Sign Up for Alerts
Sign up to receive receive industry-specific emails from our legal team.
Sign Up for Alerts
We provide tailored, industry-specific legal updates to our clients and other friends of the firm.
Areas of Interest
July 11th, 2017
Third State Adopts Biometric Privacy Law
On June 1, 2017, Washington State joined Illinois and Texas as the third state to pass a biometric privacy law. The law, H.B. 1493, which goes into effect July 23, 2017, covers any business entity that collects biometric identifiers for commercial purposes.
What is Biometric Information?
The law defines biometric information as automatically measured fingerprint, voiceprint, retina or iris scan or other unique biological identifier. The definition explicitly states it does not include photographs, basic audio recordings, or anything generated for healthcare purposes.
Biometric identifiers are also different than user IDs and passwords. Two people can have the same password, even on the same protected computer network. As anyone who has tried to sign up for a Gmail account can attest, two people can definitely have the same user ID. However, no two people have the same biometrics; they are entirely unique to one individual.
What Does the Law Address?
The law prohibits a person from enrolling "a biometric identifier in a database for a commercial purpose, without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose." The statute allows for an opt-out of subsequent commercial use as a substitute, in some instances, for notice and consent for general collection and use. However, if a company collecting the biometric identifier wants to sell, lease, or disclose the biometric identifier, notice and consent is generally required. The consent required by the statute is "context-dependent," which is flexible by design and likely welcome by web and application developers. Mirroring Federal Trade Commission guidelines, the law also requires covered entities to protect biometric identifiers with reasonable security measures, and to maintain biometric identifiers only as long as reasonably required.
Special Considerations in the Law.
There is no private right of action under the Washington law. As with the Texas biometric law, H.B. 1493 does not create a private right of action to allow for suits by individual plaintiffs. Instead, only the Washington Attorney General can enforce the requirements. The Illinois law currently is the only state biometric statute that includes a private right of action.
Takeaway.
As the new Washington legislation makes clear, regulators are increasingly focusing on the storage and distribution of biometric data. To reduce business and regulatory risk, businesses that collect biometric data will need to establish or amend their privacy and data protection policies. If you have any questions about the rules governing biometric data, or about any other privacy and data security issues, contact S. Gregory Boyd at (212) 826 5581 or gboyd@fkks.com, Jeremy Goldman at (310) 579 9611 or jgoldman@fkks.com, Terri Seligman at (212) 826 5580 or tseligman@fkks.com, or any other member of the Frankfurt Kurnit Privacy & Data Security Group.
Other Privacy & Data Security Law Alerts
Privacy News for Q2 2022
A summary of privacy news and trends we have seen in the first half of 2022. Read more.
June 2 2022
Does Your Loyalty Program Violate the CCPA?
California Attorney General Rob Bonta tweeted and released a statement that his office has sent warning letters to businesses in a variety of industries for alleged failure to comply with CCPA. Read more.
February 3 2022
iOS 15 Brings New Privacy Controls That Will Impact Advertising Initiatives
After months in beta, Apple is releasing iOS 15 to the public. Building upon the Privacy Nutrition Labels and App Tracking Transparency (ATT) framework introduced in iOS 14.5, iOS 15 introduces new privacy controls that will impact brand marketing initiatives and the ad tech ecosystem. Although these controls are not an iOS 14.5-caliber seismic event, they are yet another example of how platform providers have become de facto regulators of privacy. Read more.
September 20 2021