Compliantly Using Biometric Data in Washington

Compliantly Using Biometric Data in Washington

Exponential leaps forward in technological advancement have brought companies to the point that they are rapidly unlocking shocking and, to some, frightening ways to use biometric data.

Although proponents tout the many benefits, especially to the security sector and law enforcement, there is a risk. Critics decry the dangers inherent in who controls that data, how that data is used, and how it could lead to the violation of civil liberties, the likes of which the world has never seen.

Yet, just as there was a move to pass comprehensive privacy legislation regarding data processing and security over the past few years (especially in an online environment), privacy and civil liberties advocates have also pushed lawmakers to curb the potential abuse of biometric data.

In this article, we'll be taking a look specifically at H.B. 1493, Washington state's effort at protecting the biometric data of its residents. Before we get to that, though, let's take a look at what biometric data usually encompasses.


Biometric Data Overview

Biometric information is by and large composed of such things as voiceprints, fingerprints, retinal scans, and scans of face and hand geometry. Each of these is now used regularly for identification and authentication. For instance, facial and finger biometric recognition is commonly used to authenticate credit card transactions or to login to a smartphone.

Commercial settings also use biometric information in other ways. A few examples might be using bio-data to make boarding more efficient at airports, authenticating user IDs for mobile and computer logins, tracking an employee's attendance, and verifying passenger identities.

To make that more personal, think of the following:

If you own an iPhone, every time you ask Siri to give you a weather update, unlock your phone with facial recognition, or get into your bank account by using your fingerprint, you are using biometrics to access these features.

Consider also the uses to which law enforcement can put biometric data. For instance, the police may collect fingerprints and DNA at a crime scene. They might use video or audio footage to analyze someone face, voice, or the way someone walks.

When it comes to healthcare, there may be genetic tests, retinal scans, and more.

Yet, consider the inherent danger if that data is stolen. Arguably, the theft of biometric information could be more of an issue than when personal data of other types is stolen. If biometric data is compromised, there is no way to restore its use as a security and authentication mechanism.

Specific Biometric Data Types

  • Behavior Characteristics: The way you interact with computer systems, such as the way you walk, the way you use your mouse, handwriting, keystrokes, other movements all judge how familiar you are with the data you are entering or assess who you are.
  • Hand Geometry: Measures and records the thickness, width, length, and surface area of your hand. Devices that measure this biometric data date all the way back to the 1980's. They were used almost exclusively for security purposes.
  • Voice Recognition: Measures the sound waves in a person's voice. This technology has been used to verify a person's identity when calling to ask about their bank accounts. Amazon uses this biometric technology today when you give instructions to Alexa.
  • Fingerprint Scanner: This tech captures the unique valleys and ridges on an individual's finger. Some laptops and most smartphones use fingerprints to unlock screens or as a type of password.
  • Iris Recognition: Not widely used in the consumer market, but is used widely in security applications.(You see this type of biometric technology in spy movies all the time.) It identifies the patterns of a person's iris, which is the colored area surrounding the pupil of the eye.
  • Facial Recognition: Measures the patterns of an individual's face by analyzing and comparing facial contours. This type of biometric information is often used to unlock smartphones and laptops but is also used in law enforcement and security.

Washington State's Biometric Privacy Law

Washington State's Biometric Privacy Law

In 2017, the state of Washington enacted a biometric privacy law known as H.B. 1493 to safeguard its residents from organizations or individuals who would enter biometric information into a database without gaining consent, providing notice, or supplying a way to prevent the use of biometric data for commercial purposes.

TermsFeed is the world's leading generator of legal agreements for websites and apps.

This really is the most incredible service that most website owners should consider using.

Easy to generate custom policies in minutes & having the peace of mind & protection these policies can offer is priceless. Will definitely recommend it to others. Thank you.

- Bluesky's review for TermsFeed. Read all our testimonials here.

With TermsFeed, you can generate:

Data produced by automatic measurements of biological characteristics, such as voiceprints, fingerprints, eye retinas, irises, or other unique features or physical patterns used to identify a specific person, is defined as a "biometric identifier" under the law.

Most privacy advocates believe that Washington's law is much weaker and does not protect the state's residents nearly to the same degree as statutes in Illinois and Texas.

The reason for the advocates' belief is that H.B. 1493 excludes "physical or digital photographs, video or audio recording or data generated therefrom," and scans of facial geometry (e.g., facial recognition data) or records from its definition of biometric identifiers.

Moreover, the Washington privacy law also does not include specific health-related data that are processed according to 1996's Health Insurance Portability and Accountability Act (HIPAA).

