Sign Up for Alerts
Sign up to receive receive industry-specific emails from our legal team.
Sign Up for Alerts
We provide tailored, industry-specific legal updates to our clients and other friends of the firm.
Areas of Interest
July 11th, 2017
Third State Adopts Biometric Privacy Law
On June 1, 2017, Washington State joined Illinois and Texas as the third state to pass a biometric privacy law. The law, H.B. 1493, which goes into effect July 23, 2017, covers any business entity that collects biometric identifiers for commercial purposes.
What is Biometric Information?
The law defines biometric information as automatically measured fingerprint, voiceprint, retina or iris scan or other unique biological identifier. The definition explicitly states it does not include photographs, basic audio recordings, or anything generated for healthcare purposes.
Biometric identifiers are also different than user IDs and passwords. Two people can have the same password, even on the same protected computer network. As anyone who has tried to sign up for a Gmail account can attest, two people can definitely have the same user ID. However, no two people have the same biometrics; they are entirely unique to one individual.
What Does the Law Address?
The law prohibits a person from enrolling "a biometric identifier in a database for a commercial purpose, without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose." The statute allows for an opt-out of subsequent commercial use as a substitute, in some instances, for notice and consent for general collection and use. However, if a company collecting the biometric identifier wants to sell, lease, or disclose the biometric identifier, notice and consent is generally required. The consent required by the statute is "context-dependent," which is flexible by design and likely welcome by web and application developers. Mirroring Federal Trade Commission guidelines, the law also requires covered entities to protect biometric identifiers with reasonable security measures, and to maintain biometric identifiers only as long as reasonably required.
Special Considerations in the Law.
There is no private right of action under the Washington law. As with the Texas biometric law, H.B. 1493 does not create a private right of action to allow for suits by individual plaintiffs. Instead, only the Washington Attorney General can enforce the requirements. The Illinois law currently is the only state biometric statute that includes a private right of action.
Takeaway.
As the new Washington legislation makes clear, regulators are increasingly focusing on the storage and distribution of biometric data. To reduce business and regulatory risk, businesses that collect biometric data will need to establish or amend their privacy and data protection policies. If you have any questions about the rules governing biometric data, or about any other privacy and data security issues, contact S. Gregory Boyd at (212) 826 5581 or gboyd@fkks.com, Jeremy Goldman at (310) 579 9611 or jgoldman@fkks.com, Terri Seligman at (212) 826 5580 or tseligman@fkks.com, or any other member of the Frankfurt Kurnit Privacy & Data Security Group.
Other Privacy & Data Security Law Alerts
New York Regulator Says Even One Access Control Failure Can Invalidate Years of Compliance Certifications
The New York Department of Financial Services (“NYDFS”) recently entered into a Consent Order (the “Consent Order”) with EyeMed Vision Care LLC (“EyeMed”) over violations of the agency’s Cybersecurity Requirements (23 NY CRR Part 500) (“Part 500”). Read more.
October 26 2022
Privacy News for Q2 2022
A summary of privacy news and trends we have seen in the first half of 2022. Read more.
June 2 2022
Does Your Loyalty Program Violate the CCPA?
California Attorney General Rob Bonta tweeted and released a statement that his office has sent warning letters to businesses in a variety of industries for alleged failure to comply with CCPA. Read more.
February 3 2022
