCW 43.105.369 and JLARC staff analysis.
Another office within WaTech, the Office of Cybersecurity, handles cybersecurity for state government. While there is overlap between cybersecurity and privacy, the two functions are distinct. Cybersecurity involves protecting networks, systems, and data from unauthorized use or access. Privacy ensures the proper handling and protection of personal information.
State agencies are satisfied with services
JLARC staff surveyed state agencies to learn how their staff access OPDP resources and whether they find the resources helpful. The survey found that 82% of state agency staff who use OPDP resources said the office met all or most of their privacy and data protection needs.
Figure 2: 82% of state agency staff who use OPDP resources said the office met all or most of their privacy and data protection needs
Note: Percentages do not total 100% due to rounding.
Source: JLARC staff analysis.
In both the survey and interviews, JLARC staff found that respondents from smaller (fewer than 100 employees) state agencies reported less direct interaction with OPDP than respondents from larger agencies.
In the 2024 supplemental budget, WaTech requested and received funding for an additional OPDP employee to support small agencies. This employee will help small agencies integrate privacy into their policies and processes.
OPDP connects local governments to federal and state resources to increase privacy awareness
State law requires that OPDP develop best practices and training on privacy for local governments. OPDP provides resources, meets with local government associations, participates on committees, and offers workshops and training.
OPDP also works to raise privacy awareness through the federally funded State and Local Cybersecurity Grant Program (SLCGP).
Since 2020, OPDP has focused more on supporting state and local governments and less on public outreach
Between 2016 and 2020, OPDP focused more of its resources on public education.
In 2020, OPDP identified a growing need for outreach to state agencies and local governments through the office's annual privacy review and feedback from local governments. At the same time, the COVID-19 pandemic limited OPDP's ability to continue in-person public outreach. In response, OPDP adjusted its priorities to focus on state and local government support.
In the 2021-23 budget, OPDP requested funding for an employee to support local governments and another to support public education. The Legislature funded the local government position but not the public education position.
OPDP has some resources specifically intended for the public. It also directs public complaints about privacy to agencies with appropriate enforcement authority.
Other organizations, including libraries and state-funded programs, provide the public with educational resources that address or discuss privacy.
OPDP stopped publishing a broadband equity report because the Legislature created another agency that is responsible for broadband development, access, and reporting
If resources allow, statute directs OPDP to submit a broadband equity report to the Legislature at least every four years.
Another state agency, the Washington State Broadband Office (WSBO), has a similar reporting requirement. A key difference is that WSBO's report does not have an equity component.
OPDP stopped producing its broadband equity report after the 2019 Legislature established WSBO and its reporting requirement. WSBO's mandate better aligns with the responsibility of producing the report.
The Office of Financial Management proposed legislation to remove OPDP's broadband equity reporting requirement. Legislation to remove OPDP's reporting requirement has not passed.
OPDP measures its performance, but its metrics do not fully align with its new focus or assess whether its efforts improve privacy and data protection in the state
As required by state law, OPDP published an initial performance report in 2017, and subsequent reports in 2020 and 2024. However, given OPDP's current focus, the required measures in these reports may no longer fully capture OPDP's activities.
OPDP's current measures do not reflect long-term outcomes or assess whether efforts effectively improve privacy and data protection in the state. Best practices suggest that agencies connect their performance measures to outcomes. This would allow OPDP to assess the effect of its activities on privacy in the state.
Legislative Auditor's recommendations
- In consultation with OPDP, the Legislature should review and update OPDP statute to align with its current capacity and focus.
- OPDP should develop and use performance measures to evaluate its long-term effect on privacy and data protection for Washington residents.
You can find additional information in the Recommendations section.
Part 1.
OPDP overview
The 2016 Legislature established the Office of Privacy and Data Protection (OPDP or "the office"). The Legislature intended OPDP to serve as a central point of contact for state agencies on policy matters involving privacy and data protection. Washington was one of the first states to have a statewide chief privacy officer.
The bill also directed JLARC to conduct a program and fiscal review of OPDP.
State law requires OPDP to fulfill seven responsibilities, which fall into three categories:
- Providing state agency support.
- Serving as a resource to local governments.
- Educating the public on privacy issues.
