- Published Articles
- In the Press
- Press Releases
Sign Up for Alerts
Sign up to receive receive industry-specific emails from our legal team.
Sign Up for Alerts
We provide tailored, industry-specific legal updates to our clients and other friends of the firm.
Areas of Interest
July 11th, 2017
Third State Adopts Biometric Privacy Law
On June 1, 2017, Washington State joined Illinois and Texas as the third state to pass a biometric privacy law. The law, H.B. 1493, which goes into effect July 23, 2017, covers any business entity that collects biometric identifiers for commercial purposes.
What is Biometric Information?
The law defines biometric information as automatically measured fingerprint, voiceprint, retina or iris scan or other unique biological identifier. The definition explicitly states it does not include photographs, basic audio recordings, or anything generated for healthcare purposes.
Biometric identifiers are also different than user IDs and passwords. Two people can have the same password, even on the same protected computer network. As anyone who has tried to sign up for a Gmail account can attest, two people can definitely have the same user ID. However, no two people have the same biometrics; they are entirely unique to one individual.
What Does the Law Address?
The law prohibits a person from enrolling "a biometric identifier in a database for a commercial purpose, without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose." The statute allows for an opt-out of subsequent commercial use as a substitute, in some instances, for notice and consent for general collection and use. However, if a company collecting the biometric identifier wants to sell, lease, or disclose the biometric identifier, notice and consent is generally required. The consent required by the statute is "context-dependent," which is flexible by design and likely welcome by web and application developers. Mirroring Federal Trade Commission guidelines, the law also requires covered entities to protect biometric identifiers with reasonable security measures, and to maintain biometric identifiers only as long as reasonably required.
Special Considerations in the Law.
There is no private right of action under the Washington law. As with the Texas biometric law, H.B. 1493 does not create a private right of action to allow for suits by individual plaintiffs. Instead, only the Washington Attorney General can enforce the requirements. The Illinois law currently is the only state biometric statute that includes a private right of action.
As the new Washington legislation makes clear, regulators are increasingly focusing on the storage and distribution of biometric data. To reduce business and regulatory risk, businesses that collect biometric data will need to establish or amend their privacy and data protection policies. If you have any questions about the rules governing biometric data, or about any other privacy and data security issues, contact S. Gregory Boyd at (212) 826 5581 or firstname.lastname@example.org, Tanya Forsheit at (310) 579 9615 or email@example.com, Jeremy Goldman at (310) 579 9611 or firstname.lastname@example.org, Terri Seligman at (212) 826 5580 or email@example.com, or any other member of the Frankfurt Kurnit Privacy & Data Security Group.
Other Privacy & Data Security Law Alerts
Privacy Shield: Year One Updates You Need To Know
This month we're celebrating Privacy Shield's first birthday with an update on everything Privacy Shield. There have been a number of developments on the Privacy Shield-front that companies certified or seeking self-certification under Privacy Shield need to know.
October 17 2017
Class Action Lawsuits Over Alleged COPPA Violations Reinforce Importance of Compliance
Earlier this month, three class action lawsuits were filed against companies for alleged violations of the Children's Online Privacy Protection Act ("COPPA").
August 22 2017
Children’s Privacy: FTC Issues New COPPA Guidance for IoT and Connected Devices
Last week, the Federal Trade Commission ("FTC") released a new report, Six-Step Compliance Plan for Your Business, to help companies understand their obligations under the Children's Online Privacy Protection Act ("COPPA").
June 28 2017