Guide to the Washington Biometric Privacy Protection Act (House Bill 1493)

What Is the Washington Biometric Privacy Protection Act (House Bill 1493)?

Passed in May 2017, House Bill 1493 sets forth requirements on businesses that collect and use biometric information for commercial purposes. It prohibits any “person” from “enrolling” a biometric identifier in a database for a commercial purpose without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose. It also places restrictions on the sale, lease, and other disclosure of enrolled biometric identifiers.

How Does the Washington Biometric Privacy Protection Act Define “Biometric Identifier”?

H.B. 1493 defines “biometric identifier” as data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual. The law does not specifically provide for a “scan of hand or face geometry”. It specifically excludes “physical or digital photograph, video or audio recording or data generated therefrom.”

The law regulates the “enrolling” of biometric identifiers in a database. Enrolling is defined as an activity “to capture a biometric identifier of an individual, convert it into a reference template that cannot be reconstructed into the original output image, and store it in a database that matches the biometric identifier to a specific individual.”

What Businesses Are Covered Under the Washington Biometric Privacy Protection Act?

The law applies to all individuals and non-government entities that collect, use, and retain “biometric identifiers” as defined in the statute. However, H.B. 1493 exempts persons that collect, capture, enroll, or store biometric identifiers in furtherance of a “security purpose.”

Key Requirements For Businesses Subject to H.B. 1493

  • Businesses must give a subject notice prior to collecting their biometric information.
  • A person who enrolls a biometric identifier for a commercial purpose, or obtains a biometric identifier from a third party for a commercial purpose, may not use or disclose it in a manner that is materially inconsistent with the terms under which the biometric identifier was originally provided without obtaining consent for the new use or disclosure.
  • Businesses must maintain safeguards to protect biometric information in their possession, and must ensure that protective measures for biometric information are the same as or more protective than the manner in which they protect other confidential and sensitive information.
  • Unless consent has been obtained, a person who has enrolled an individual’s biometric identifier may not sell, lease, or otherwise disclose the biometric identifier to another person for a commercial purpose unless one of certain enumerated statutory exceptions applies, including:
      (1) where necessary to provide a product or service requested by the individual; or
      (2) where disclosed to a third party who contractually promises that the biometric identifier will not be further disclosed and will not be enrolled in a database for a commercial purpose that is inconsistent with the notice and consent provided.

Who Enforces H.B. 1493 and What Are the Penalties for Non-Compliance?

The law does not allow for a private right of action. The law is enforced by the Washington state attorney general. Since the law has only been in effect since 2017, specific details on penalties for non-compliance remain to be seen.

Washington Biometric Privacy Protection Act: Frequently Asked Questions

Biometric data under the Washington Biometric Privacy Protection Act includes unique physical or behavioral characteristics that can be used to identify an individual. This includes fingerprints, facial recognition data, retina or iris scans, voiceprints, and other similar identifiers. The Act specifically excludes information derived from items or procedures such as photographs, writing samples, demographic data, or any physical or digital representations of biometric data that cannot be used alone to identify a person.

Any private entity operating in Washington State that collects, uses, stores, or shares biometric data must comply with the Washington Biometric Privacy Protection Act. This includes businesses, organizations, and other non-governmental entities. Government agencies are generally exempt from the requirements of this Act.

Under the Washington Biometric Privacy Protection Act, businesses must obtain explicit, informed consent from individuals before collecting or storing their biometric data. The consent must detail the purpose of the data collection, how it will be used, and the duration for which it will be retained. The consent must be obtained before any data is collected, and it must be documented in a manner that can be easily accessed if required.

The Washington Biometric Privacy Protection Act mandates that businesses implement reasonable security measures to protect biometric data from unauthorized access, use, or disclosure. This includes encryption, access controls, and regular security audits. Businesses must also destroy biometric data within a reasonable time frame once it has served its purpose or within three years of the individual’s last interaction with the business, whichever is earlier.

Yes, the Washington Biometric Privacy Protection Act strictly prohibits the sale or disclosure of biometric data to third parties without the individual’s explicit consent. The law also restricts sharing biometric data unless it is necessary to complete a transaction, provide a service requested by the individual, comply with a legal obligation, or under certain conditions with the individual’s knowledge and consent.

Violations of the Washington Biometric Privacy Protection Act can result in significant legal and financial penalties. Individuals have the right to file lawsuits against entities that violate the Act, with potential damages including attorney fees, court costs, and monetary compensation for each violation. Additionally, businesses may face injunctive relief, compelling them to cease violating activities.

The Washington Biometric Privacy Protection Act is similar to Illinois’ Biometric Information Privacy Act (BIPA) in that both laws require informed consent and impose strict regulations on the handling of biometric data. However, the Washington Biometric Privacy Protection Act includes specific provisions related to the retention and destruction of data and provides clearer guidelines on security measures. Both Acts allow for private rights of action, meaning individuals can sue for damages resulting from violations, although the Washington Biometric Privacy Protection Act treats a violation of the Act as an unfair or deceptive act under the Washington Consumer Protection Act (CPA).

To comply with the Washington Biometric Privacy Protection Act, businesses should:

  • Implement a comprehensive biometric data policy
  • Obtain explicit consent before collecting biometric data
  • Ensure robust security measures are in place for storing and handling biometric data
  • Regularly audit and update data protection practices
  • Train employees on compliance with the Washington Biometric Privacy Protection Act
  • Develop procedures for securely destroying biometric data within the required time frame

Yes, under the Washington Biometric Privacy Protection Act, individuals have the right to request the deletion of their biometric data. Businesses must comply with such requests within a reasonable timeframe unless the data is required to be retained by law or for other legitimate business purposes as outlined during the consent process.

Hyperproof makes meeting Washington Biometric Privacy Protection Act requirements simple

  • Quickly implement Washington Biometric Privacy Protection Act requirements by using Hyperproof to centrally manage risks, automate risk workflows, and track risk posture over time
  • Centralize the collection and visualization of biometric data risks
  • Kickstart your compliance efforts with Hyperproof’s out-of-the-box Washington Biometric Privacy Protection Act framework template
  • Map overlapping controls from other frameworks to streamline your compliance work
  • Efficiently collect and document evidence to support your compliance efforts
  • Track your progress towards compliance with a robust, exportable dashboard