Privacy and data protection refers to how agencies collect and manage the use of personal information. This includes the right of an individual to control the use of their personal information as well as the policies and safeguards in place to protect the collected data. Personal information is information that is identifiable, directly or indirectly, to a specific individual.
In this report, "privacy" refers to privacy and data protection.
OPDP's responsibilities are discussed in more detail below:
Figure 3: Per state law, OPDP has seven responsibilities to state agencies, local governments, and the public
Served entity | Description of responsibilities |
---|---|
State agencies |
|
Local governments |
|
The public |
|
Source: RCW 43.105.369.
OPDP is part of the executive branch's technology agency
OPDP is an office within Washington Technology Solutions (WaTech). WaTech manages the state's digital infrastructure and sets technology policy. WaTech's director appoints the chief privacy officer, who manages OPDP.
JLARC's review of the office occurred between February and June of 2025. Throughout JLARC's audit, OPDP had a staff of 3.5 employees, including the chief privacy officer. In the 2024 supplemental budget, WaTech requested and received funding for an additional OPDP employee. OPDP's staff increased to 4.5 employees on July 1, 2025.
To fulfill its responsibilities, OPDP publishes the resources and training it develops on WaTech's website. The information is publicly available. OPDP also helps WaTech develop its privacy-related policies and procedures.
OPDP expenditures align with its requirements in state law
From 2016 until 2021, WaTech supported OPDP from its overall appropriation. The Legislature set a dedicated appropriation for OPDP of $2,960,000 in the 2021-23 biennium. The Legislature set a dedicated appropriation for OPDP of $2,737,000 in the 2023-25 biennium.
Over the last two biennia, $2,558,000 of OPDP's spending was on salaries and benefits. OPDP staff work directly with state and local agencies, as required by law. Another $1,585,000 was spent on administrative costs, including overhead expenses to WaTech, conference travel, and goods and services, such as office supplies. OPDP spent $637,000 on contractors to develop educational materials and resources for state and local governments. Of that, $599,000 was spent in the 2021-23 biennium.
Figure 4: OPDP's expenditures per category for the last two biennia align with its statutory requirements
Note: Data for the 2023-25 biennium is incomplete because it was reported before the close of the biennium. WaTech administration expenditures include goods and services, travel, capital outlays, and overhead or indirect expenses.
Source: JLARC staff analysis of OPDP fiscal data from the 2021-23 and 2023-25 biennia, as of July 10, 2025.
A separate office within WaTech handles cybersecurity
While there is overlap between privacy and cybersecurity, the functions are distinct. Cybersecurity involves protecting networks, systems, and collected data, like personal information, from unauthorized use or access. Privacy ensures the proper handling and protection of personal information.
OPDP is tasked with providing resources to help ensure Washington residents' data is private. It does this by helping the state develop privacy policies and procedures. The Office of Cybersecurity, also within WaTech, protects state government from cyber threats. It also creates cybersecurity standards and policies.
OPDP and the Office of Cybersecurity collaborate using shared processes and procedures with the goal of ensuring residents' personal information is secure, private, and handled responsibly.
Part 2.
State agencies
Per state law, OPDP has five responsibilities related to serving state agencies:
- Conduct an annual privacy review of state agencies.
- Conduct annual privacy training for state agencies.
- Articulate privacy principles and best practices.
- Help coordinate data protection efforts.
- Review state agency projects with personal information.
The office conducts an annual privacy review of state agencies
The annual privacy review is a survey that assesses state agencies' privacy practices. Agency responses help OPDP develop future resources and training. Survey results from 2020 onward are available on WaTech's website.
The annual privacy review asks state agencies about whether they have:
- Mandatory privacy training.
- Dedicated privacy staff.
- Privacy policies (how information is collected, used, and shared in an agency).
In 2020, OPDP began investing more in privacy training and resource development. Privacy review results show that between 2020 and 2024, state agency privacy programs grew (see Figure 5).
In the 2024 annual privacy review, 70 agencies reported to OPDP that they collect personal information.
Figure 5: Between 2020 and 2024, state agency privacy programs grew
Source: JLARC staff analysis of OPDP annual privacy review data from 2020 and 2024.
