Sign Up for Alerts
Sign up to receive receive industry-specific emails from our legal team.
Sign Up for Alerts
We provide tailored, industry-specific legal updates to our clients and other friends of the firm.
Areas of Interest
July 11th, 2017
Third State Adopts Biometric Privacy Law
On June 1, 2017, Washington State joined Illinois and Texas as the third state to pass a biometric privacy law. The law, H.B. 1493, which goes into effect July 23, 2017, covers any business entity that collects biometric identifiers for commercial purposes.
What is Biometric Information?
The law defines biometric information as automatically measured fingerprint, voiceprint, retina or iris scan or other unique biological identifier. The definition explicitly states it does not include photographs, basic audio recordings, or anything generated for healthcare purposes.
Biometric identifiers are also different than user IDs and passwords. Two people can have the same password, even on the same protected computer network. As anyone who has tried to sign up for a Gmail account can attest, two people can definitely have the same user ID. However, no two people have the same biometrics; they are entirely unique to one individual.
What Does the Law Address?
The law prohibits a person from enrolling "a biometric identifier in a database for a commercial purpose, without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose." The statute allows for an opt-out of subsequent commercial use as a substitute, in some instances, for notice and consent for general collection and use. However, if a company collecting the biometric identifier wants to sell, lease, or disclose the biometric identifier, notice and consent is generally required. The consent required by the statute is "context-dependent," which is flexible by design and likely welcome by web and application developers. Mirroring Federal Trade Commission guidelines, the law also requires covered entities to protect biometric identifiers with reasonable security measures, and to maintain biometric identifiers only as long as reasonably required.
Special Considerations in the Law.
There is no private right of action under the Washington law. As with the Texas biometric law, H.B. 1493 does not create a private right of action to allow for suits by individual plaintiffs. Instead, only the Washington Attorney General can enforce the requirements. The Illinois law currently is the only state biometric statute that includes a private right of action.
Takeaway.
As the new Washington legislation makes clear, regulators are increasingly focusing on the storage and distribution of biometric data. To reduce business and regulatory risk, businesses that collect biometric data will need to establish or amend their privacy and data protection policies. If you have any questions about the rules governing biometric data, or about any other privacy and data security issues, contact S. Gregory Boyd at (212) 826 5581 or gboyd@fkks.com, Jeremy Goldman at (310) 579 9611 or jgoldman@fkks.com, Terri Seligman at (212) 826 5580 or tseligman@fkks.com, or any other member of the Frankfurt Kurnit Privacy & Data Security Group.
Other Privacy & Data Security Law Alerts
iOS 15 Brings New Privacy Controls That Will Impact Advertising Initiatives
After months in beta, Apple is releasing iOS 15 to the public. Building upon the Privacy Nutrition Labels and App Tracking Transparency (ATT) framework introduced in iOS 14.5, iOS 15 introduces new privacy controls that will impact brand marketing initiatives and the ad tech ecosystem. Although these controls are not an iOS 14.5-caliber seismic event, they are yet another example of how platform providers have become de facto regulators of privacy. Read more.
September 20 2021
New York City Restricts Collection of Biometric Identifiers
Major US municipalities are lining up to regulate business use of technologies to collect biometric identifiers and information. For example, Portland, Oregon, banned the use of face recognition technologies earlier this year. Now, New York City businesses must comply with a new law too: Effective July 9, 2021, any commercial establishment in New York City that collects, retains, converts, stores or shares biometric identifier information of customers must disclose such activity using clear and conspicuous signage near all customer entrances. Read more.
July 7 2021
Business Takeaways from the FTC $5 Billion Settlement with Facebook
On July 24, 2019, the FTC announced a $5 billion settlement with Facebook to address Facebook’s alleged violations of the FTC Act and its 2012 consent order with the FTC. Read more.
July 26 2019
