Washington has become the third state to pass biometrics privacy law
Following in the footsteps of Illinois and Texas, the state of Washington has become the third state to pass legislation regulating the commercial use of biometric identifiers, according to a report by Lexology.
Governor of the State of Washington, Jay Inslee, recently signed into law House Bill 1493, which will become effective on July 23.
Illinois previously enacted the Illinois Biometric Information Privacy Act (BIPA) while Texas passed the Texas Statute on the Capture or Use of Biometric Identifier.
According to H.B. 1493, “biometric identifier” is defined as data created by automatic measurements of a person’s biological characteristics, including a fingerprint, voiceprint, eye retinas, irises or other unique biological patterns or characteristics that are used to identify a person.
Unlike its Illinois and Texas legislative counterparts, H.B. 1493’s definition of “biometric identifier” does not include a record or scan of face geometry or facial recognition data.
Although it is still unclear whether the law excludes this practice, the omission may be a response to recent lawsuits against Google, Facebook and Shutterfly involving scans of face geometry.
In addition, the definition also clearly omits “physical or digital photographs, video or audio recording or data generated therefrom,” and specific health-related data processed in conformance to the Health Insurance Portability and Accountability Act of 1996.
Similar to the Illinois and Texas statutes, H.B.1493 states that a person may not “enroll” a biometric identifier in a database for a commercial purpose without initially notifying the person, acquiring the individual’s consent or providing a way for the person to opt out of the enrollment.
Unlike the two statutes, which broadly regulate the capture or collection of biometric identifiers, Washington’s law only covers those individuals that “enroll” biometric identifiers by capturing the data, converting it into a reference template that cannot be restored back to the original output image, and storing it in a database that matches the biometric identifier to a specific person.
In addition, H.B. 1493 contains a broad “security exception,” exempting those individuals that collect, capture, enroll or store biometric identifiers in aiding a “security purpose.”
H.B. 1493 also has data security and retention requirements, including reasonable care to protect against unauthorized access to and acquisition of biometric identifiers; and retention of biometric identifiers for no longer than necessary to comply with the law, protect against fraud, criminal activity, security threats or liability, or to provide the service for which the biometric identifier was enrolled.
The statute only gives the Washington Attorney General the right to enforce the requirements, preventing lawsuits from individual plaintiffs. So far, the Illinois biometric law is the only state biometric statute that includes a private right of action.
Reported last month, five states across the nation are looking to adopt Illinois’ biometrics privacy law as more organizations deploy biometric technology in various applications, and as the courts continue to figure out the potentially costly effects of the law’s mandates on businesses.