OPDP provides privacy training for state agencies
OPDP's training includes:
- Monthly webinars on privacy topics. OPDP records the webinars and posts them to YouTube. Between 2020 and 2024, OPDP posted 63 webinars with 5,847 views.
- Two-day workshops for government employees on how to develop a privacy program. To date, 93 public agency employees attended workshops.
- Online trainings on the Department of Enterprise Services' Learning Center.
- Grant-funded vouchers for public agency employees to earn privacy certification. OPDP received $85,000 to support 100 vouchers.
- Two ongoing discussion groups for privacy professionals and for state agency staff.
OPDP created the Washington State Agency Privacy Principles
With state agency input, OPDP published the Washington State Agency Privacy Principles (Privacy Principles). The Privacy Principles aim to establish a common understanding of how to implement privacy. State agencies use these principles as guidance when developing their internal privacy policies and procedures.
According to OPDP, it embedded equity considerations into the Privacy Principles. For example, under the "lawful, fair, and responsible use" principle, agencies should consider stricter standards when collecting and managing information from vulnerable populations.
OPDP has additional guidance available on WaTech's website, including:
- A data-breach assessment for state and local government.
- A template for data-sharing agreements between state agencies.
- The state's enterprise privacy and data protection policy.
With WaTech, the office helps coordinate data protection efforts
In coordination with WaTech, OPDP staff serve on state workgroups and committees, including the state's Artificial Intelligence Task Force. OPDP also integrated key privacy processes, including the annual privacy review and its privacy assessment process, into WaTech policies and procedures. Per WaTech policy, the chief privacy officer participates in state incident-response efforts, including data-breach responses, along with other members of WaTech leadership.
OPDP reviews state agency projects that include personal information
OPDP reviews all new state agency IT projects or updates that involve the use and collection of personal information.
The privacy assessment process includes two parts: the privacy threshold analysis and the privacy impact assessment.
- The privacy threshold analysis is a brief, initial review to decide if a project has heightened privacy risks. For example, a project may have heightened risk if the agency plans to collect information about minors.
- The privacy impact assessment occurs if OPDP finds heightened risk. The assessment helps the project implementor do the following:
- Incorporate the Privacy Principles.
- Identify and document privacy risks.
- Select appropriate strategies to mitigate risk.
An agency cannot move forward with a project until OPDP reviews the project's privacy threshold analysis. However, an agency can move forward while its privacy impact assessment is outstanding.
As of February 2025, OPDP reviewed 306 privacy threshold analyses. Thirty-eight required privacy impact assessments.
State agency staff who use OPDP resources report satisfaction with the office
JLARC staff surveyed state employees who had interacted with OPDP.
JLARC staff reached out to 287 staff from 78 agencies. One hundred twenty-seven staff from 49 agencies responded, a 44% response rate. JLARC staff also selected six survey respondents for in-depth interviews. Details about the approach and methods are in Appendix B.
The survey found that 82% of state agency staff who use OPDP resources said the office met all or most of their privacy and data protection needs. No respondent indicated that few or none of their needs were met.
Figure 6: 82% of state agency staff who use OPDP resources said the office met all or most of their privacy and data protection needs
Note: Percentages do not total 100% due to rounding.
Source: JLARC staff analysis.
Responses from open-ended survey questions and interviewees reflected respondents' satisfaction with OPDP. Agency staff reported that OPDP:
- Supported their work.
- Responded to issues.
- Worked effectively as a team.
When asked about other privacy resources, 75% of the 122 agency staff who answered the question said no other resources gave them the same kind of information as OPDP.
The survey also asked agency staff about changes they had made after using OPDP's resources. Of the 124 agency staff who responded to the question, 67% said they made changes to the way they manage privacy.
Agency staff reported making the following changes after using OPDP's resources:
- Developing formal privacy programs.
- Implementing privacy training.
- Updating privacy policies and procedures.
OPDP hired additional staff to help address small state agencies' privacy needs
In both the survey and interviews, JLARC staff found that respondents from smaller state agencies reported less direct interaction with OPDP than respondents from larger agencies.
OPDP recognizes the need for more small agency support. In the 2024 supplemental budget, WaTech requested and received funding for an additional OPDP employee to support small state agencies.
The role of this employee will be to do the following:
- Help small agencies adopt privacy practices.
