Washington Biometric Privacy Protection Act (House Bill 1493)
Passed in May 2017, House Bill 1493 sets forth requirements on businesses that collect and use biometric information for commercial purposes. It prohibits any “person” from “enrolling” a biometric identifier in a database for a commercial purpose without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose. It also places restrictions on the sale, lease, and other disclosure of enrolled biometric identifiers.
How Does the Washington Biometric Privacy Protection Act Define “Biometric Identifier”?
H.B. 1493 defines “biometric identifier” as data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual. The law does not specifically provide for a “scan of hand or face geometry”. It specifically excludes “physical or digital photograph, video or audio recording or data generated therefrom.”
The law regulates the “enrolling” of biometric identifiers in a database. Enrolling is defined as an activity “to capture a biometric identifier of an individual, convert it into a reference template that cannot be reconstructed into the original output image, and store it in a database that matches the biometric identifier to a specific individual.”
What Businesses Are Covered Under the Washington Biometric Privacy Protection Act?
Key Requirements For Businesses Subject to H.B. 1493
Businesses must give a subject notice prior to collecting their biometric information.
A person who enrolls a biometric identifier for a commercial purpose or obtains a biometric identifier from a third party for a commercial purpose may not use or disclose it in a manner that is materially inconsistent with the terms under which the biometric identifier was originally provided without obtaining consent for the new use or disclosure.
Unless consent has been obtained, a person who has enrolled an individual’s biometric identifier may not sell, lease, or otherwise disclose the biometric identifier to another person for a commercial purpose unless one of certain enumerated statutory exceptions applies, including:
- (1) where necessary to provide a product or service requested by the individual; or
- (2) where disclosed to a third party who contractually promises that the biometric identifier will not be further disclosed and will not be enrolled in a database for a commercial purpose that is inconsistent with the notice and consent provided.
Maintain safeguards to protect biometric information in an entity’s possession; ensure that protective measures for biometric information are the same or more protective than the manner in which the entity protects other confidential and sensitive information