Notice and Consent Requirements of H.B. 1493

To make it simple, the use of biometric identifiers in a commercial setting requires organizations to:

  • Provide notice to the individual
  • Obtain consent
  • Provide a mechanism to prevent subsequent use of the biometric identifier for commercial purposes

Interestingly, Washington's biometric privacy law doesn't even detail what kind of notice companies need to provide to state residents before "enrolling" (collecting and using) an individual's biometric identifiers. According to the law, "the exact notice and type of consent' is "context-dependent."

Further, the law gives businesses a lot of leeway by stating that when "enrolling" biometric data, any notice the company provides must simply be "reasonably designed to be readily available to affected individuals."

This is in stark contrast to Illinois' Biometric Information Privacy Act (BIPA), which demands that written notice and release must be acquired before an organization collects any biometric identifiers or information.

H.B. 1493 exempts organizations from the need to provide notice or gain consent if the use of an individual's biometric identifiers is related to a "security purpose" and fraud prevention.

The definition of "security purpose" is broad and vague, although it does cover misappropriation and theft, preventing shoplifting, and other purposes, which may advance an organization's overall security.

Additionally, H.B. 1493 provides exemptions for the use of biometric data in ways that clash with the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act. Law enforcement is also exempt.

Organizations will not need to gain consent before leasing or disclosing enrolled biometric data, or before selling that information if the lease, disclosure, or sale is:

  • Consistent with the demands of the biometric law
  • Made to respond or participate in the judicial process
  • Made to get ready for litigation
  • Made to third-parties who contractually promise that the biometric information will not be disclosed further or be enrolled in a database for commercial purposes that are not consistent with the law
  • Specifically authorized or required by a federal or state statute
  • Specifically authorized or required by a court order
  • Necessary to provide a service or product requested by, subscribed to, or specifically authorized by the individual
  • Necessary to administer, effect, complete, or enforce a financial transaction initiated, authorized, or requested by the individual and where the recipient keeps the confidentiality of the biometric identifier and does not disclose it further

Security and Retention Requirements

Security and Retention Requirements

The law requires that:

  • Organizations must take reasonable care to safeguard against the unauthorized acquisition of or access to biometric data
  • Organizations must ensure that they retain biometric information for no longer than they must to comply with the law, protect against criminal activity, liability, security threats, fraud, or to supply the service which the biometric identifier was enrolled for

No Private Right of Action

The law's requirements may only be enforced by Washington's Attorney General. H.B. 1493 doesn't create a private right of action.

Again, this is in stark contrast to Illinois' BIPA, where class action lawsuits have been filed against organizations.

Compliance with Washington's Biometric Privacy Law

Compliance with Washington's Biometric Privacy Law

Experts are increasingly suggesting that businesses adopt a comprehensive, common framework when it comes to complying with biometric privacy laws.

For instance, the Sans Institute, which is a cooperative research and education organization in the cyber and information security space, put out a research paper detailing how organizations can become compliant with the biometric privacy laws enacted in the United States.

The theory goes that by implementing solutions that will put them in compliance with the strictest of these laws, businesses will be in compliance with all (including Washington's) by default.

Speaking of strict, in February 2019 there were over 200 class actions filed under BIPA. Additionally, Google and Facebook have both faced lawsuits charging that they violated BIPA by tagging the faces of users in photographs and then making suggestions to link those faces to specific individuals.

David Todd, writing for the Sans Institute, suggests that businesses can avoid the penalties faced by the organizations listed in the class action lawsuits mentioned above by adopting the Institute's Biometric Compliance Framework.

There are some key takeaways that, if implemented, can put your business on the path to compliance in all states that have laws pertaining to biometric identifiers.

It's recommended that you:

  • Create a comprehensive, documented plan for your company.
  • Provide individuals with a thorough, written policy (such as a Privacy Policy). Make that policy publicly available. Ensure that it includes information on the specific purposes for which you'll be collecting biometric data. Detail in full how that information will be used. Cover how the data will be disclosed and to whom. State clearly how long the data will be used, kept, and stored.
  • Be completely transparent, in writing, as to when and how their biometric data will be destroyed.
  • Ensure that strict security protocols to protect an individual's biometric data are implemented.
  • Obtain explicit consent for the collection of an individual's biometric information.
  • Ensure that provisions are placed in vendor contracts to make sure they;re complying with existing laws. Additionally, ensure that you have the right to be notified if there is a suspected data breach.

Best Practices

It's a good bet that more states will begin passing their own biometric privacy laws as we near 2021. Indeed, as California moves to become a leader in the realm of privacy and data protection, and as the U.S. federal government begins to seriously take on the task of addressing national privacy legislation, businesses would do well to start taking a hard look at their overall privacy practices.

If trends continue, it will only become more difficult and more imperative for businesses to stay current and up-to-date with compliance efforts.

With that in mind, companies are encouraged to review and revise Privacy Policies and Terms and Conditions agreements to make sure they cover developments in existing privacy law as well as new biometric privacy laws.

William B.

William B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.