In this article, we'll be taking a look specifically at the Washington Biometric Privacy Law (H.B. 1493), Washington state's effort at protecting the biometric data of its residents and what you need to do to comply.
- 1. What is Biometric Data?
- 1.1. What are Specific Biometric Data Types?
- 2. What is the Washington Biometric Privacy Law (H.B. 1493)?
- 2.1. What are the Notice and Consent Requirements of the Washington Biometric Privacy Law (H.B. 1493)?
- 2.2. Are There Exceptions to Notice and Consent Requirements of the Washington Biometric Privacy Law (H.B. 1493)?
- 2.3. What are the Security and Retention Requirements of the Washington Biometric Privacy Law (H.B. 1493)?
- 2.4. Does the Washington Biometric Privacy Law (H.B. 1493) Create a Private Right of Action?
- 3. How Do You Comply with the Washington Biometric Privacy Law (H.B. 1493)?
- 4. Summary
What is Biometric Data?
Biometric data is data related to personal, unique information such as your fingerprints, retinal scans, and scans of face and hand geometry. Each of these is now used regularly for identification and authentication. For instance, facial and finger biometric recognition is commonly used to authenticate credit card transactions or to login to a smartphone.
What are Specific Biometric Data Types?
- Behavioral Characteristics: The way you interact with computer systems, such as your gait, the way you use your mouse, your handwriting, your keystroke rhythm and other movements. These are used to judge how familiar you are with the data you are entering or to assess who you are.
- Hand Geometry: Measures and records the thickness, width, length, and surface area of your hand. Devices that measure this biometric data date back to the 1980s and were used almost exclusively for security purposes.
- Voice Recognition: Measures the sound waves in a person's voice. This technology has been used to verify a person's identity when calling to ask about their bank accounts. Amazon uses this biometric technology today when you give instructions to Alexa.
- Fingerprint Scanner: This tech captures the unique valleys and ridges on an individual's finger. Some laptops and most smartphones use fingerprints to unlock screens or as a type of password.
- Iris Recognition: Not widely used in the consumer market, but used widely in security applications. (You see this type of biometric technology in spy movies all the time.) It identifies the patterns of a person's iris, which is the colored area surrounding the pupil of the eye.
- Facial Recognition: Measures the patterns of an individual's face by analyzing and comparing facial contours. This type of biometric information is often used to unlock smartphones and laptops but is also used in law enforcement and security.
What is the Washington Biometric Privacy Law (H.B. 1493)?
In 2017, the state of Washington enacted a biometric privacy law known as H.B. 1493 to safeguard its residents from organizations or individuals who would enter biometric information into a database without gaining consent, providing notice, or supplying a way to prevent the use of biometric data for commercial purposes.
Data produced by automatic measurements of biological characteristics, such as voiceprints, fingerprints, eye retinas, irises, or other unique features or physical patterns used to identify a specific person, is defined as a "biometric identifier" under the law.
Most privacy advocates believe that Washington's law is much weaker and does not protect the state's residents nearly to the same degree as statutes in Illinois and Texas.
The reason for the advocates' belief is that Washington's Biometric Privacy Law (H.B. 1493) excludes "physical or digital photographs, video or audio recording or data generated therefrom," and scans of facial geometry (e.g., facial recognition data) or records from its definition of biometric identifiers.
Moreover, the Washington Biometric Privacy Law (H.B. 1493) does not include specific health-related data that are processed according to 1996's Health Insurance Portability and Accountability Act (HIPAA).
What are the Notice and Consent Requirements of the Washington Biometric Privacy Law (H.B. 1493)?
To make it simple, the use of biometric identifiers in a commercial setting requires organizations to:
- Provide notice to the individual
- Obtain consent
- Provide a mechanism to prevent subsequent use of the biometric identifier for commercial purposes
Interestingly, Washington's biometric privacy law doesn't even detail what kind of notice companies need to provide to state residents before "enrolling" (collecting and using) an individual's biometric identifiers. According to the law, "the exact notice and type of consent" is "context-dependent."