- Serve as the privacy officer for the 19 agencies taking part in WaTech's Small Agency IT Support Services program. This program provides enterprise IT support to agencies with fewer than 50 employees.
OPDP filled the position, which began on July 1, 2025.
Part 3.
Local governments
OPDP has one statutory responsibility for serving local governments: develop best practices and training on privacy. Statute defines local governments as all municipal and quasi-municipal subdivisions. This includes counties, cities, towns, and special districts.
OPDP shares privacy resources with local governments through communication and direct support
OPDP uses a "whole-of-state" approach to provide resources to local governments. This means it partners with all levels of government to encourage collaboration and share privacy resources across the state, including best practices, resources, and trainings.
OPDP's outreach is through committee participation and communications. OPDP communicates via its two privacy-focused discussion groups and its e-newsletter. It advertises privacy trainings and workshops through its e-newsletter.
In one case, Snohomish County contacted OPDP about designing its own privacy training. OPDP shared resources with the county that it could use as the basis of the training.
OPDP collaborates with the Office of Cybersecurity on privacy awareness among local governments. OPDP found that:
- Local governments tend to prioritize cybersecurity before privacy.
- Few local governments have dedicated privacy staff.
OPDP staff provide resources related to topics where privacy and cybersecurity overlap, such as data breaches.
OPDP engages local governments through membership on cross-jurisdictional committees.
- State and Local Government Collaboration: These quarterly meetings are for WaTech and participants to provide updates on state policies and grant programs. The February 2025 meeting drew 82 participants from 53 organizations, including local school districts, fire departments, cities, and counties.
- State Interoperability Executive Committee: This committee focuses on emergency responder communication across all government levels. At the December 2024 meeting, nearly one-third of the 16 organizations represented local governments.
OPDP presented on a cybersecurity grant program and artificial intelligence at both committees. Additionally, OPDP presents at meetings of the Association of County and City Information Systems, Washington Association of County Officials, and Washington Public Utility Districts Association.
Cybersecurity Grant Program allows OPDP to reach local governments statewide
WaTech co-administers Washington's Planning Committee for the State and Local Cybersecurity Grant Program (SLCGP). The committee selects projects to apply for federal cybersecurity grant funding. As of August 2024, 30% of all 839 projects funded by the federal grant program were in Washington, representing approximately $18 million in funding.
OPDP manages the program and plays a key role in achieving the committee's goal of increasing the state's privacy capacity at the local level.
OPDP received SLCGP grants to cover the costs of International Association of Privacy Professionals certifications for public agency employees. Out of 100 vouchers, 32 went to local governments and higher education institutions. The remainder went to state agencies.
Other entities provide similar but generic supports to local governments. Some of them want to collaborate with OPDP to share resources.
JLARC staff spoke with seven local governments and related associations about their interactions with OPDP.
The Association of County and City Information Systems (ACCIS) and the Municipal Research and Services Center (MRSC) provide training and material to local governments. Both ACCIS and MRSC noted that privacy is not a primary focus, but they do provide material such as privacy guidelines. WaTech and OPDP produced some of the privacy-related tools and information that MRSC distributes via its website and webinars.
The local governments and associations that JLARC staff spoke with expressed an interest in collaborating more with OPDP. They mentioned using their existing communication channels to share resources and reach more of their membership. They also discussed the kinds of resources and outreach that they would find useful, such as information about privacy and data protection practices and examples relevant to local governments.
Part 4.
The public
State law requires OPDP to educate the public about privacy and protecting personal information online.
Between 2016 and 2020, OPDP:
- Held in-person meetings in communities across the state.
- Distributed privacy guides.
- Partnered with other agencies to do public education outreach.
- Provided training to librarians and presented at their professional associations.
In 2020, OPDP identified a growing need for outreach to state agencies and local governments through the office's annual privacy review and feedback from local governments. At the same time, the COVID-19 pandemic limited OPDP's ability to continue in-person public outreach. In response, OPDP adjusted its priorities to focus on state and local government support.
OPDP requested but did not receive additional funding for public outreach
In the 2021-23 budget, OPDP requested funding for an employee to support local governments and another to support public education. OPDP received funding for one staff member to support local governments. It did not receive funding for the second staff member.
