Last updated on 25 August 2022 by William Blesch (Legal and data protection research writer at TermsFeed)
Exponential leaps forward in technological advancement have brought companies to the point that they are rapidly unlocking shocking and, to some, frightening ways to use biometric data.
Although proponents tout the many benefits, especially to the security sector and law enforcement, there is a risk. Critics decry the dangers inherent in who controls that data, how that data is used, and how it could lead to the violation of civil liberties, the likes of which the world has never seen.
Yet, just as there was a move to pass comprehensive privacy legislation regarding data processing and security over the past few years (especially in an online environment), privacy and civil liberties advocates have also pushed lawmakers to curb the potential abuse of biometric data.
In this article, we'll be taking a look specifically at H.B. 1493, Washington state's effort at protecting the biometric data of its residents. Before we get to that, though, let's take a look at what biometric data usually encompasses.
Biometric information is by and large composed of such things as voiceprints, fingerprints, retinal scans, and scans of face and hand geometry. Each of these is now used regularly for identification and authentication. For instance, facial and fingerprint biometric recognition is commonly used to authenticate credit card transactions or to log in to a smartphone.
Commercial settings also use biometric information in other ways. A few examples might be using bio-data to make boarding more efficient at airports, authenticating user IDs for mobile and computer logins, tracking an employee's attendance, and verifying passenger identities.
To make that more personal, think of the following:
If you own an iPhone, every time you ask Siri to give you a weather update, unlock your phone with facial recognition, or get into your bank account by using your fingerprint, you are using biometrics to access these features.
Consider also the uses to which law enforcement can put biometric data. For instance, the police may collect fingerprints and DNA at a crime scene. They might use video or audio footage to analyze someone's face, voice, or the way someone walks.
When it comes to healthcare, there may be genetic tests, retinal scans, and more.
Yet, consider the inherent danger if that data is stolen. Arguably, the theft of biometric information could be more of an issue than when personal data of other types is stolen. If biometric data is compromised, there is no way to restore its use as a security and authentication mechanism.
In 2017, the state of Washington enacted a biometric privacy law known as H.B. 1493 to safeguard its residents from organizations or individuals who would enter biometric information into a database without gaining consent, providing notice, or supplying a way to prevent the use of biometric data for commercial purposes.
Data produced by automatic measurements of biological characteristics, such as voiceprints, fingerprints, eye retinas, irises, or other unique features or physical patterns used to identify a specific person, is defined as a "biometric identifier" under the law.
Most privacy advocates believe that Washington's law is much weaker and does not protect the state's residents nearly to the same degree as statutes in Illinois and Texas.
The reason for the advocates' belief is that H.B. 1493 excludes "physical or digital photographs, video or audio recording or data generated therefrom," and scans of facial geometry (e.g., facial recognition data) or records from its definition of biometric identifiers.
Moreover, the Washington privacy law also does not include specific health-related data that are processed according to 1996's Health Insurance Portability and Accountability Act (HIPAA).
To make it simple, the use of biometric identifiers in a commercial setting requires organizations to:
Interestingly, Washington's biometric privacy law doesn't even detail what kind of notice companies need to provide to state residents before "enrolling" (collecting and using) an individual's biometric identifiers. According to the law, "the exact notice and type of consent" is "context-dependent."
Further, the law gives businesses a lot of leeway by stating that when "enrolling" biometric data, any notice the company provides must simply be "reasonably designed to be readily available to affected individuals."
This is in stark contrast to Illinois' Biometric Information Privacy Act (BIPA), which demands that written notice and release must be acquired before an organization collects any biometric identifiers or information.
H.B. 1493 exempts organizations from the need to provide notice or gain consent if the use of an individual's biometric identifiers is related to a "security purpose" and fraud prevention.
The definition of "security purpose" is broad and vague, although it does cover misappropriation and theft, preventing shoplifting, and other purposes, which may advance an organization's overall security.
Additionally, H.B. 1493 provides exemptions for the use of biometric data in ways that clash with the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act. Law enforcement is also exempt.
Organizations will not need to gain consent before leasing or disclosing enrolled biometric data, or before selling that information if the lease, disclosure, or sale is:
The law requires that:
The law's requirements may only be enforced by Washington's Attorney General. H.B. 1493 doesn't create a private right of action.
Again, this is in stark contrast to Illinois' BIPA, where class action lawsuits have been filed against organizations.
Experts are increasingly suggesting that businesses adopt a comprehensive, common framework when it comes to complying with biometric privacy laws.
For instance, the SANS Institute, which is a cooperative research and education organization in the cyber and information security space, put out a research paper detailing how organizations can become compliant with the biometric privacy laws enacted in the United States.
The theory goes that by implementing solutions that will put them in compliance with the strictest of these laws, businesses will be in compliance with all (including Washington's) by default.
Speaking of strict, in February 2019 there were over 200 class actions filed under BIPA. Additionally, Google and Facebook have both faced lawsuits charging that they violated BIPA by tagging the faces of users in photographs and then making suggestions to link those faces to specific individuals.
David Todd, writing for the SANS Institute, suggests that businesses can avoid the penalties faced by the organizations named in the class action lawsuits mentioned above by adopting the Institute's Biometric Compliance Framework.
There are some key takeaways that, if implemented, can put your business on the path to compliance in all states that have laws pertaining to biometric identifiers.
It's recommended that you:
It's a good bet that more states will begin passing their own biometric privacy laws as we near 2021. Indeed, as California moves to become a leader in the realm of privacy and data protection, and as the U.S. federal government begins to seriously take on the task of addressing national privacy legislation, businesses would do well to start taking a hard look at their overall privacy practices.
If trends continue, it will only become more difficult and more imperative for businesses to stay current and up-to-date with compliance efforts.
With that in mind, companies are encouraged to review and revise Privacy Policies and Terms and Conditions agreements to make sure they cover developments in existing privacy law as well as new biometric privacy laws.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.