Washington’s new biometrics law softer on privacy protections than Illinois BIPA

Washington state has passed a new law governing the collection and use of consumers’ biometric information, which experts view as a more business-friendly version of the Illinois Biometric Information Privacy Act (BIPA) which could serve as the model for other state legislation, according to a report by Law 360.

The newly enacted law was first announced last month, making Washington the third state following Illinois and Texas to pass legislation regulating the commercial use of biometric identifiers.

The law enforces regulations for businesses that collect biometric data to disclose the manner in which they would use the information as well as provide notice to and obtain consent from the individual before using it.

Unlike its Illinois counterpart, Washington’s law omits controversial provisions that businesses say opens them up to increased legal liability, such as the consumer’s right to sue and holding companies accountable for collecting and using digital images and audio recordings.

“If you look at all the exclusions in the Washington bill, it doesn’t appear to be anywhere close to providing consumers with the type of privacy protections that the Illinois one does and seems to be a much more industry-friendly piece of legislation,” said Bradley S. Shear, managing partner of Shear Law LLC. “If I’m representing a company, I’d say let’s try to focus on the Washington state law because it provides us [with] greater flexibility, and let’s hope that bill becomes the standard across the country.”

The Illinois law allows residents to sue on claims of unlawful collection of biometric data, with $1,000 to $5,000 awarded in damages per violation.

As such, only the Washington state attorney general has the authority to enforce the biometrics law, which prevents consumers from being able to sue companies over violations, legal experts said.

Washington’s law also excludes the types of data and the methods of data collection that have triggered the majority of litigation under the Illinois bill, attorneys said.

The law defines “biometric identifier” as data “generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises or other unique biological patterns or characteristics that is used to identify a specific individual,” as well as excludes “a physical or digital photograph, video or audio recording or data generated therefrom, or information collected, used or stored for health care treatment, payment or operations under the federal Health Insurance Portability and Accountability Act.”

Under the Washington law, companies are given more flexibility in regards to their use of biometric data for noncommercial purposes than the Texas or Illinois laws, attorneys said.

Washington-based companies are not required opt-in consent in all cases for the collection, use and disclosure of biometric data.

“It appears that Washington is trying to have the best of all worlds, by protecting citizens from the sale and commercialization of biometric databases while at the same time not restricting businesses that are using the data for purposes such as enhancing security, which is becoming increasingly common due to the rise of two-factor authentication,” Sharon Klein, who chairs Pepper Hamilton LLP’s privacy, security and data protection practice, said.

Finally, the Washington law focuses on businesses that commercially “enroll” biometric identifiers into a database that matches it to a specific person, while the Illinois and Texas laws revolves around the isolated capture and use of individual biometric data components.

The more streamlined Washington state bill is likely to provide the emerging biometrics industry sufficient room to grow and innovate while enabling the attorney general to cut down on the more serious violations.

As a result, experts said the law is likely to appeal to the 47 states that currently do not have any biometric privacy regulation.

Article Topics

biometrics  |  BIPA  |  data protection  |  privacy