OPDP makes its resources available to the public
The public can access OPDP's published guidance on WaTech's website and through its monthly e-newsletter. As of March 19, 2025, 23% of 723 addresses subscribed to OPDP's e-newsletter mailing list are not affiliated with state or local governments.
OPDP offers resources specifically for the public about the following topics:
- Safely using public Wi-Fi.
- Video conferencing best practices.
- Privacy and equity.
OPDP maintains a dedicated email address that the public can contact with questions. While OPDP can provide guidance to the public about privacy practices, it cannot provide solutions for complaints related to privacy and data protection. It redirects those complaints to agencies with appropriate enforcement authority or resources that can help.
Other organizations also provide privacy-related resources to the public
Other organizations also provide the public with educational resources that address or discuss privacy:
- Washington State Broadband Office supported a digital navigator program that funded a variety of resources for the public. One resource provided information on accessing telehealth services and guidance on internet safety and privacy. The funding for the digital navigator program ended July 1, 2025.
- Secretary of State partners with library systems and community organizations across the state to offer free public access to digital literacy and skills courses. Some of these courses include privacy and data protection topics.
Part 5.
Reports
OPDP must publish a performance report every four years
As required by state law, OPDP published an initial performance report in 2017, and subsequent reports in 2020 and 2024. State law lists the four performance measures that OPDP must include but allows the office to design added measures as needed. The four measures include:
- The number of state agencies and employees trained.
- A report on the extent of OPDP's coordination with international and national experts on privacy, data protection, and access equity.
- A report on the implementation of data protection measures by state agencies attributable at least in part to OPDP.
- A report on public education efforts, including the number of people educated through public outreach efforts.
OPDP has changed the information it reports to reflect its priorities and operations
OPDP performance reports provide an overview of OPDP activities in the last four years. The measures required by state law are broad. This allows OPDP to design, add, and update measures as it sees fit.
OPDP adapts its reporting methods to reflect changing priorities and operations. For example, as it moved away from in-person public outreach, OPDP stopped reporting on the number of people reached through in-person contacts and website visits. Instead, it began reporting the number of people subscribed to its publicly available monthly e-newsletter and the e-newsletter's average open rate.
It also began to include local government staff in the number of agency employees it trains. It previously reported the two separately. Given OPDP's current focus, the required measures may no longer fully capture OPDP's activities. For example, OPDP no longer has much direct interaction with the public. In addition, there are no required measures focused on local government training. A description of the performance measures used in each four-year report is in Appendix C.
OPDP has begun tracking its performance annually
As part of a WaTech-wide initiative, OPDP published a privacy service action plan in January 2024. The plan is a list of measures and goals.
Plan measures overlap with those reported in OPDP's four-year performance report. However, unlike the performance report's measures, many of the plan's measures are quantitative or have identifiable annual goals. For example, the plan requires that OPDP conduct at least six webinars a year.
The process of reviewing its service action plan annually will allow OPDP to track its performance year-over-year. In 2024, OPDP met all but one of its 14 performance measures. OPDP planned to publish the results of its annual privacy review in February, but did not publish them until April. A description of 2024 service action plan metrics is in Appendix D.
Performance measures focus on outputs rather than outcomes
OPDP primarily measures its outputs. These measures show more immediate results from activities. For example, OPDP measures the number of privacy threshold analyses and privacy impact assessments it reviews.
OPDP's current measures:
- Do not reflect long-term outcomes.
- Do not assess whether efforts have effectively improved privacy protection, e.g., reduced privacy-related data incidents.
While outcomes may be outside of the office's control, best practices suggest that agencies connect their activities to outcomes. Doing so would allow OPDP to assess the effect of its activities on privacy in the state. An example of an outcome measure would be the number of agencies with privacy-related data incidents after implementing privacy policies based on OPDP's Privacy Principles.
By incorporating such outcome-based measures, OPDP could enhance the evaluation of its impact and give legislators a clearer understanding of its effectiveness.
OPDP no longer publishes a broadband equity report
If able to do so within existing resources, OPDP is required by state law to submit a broadband equity report to the Legislature at least every four years. The report must include information on telecommunications (broadband) development and inequities in access for residents of:
- Tribal lands.