A general type of notice, placed in your privacy policy, is one option.
Typically, consent is requested at the time data is collected, so requesting permission to collect and use biometric data at the moment it's collected would make sense in context.
A best practice is to request consent to use data for a specific purpose at the time it's created, for example when an email address is collected for email marketing purposes or to create an account.
You can use "I Agree" checkboxes to obtain consent under most privacy laws.
Further, the law gives businesses a lot of leeway by stating that when "enrolling" biometric data, any notice the company provides must simply be "reasonably designed to be readily available to affected individuals."
This is in stark contrast to Illinois' Biometric Information Privacy Act (BIPA), which demands that written notice and release must be acquired before an organization collects any biometric identifiers or information.
Are There Exceptions to Notice and Consent Requirements of the Washington Biometric Privacy Law (H.B. 1493)?
The Washington Biometric Privacy Law (H.B. 1493) exempts organizations from the need to provide notice or gain consent if the use of an individual's biometric identifiers is related to a "security purpose" and fraud prevention.
The definition of "security purpose" is broad and vague, although it does cover misappropriation and theft, preventing shoplifting, and other purposes that may advance an organization's overall security.
Additionally, the Washington Biometric Privacy Law (H.B. 1493) provides exemptions for the use of biometric data in ways that clash with the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act. Law enforcement is also exempt.
Organizations will not need to gain consent before leasing or disclosing enrolled biometric data, or before selling that information if the lease, disclosure, or sale is:
- Consistent with the demands of the biometric law
- Made to respond or participate in the judicial process
- Made to get ready for litigation
- Made to third-parties who contractually promise that the biometric information will not be disclosed further or be enrolled in a database for commercial purposes that are not consistent with the law
- Specifically authorized or required by a federal or state statute
- Specifically authorized or required by a court order
- Necessary to provide a service or product requested by, subscribed to, or specifically authorized by the individual
- Necessary to administer, effect, complete, or enforce a financial transaction initiated, authorized, or requested by the individual and where the recipient keeps the confidentiality of the biometric identifier and does not disclose it further
What are the Security and Retention Requirements of the Washington Biometric Privacy Law (H.B. 1493)?
The law requires that:
- Organizations must take reasonable care to safeguard against the unauthorized acquisition of or access to biometric data
- Organizations must retain biometric information for no longer than is necessary to comply with the law; to protect against criminal activity, liability, security threats, or fraud; or to supply the service for which the biometric identifier was enrolled
The security clause in your privacy policy doesn't have to be detailed or specific. What matters is that you state that you take security seriously; a more general clause will work as well.
Does the Washington Biometric Privacy Law (H.B. 1493) Create a Private Right of Action?
The Washington Biometric Privacy Law (H.B. 1493) doesn't create a private right of action.
The law's requirements may only be enforced by Washington's Attorney General.
Again, this is in stark contrast to Illinois' BIPA, where class action lawsuits have been filed against organizations.
How Do You Comply with the Washington Biometric Privacy Law (H.B. 1493)?
Experts are increasingly suggesting that businesses adopt a comprehensive, common framework when it comes to complying with biometric privacy laws.
For instance, the SANS Institute, a cooperative research and education organization in the cyber and information security space, put out a research paper detailing how organizations can become compliant with the biometric privacy laws enacted in the United States.
The theory goes that by implementing solutions that will put them in compliance with the strictest of these laws, businesses will be in compliance with all (including Washington's) by default.
It's recommended that you:
- Create a comprehensive, documented plan for your company.
- Be completely transparent, in writing, as to when and how individuals' biometric data will be destroyed.
- Ensure that strict security protocols to protect an individual's biometric data are implemented.
- Obtain explicit consent for the collection of an individual's biometric information.
- Ensure that provisions are placed in vendor contracts to make sure they're complying with existing laws. Additionally, ensure that you have the right to be notified if there is a suspected data breach.