Frankfurt Kurnit Klein & Selz

July 11th, 2017

Third State Adopts Biometric Privacy Law

On June 1, 2017, Washington State joined Illinois and Texas as the third state to pass a biometric privacy law. The law, H.B. 1493, which goes into effect July 23, 2017, covers any business entity that collects biometric identifiers for commercial purposes.

What is Biometric Information?

The law defines biometric information as automatically measured fingerprint, voiceprint, retina or iris scan or other unique biological identifier. The definition explicitly states it does not include photographs, basic audio recordings, or anything generated for healthcare purposes.

Biometric identifiers are also different than user IDs and passwords. Two people can have the same password, even on the same protected computer network. As anyone who has tried to sign up for a Gmail account can attest, two people can definitely have the same user ID. However, no two people have the same biometrics; they are entirely unique to one individual.

What Does the Law Address?

The law prohibits a person from enrolling "a biometric identifier in a database for a commercial purpose, without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose." The statute allows for an opt-out of subsequent commercial use as a substitute, in some instances, for notice and consent for general collection and use. However, if a company collecting the biometric identifier wants to sell, lease, or disclose the biometric identifier, notice and consent is generally required. The consent required by the statute is "context-dependent," which is flexible by design and likely welcome by web and application developers. Mirroring Federal Trade Commission guidelines, the law also requires covered entities to protect biometric identifiers with reasonable security measures, and to maintain biometric identifiers only as long as reasonably required.

Special Considerations in the Law.

There is no private right of action under the Washington law. As with the Texas biometric law, H.B. 1493 does not create a private right of action to allow for suits by individual plaintiffs. Instead, only the Washington Attorney General can enforce the requirements. The Illinois law currently is the only state biometric statute that includes a private right of action.

Takeaway.

As the new Washington legislation makes clear, regulators are increasingly focusing on the storage and distribution of biometric data. To reduce business and regulatory risk, businesses that collect biometric data will need to establish or amend their privacy and data protection policies. If you have any questions about the rules governing biometric data, or about any other privacy and data security issues, contact S. Gregory Boyd at (212) 826 5581 or gboyd@fkks.com, Tanya Forsheit at (310) 579 9615 or tforsheit@fkks.com, Jeremy Goldman at (310) 579 9611 or jgoldman@fkks.com, Terri Seligman at (212) 826 5580 or tseligman@fkks.com, or any other member of the Frankfurt Kurnit Privacy & Data Security Group.