- Rural areas.
- Economically distressed communities.
The broadband equity report is the only mention of broadband in OPDP's statute.
When this report was assigned to OPDP, there was no state broadband office. OPDP produced the broadband equity report in 2019. It has not produced another broadband equity report since then.
WSBO produces a broadband report that overlaps with OPDP's statute
In 2019, the Legislature established the Washington State Broadband Office (WSBO) within the Department of Commerce (Commerce). The Legislature established WSBO, in part, to improve broadband accessibility, particularly for unserved communities and populations.
WSBO's statute includes a broadband reporting requirement that overlaps with OPDP's statute. State law requires that OPDP and WSBO present the reports to the Legislature on a recurring basis and report on broadband development in Washington. WSBO's requirements for reporting on broadband development are more comprehensive than OPDP's requirements.
The broadband equity component in OPDP's report is not included in WSBO's report requirements. WSBO's 2020 report contained information about inequities specified in OPDP's mandate. WSBO's 2022 and 2024 reports did not.
WSBO and Commerce have produced other information that discusses broadband equity, including:
- The state digital equity plan.
- A report on broadband services to unserved areas.
- The digital equity dashboard.
OPDP does not currently produce a broadband equity report because:
- There is now an office explicitly charged with broadband access.
- OPDP staff consider the office's reporting requirement redundant with WSBO's report.
- OPDP does not have the resources.
Since OPDP no longer produces its broadband equity report, there are no recurring reports that are required to include information about inequities in broadband access. WSBO has a mandate to improve broadband accessibility, so it is better situated than OPDP to produce information on broadband equity.
OFM proposed legislation to remove OPDP's broadband equity reporting requirement
In 2023, the Office of Financial Management (OFM) proposed HB 1362 to revise state laws related to reports produced by state agencies. As part of that effort, it requested that OPDP's broadband equity reporting requirement be removed as obsolete and struck from state law. The bill did not pass. OPDP's broadband equity reporting requirement remains in state law.
Recommendations
The Legislative Auditor makes one recommendation to the Legislature and one recommendation to OPDP.
Recommendation #1:
In consultation with OPDP, the Legislature should review and update OPDP statute to align with its current capacity and focus.
The Legislature could review requirements for OPDP's:
- Broadband equity reporting: Another agency now has responsibility for broadband development and is better positioned to publish information on broadband access and equity. In addition, the Office of Equity has since been established to focus on statewide equity issues. If the Legislature wishes to maintain a recurring broadband equity report, it should consider assigning that responsibility to a more appropriate agency.
- Public outreach: The Legislature could consider whether these requirements align with the office's current capacity and focus. The office does not have the resources to provide additional public outreach, and other Washington organizations provide similar public resources.
- Four-year performance measures: Current required measures may no longer align with the office's focus in recent years.
Legislation required: Yes
Fiscal impact: Yes
Implementation date: At the Legislature's discretion.
Agency response: To be included in proposed final report.
Recommendation #2:
OPDP should develop and use performance measures to evaluate its long-term effect on privacy and data protection for Washington residents.
Best practice states that agencies connect activities to outcomes. OPDP's current measures do not evaluate the long-term effects of its activities. The office should adopt performance measures that help it assess whether its activities have improved privacy and data protection. For example, OPDP could track:
- The number of agencies that have adopted privacy policies and whether those agencies are less likely to experience a privacy-related data incident than agencies without privacy policies.
- Whether agencies that complete OPDP's privacy impact assessment have fewer data incidents than agencies that are assigned an assessment but do not complete it.
Legislation required: None
Fiscal impact: None
Implementation date: December 2026
Agency response: To be included in proposed final report.
Agency response
To be included in proposed final report.
Current recommendation status
JLARC staff follow up on the status of Legislative Auditor recommendations to agencies and the Legislature for four years. The most recent responses from agencies and status of the recommendations in this report can be viewed on our Legislative Auditor Recommendations page.
Appendices
Appendix A: Applicable statutes
RCW 43.105.369: Office of privacy and data protection.
RCW 43.105.020: Definitions.
RCW 43.330.532: Broadband office—Established—purpose.
RCW 43.330.538: Broadband office—Reports.
