Effective July 23, 2017, Washington will join Illinois and Texas as the third U.S. state to impose statutory restrictions on how businesses collect, use, disclose and retain biometric information. House Bill 1493 applies to entities that “enroll a biometric identifier in a database for a commercial purpose” and includes requirements to provide notice to individuals and obtain their affirmative consent, both prior to enrollment and if the business seeks to sell, lease or otherwise disclose the identifier to a third party.
The new law does not prescribe the exact form of notice and consent, making clear those processes are “context-dependent,” and notably, there is no specific requirement that consent must be written. The law contains certain exceptions to the consent requirement with respect to disclosures, such as if disclosure is necessary to provide a service or product requested by the individual or if it is made to a third party that “contractually promises” that the biometric identifier will not be further disclosed or enrolled in a database inconsistent with the law.
Although this law is similar to those enacted in Illinois and Texas (in 2008 and 2009, respectively), there are some noteworthy differences:
- Like Texas, the Washington law does not provide a private right of action. In contrast, the Illinois Biometric Information Privacy Act includes a right of private action that has led to a proliferation of civil suits against companies alleged to have collected and used biometric identifiers (namely facial geometry) without first obtaining the requisite consent.
- Washington’s definition of biometric identifier differs somewhat from that in the other two laws. For example, it does not include “scan of hand or face geometry” as in the Illinois law, and it specifically excludes “physical or digital photographs” and “video or audio recordings,” which would seem to put “face geometry” out of scope. This is notable, as the bulk of the litigation surrounding the Illinois statute concerns alleged nonconsensual collection and use of “face geometry.”
- The Washington law restricts “enrollment” of biometric identifiers, a term which is specifically defined. This differs from the Illinois and Texas laws, which refer more generally to the “capture” or “collection” of such identifiers. To “enroll” a biometric identifier is to capture and convert it such that it can be used to identify a “specific individual.” This definition appears to account for the kind of fingerprint scanning technology familiar to any late-model iPhone user, whereby a mathematical representation of a fingerprint is derived from its image, but the image itself is not retained, nor can it be reconstructed by using the fingerprint’s mathematical representation. Under the Illinois and Texas laws, which do not address the conversion of biometric identifiers, it could potentially be argued that a fingerprint is not being “captured” at all when it is scanned for use with Touch ID, since only a mathematical representation of the fingerprint is retained. This interpretation would be precluded under the Washington law.
Like Illinois and Texas, Washington will require that companies take reasonable care to safeguard biometric identifiers from unauthorized access or acquisition, and companies may not retain identifiers longer than is reasonably necessary to (i) comply with a law or court order; (ii) protect against fraud, criminal activity or other security threats; or (iii) provide the intended services. There is no requirement in the Washington law to develop a written policy concerning data-handling practices with respect to biometric identifiers.
Washington may be only the third state to enact a biometric law of this nature, but other states have passed laws applicable to government collection and use of identifiers and the protection of minors’ identifiers, and several states, including Alaska, Massachusetts and New Hampshire, are considering similar commercial laws. Companies that currently collect and use biometric identifiers – or plan to do so in the future – should consider revisiting notice, consent, security and retention policies to stay ahead of the curve.