Appendix B: Feedback from agency staff
JLARC staff collected feedback from state agency staff who had:
- Signed up for OPDP's trainings, or
- Completed OPDP's 2024 annual privacy review.
This allowed JLARC staff to identify state agency employees who would be familiar with OPDP and able to provide feedback on their experiences using OPDP resources.
Survey method
JLARC staff conducted the survey with the identified sample of state agency staff between April 15, 2025, and May 1, 2025, via Survey Monkey.
The survey had approximately 17 questions. It asked participants about the following:
- The usefulness of OPDP and its resources.
- Areas of improvement for OPDP.
- Other privacy resources not provided by OPDP.
The survey was a mixture of multiple-choice and open-ended questions. The survey also asked questions about the respondent's role and agency.
JLARC staff surveyed 287 staff from 78 state agencies. One hundred twenty-seven staff from 49 agencies completed the survey, a 44% response rate. One hundred five respondents were from agencies with 100 or more employees. Twenty-two respondents were from agencies with 100 employees or fewer.
Interview method
JLARC staff selected six survey respondents for follow-up interviews. Interviewees were selected based on:
- Agency size.
- Whether the respondent served as their agency's privacy point of contact.
- How well OPDP met their needs.
Interviews were semi-structured. JLARC staff asked a set of questions of all interviewees but added other questions based on the interviewee's responses to the survey. Interviews lasted about 30 minutes.
Appendix C: Performance measures
JLARC staff compared statutorily required measures to information in OPDP's 2017, 2020, and 2024 performance reports. A description of the information OPDP provided for each required measure is listed below.
The number of state agencies and employees who have participated in annual training:
- 2017: 679 state employees from 12 agencies participated in OPDP training. OPDP conducted training with 416 local government employees.
- 2020: Between 2017 and 2020, OPDP reported training about 3,200 government employees.
- 2024: Between 2020 and 2024, 14,922 employees across 50 state agencies took the Privacy Basics Training. Eighty-two people from 32 agencies (state and local government) participated in the Privacy Primer Workshop. One hundred people from 55 agencies received International Association of Privacy Professionals certification training. OPDP's 63 webinars had 5,847 views.
A report on the extent of OPDP's coordination with international and national experts in the fields of privacy, data protection, and access equity:
- 2017: OPDP reported that it consulted with 531 experts worldwide. This number seems to have come from the total number of attendees at events OPDP attended.
- 2020: OPDP stated that it worked with outside experts to develop the Washington State Agency Privacy Principles.
- 2024: OPDP provided a narrative discussion of the external partners OPDP worked with over the last four years. Organizations include the National Association of State Chief Information Officers, the International Association of Privacy Professionals, and the National Governors Association.
A report on the implementation of data protection measures by state agencies contributable in whole or in part to OPDP's efforts:
- 2017: The 2017 report included findings and graphs from the 2016 annual privacy review survey. This included information about the types of agency privacy roles and whether agencies had data-sharing controls. The report also noted that its coordination with WaTech on data-protection efforts was ongoing.
- 2020: OPDP reported results from the 2020 annual privacy review survey. It reported the number of agencies that collected personal information, the number of agencies with a specific person dedicated to handling privacy policy, and the number of agencies with formal internal privacy policies. The report also provided a high-level overview of its coordination with the Office of Cybersecurity on data-protection efforts.
- 2024: In the 2024 performance report, OPDP expanded on the types of survey results reported from the annual privacy review. It also looked at how responses to questions changed between 2020 and 2024. Using graphs, OPDP reported how agencies ranked privacy importance, the types of privacy staff agencies have, and the number of agencies with formal privacy policies. As of February 2025, OPDP reviewed 306 privacy threshold analyses. Thirty-eight required privacy impact assessments. The report provided an overview of how OPDP works with the Office of Cybersecurity and other agencies on its data-incident efforts.
A report on public education efforts, as indicated by how frequently education documents were accessed, OPDP's participation in outreach events, and inquiries received back from consumers via telephone or other media:
- 2017: OPDP's consumer privacy website at the time (privacy.wa.gov) was accessed 60,432 times by 16,695 unique users. The report also described the privacy guide for Washington citizens, which OPDP distributed to libraries, senior centers, and other venues. OPDP also did in-person meetings with the public, but the number of participants was not quantified in the 2017 report. Instead, the number of in-person contacts is represented in a graph that combines in-person contacts, website visits, and public inquiries.
- 2020: Between 2017 and 2020, OPDP estimated that it reached about 27,100 people. This measure is represented in a graph and is a combination of in-person contacts and the number of visits to OPDP's website.
- 2024: The 2024 performance report introduced a new consumer outreach metric: the total number of subscribers and average open rate for OPDP's monthly Privacy Points e-newsletter. Subscribers increased by 308% since December 2020. The newsletter had an average open rate of 29%.
Appendix D: 2024 service action plan measures
Figure 7: OPDP's 2024 service action plan has 14 performance measures
Performance measures | Met? |
---|---|
Design and publish annual privacy review by August 10. | Y |
Publish report on annual privacy review results by February 1 annually. | N |
Assess agencies' privacy practices by measuring: | Y |
Conduct and publish at least six webinars per year on privacy. | Y |
Conduct State Agency Privacy Forum, a discussion group for all state agency staff, four times per year. | Y |
Conduct monthly Privacy Community of Practice meetings. This group is for privacy professionals. | Y |
Publish monthly OPDP newsletters to communicate training opportunities for agencies and employees. | Y |
Perform at least four OPDP public speaking engagements per year. | Y |
Publish privacy framework and model policies. | Y |
Design and publish online training for privacy principles. | Y |
Measure number of privacy threshold analyses. | Y |
Measure number of privacy impact assessments. | Y |
Source: 2024 OPDP Service Action Plan Metric Report.
Appendix E: Study questions
This study aimed to answer the following questions.
- To what extent do OPDP's activities align with legislative intent?
- How does OPDP measure its performance? How do its measures align with statutory requirements?
- To what extent do OPDP's activities overlap with those of other entities?
- What is OPDP doing to ensure equitable access to its resources for state agencies, local governments, and the public?
Methods
The methodology JLARC staff use when conducting analyses is tailored to the scope of each study, but generally includes the following:
- Interviews with stakeholders, agency representatives, and other relevant organizations or individuals.
- Site visits to entities that are under review.
- Document reviews, including applicable laws and regulations, agency policies and procedures pertaining to study objectives, and published reports, audits or studies on relevant topics.
- Data analysis, which may include data collected by agencies and/or data compiled by JLARC staff. Data collection sometimes involves surveys or focus groups.
- Consultation with experts when warranted. JLARC staff consult with technical experts when necessary to plan our work, to obtain specialized analysis from experts in the field, and to verify results.
The methods used in this study were conducted in accordance with Generally Accepted Government Auditing Standards.
More details about specific methods related to individual study objectives are described in the body of the report under the report details tab or in technical appendices.
Appendix F: Audit authority
The Joint Legislative Audit and Review Committee (JLARC) works to make state government operations more efficient and effective. The Committee is comprised of an equal number of House members and Senators, Democrats and Republicans.
JLARC's nonpartisan staff auditors, under the direction of the Legislative Auditor, conduct performance audits, program evaluations, sunset reviews, and other analyses assigned by the Legislature and the Committee.
The statutory authority for JLARC, established in Chapter 44.28 RCW, requires the Legislative Auditor to ensure that JLARC studies are conducted in accordance with Generally Accepted Government Auditing Standards, as applicable to the scope of the audit. This study was conducted in accordance with those applicable standards. Those standards require auditors to plan and perform audits to obtain sufficient, appropriate evidence to provide a reasonable basis for findings and conclusions based on the audit objectives. The evidence obtained for this JLARC report provides a reasonable basis for the enclosed findings and conclusions, and any exceptions to the application of audit standards have been explicitly disclosed in the body of this report.
JLARC members on publication date
Senators
- Leonard Christian
- Keith Goehner
- Bob Hasegawa
- Liz Lovelett
- Jesse Salomon, Assistant Secretary
- Shelly Short
- Keith Wagoner, Vice Chair
Representatives
- Stephanie Barnard
- April Berg
- Jake Fey
- Deb Manjarrez
- Stephanie McClintock
- Ed Orcutt, Secretary
- Gerry Pollet, Chair
- Shaun Scott