Examining the Likely Impact of Washington’s My Health, My Data Act on Class Action Litigation Involving Biometric Data

BakerHostetler

Introduction

On April 27, Washington Gov. Jay Inslee signed into law House Bill 1155, colloquially known as the My Health, My Data Act (the Act). Passed in response to the U.S. Supreme Court’s Dobbs v. Jackson decision, the Act concentrates on “consumer health data,” which is expressly defined to include biometric data. In this blog post, we examine the Act’s likely impact on class action litigation arising from the collection, storage and use of biometric data. (As explained in a prior blog post, the Act empowers consumers to pursue private litigation against a regulated entity for any violation of the Act that injures a person’s “business or property,” including but not limited to any biometrics-related violations.)

The Broad Scope of Biometric Data Under the Act

Under the Act’s plain text, biometric data is a broad term that encompasses biometric identifiers and other consumer information. First, the Act defines consumer health data as:

  • Personal information.
  • Information linked or “reasonably linkable” to a consumer.
  • Information that identifies a consumer’s past, present, or future physical or mental health status.

Next, the Act expressly includes biometric data within the meaning of physical or mental health status. More specifically, the Act defines biometric data as data that is generated from the measurement or technological processing of an individual’s physiological, biological or behavioral characteristics and that identifies a consumer, whether individually or in combination with other data.

This broad definition specifically includes imagery of the iris, retina, fingerprint, face, hand, palm and vein patterns, as well as voice recordings, from which an identifier template “can be” extracted. It also includes keystroke patterns or rhythms and gait patterns or rhythms that contain individually identifying information.

The definition of biometric data under the Act is broader than that of the preexisting Washington Biometric Privacy Protection Act, RCW 19.375 (WBPA), which exclusively protects certain biometric identifiers, namely data generated by automatic measurements of an individual’s biological characteristics, such as fingerprints, voiceprints, eye retinas or irises, or other unique biological patterns and characteristics used to identify a specific person. The WBPA also expressly excludes photographs, voice or audio recordings, and any data generated from those recordings, from the definition of biometric identifiers. And unlike the Act, the WBPA does not include a private right of action. It also does not require notice or consent in some circumstances, and it contains a broad security exception, exempting entities collecting biometric information for a “security purpose” (as explained below, the Act has a more detailed security exception).

While the definition of biometric data under the Act is clearly broader than WBPA biometric identifiers, the precise parameters of that definition have yet to be delineated. Absent further guidance from the Washington Legislature, the Act’s plain text indicates that the definition may have expansive reach. As for imagery from which an identifier template “can be” extracted, Washington courts also tend to liberally construe the statutory term “can be.”

To illustrate the various risks by way of example, photographs may contain data generated from the technological processing of someone’s face, i.e., a physiological or biological trait. Plaintiffs could allege that any photograph from which someone’s face can be scanned and identified qualifies as biometric data, or that any audio or video recording from which an individual can be identified based on some physiological, biological or behavioral characteristic likewise qualifies. For instance, a video recording revealing the relative heights, gaits or even movements of individuals could fall within the ambit of biometric data.

The definition of biometric data under the Act is even broader than that of the Illinois Biometric Information Privacy Act (BIPA), which, unlike the Act, contains a key limitation — biometric information that is not based on a qualifying BIPA biometric identifier, namely “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry,” is not covered by the act. For example, while a handwriting sample would not be covered by BIPA, a handwriting sample leading to health inferences about a consumer would likely qualify as biometric data under the Act. This statutory construction appears to reflect the Legislature’s intent to define consumer health and biometric data broadly.

Requirements for Collection and Use of Biometric Data Under the Act

Covered entities must comply with the following key requirements when collecting and using biometric data under the Act:

  • Provide notice of biometric data practices within a dedicated “consumer health data privacy policy,” which discloses (a) the categories of biometric data collected, the purpose of collection, and the intended use of the data; (b) the categories of sources from which the data is collected; (c) the categories of data shared; (d) a list of the categories of third parties and specific affiliates with which the covered entity shares the data; and (e) how consumers can withdraw consent from the future collection or sharing of their biometric data, among other rights enumerated below.
  • Obtain opt-in consent from the consumer for a specified purpose; otherwise, biometric data may only be collected to the extent necessary to provide a product or service that the consumer has specifically requested. To be effective, consent must be obtained through a “clear affirmative act” and not through acceptance of general or broad terms of use, ambiguous acts such as hovering over or closing a text box, or “deceptive designs.” The request for consent must also “clearly and conspicuously” disclose (a) the categories of biometric data collected or shared; (b) the purpose of collection or sharing, “including the specific ways in which it will be used”; (c) the categories of entities with which the data is shared; and (d) how the consumer can withdraw consent.
  • Do not share or sell biometric data except under very limited circumstances. By way of example, the Act prohibits sharing biometric data without obtaining separate consent, and prohibits selling the data without obtaining a specifically worded written authorization.
  • Allow consumers to (a) confirm whether a covered entity is collecting, sharing or selling their biometric data and to access such data (including a list of all third parties and affiliates with which such data has been shared or sold, as well as an “active email address or other online mechanism” that a consumer may use to contact those third parties); (b) withdraw consent; and (c) have their data deleted.

Risk of Biometric Class Actions Under the Act

The Act and BIPA share a key similarity — they can both be enforced through a wide-ranging private right of action (see prior blog post about significant risk of class actions under the Act, generally). Courts across the country have been inundated with BIPA class actions since 2015. Recent plaintiff-friendly decisions from the Illinois Supreme Court, such as Cothron v. White Castle (ruling that claims accrue with each reoccurring violation of the statute, as opposed to when biometric data is collected in the first instance), are likely to incentivize plaintiffs further.

The biometric data-related provisions in the Act are also likely to spur class actions, especially since the private right of action appears to broadly apply to any violation of the statute that injures a person’s “business or property.” Moreover, the complex yet rather uncertain definition of “biometric data” invites legal questions and issues that are likely to be decided in full-throated litigation, including but not limited to the questions of (a) under what circumstances biometric data is “reasonably linkable to a consumer,” (b) which “measurements” of “behavioral characteristics” may actually constitute biometric data, and (c) the contours and limits of what identifier templates “can be” extracted to sufficiently identify a consumer.

There are key distinctions between the Act and BIPA, however:

  • Statutory or liquidated damages are not available in private suits for a violation of the Act, and plaintiffs must allege injury to their “business or property.”
  • Data is considered “biometric” only if it “identifies a consumer,” who is limited to “a natural person who acts . . . in an individual or household context,” and excludes “an individual acting in an employment context.” The Act therefore likely does not apply to biometric data collected and used in (most) business-to-business or employment contexts.
  • The Act exempts certain security-related uses, like preventing, detecting and responding to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, and any illegal activities.

These distinctions are likely to foreclose the types of employment-related cases that have shaped the BIPA litigation landscape, such as cases involving biometric timekeeping.

Potential Steps to Mitigate Risk

Most sections of the Act will take effect on March 31, 2024 (and then on June 30, 2024, for “small business[es]”). Covered entities that collect, store or use biometric data should take concrete steps to mitigate litigation and regulatory risk under the Act, including but not limited to the following:

  • Evaluate data practices involving biometric data, as broadly defined in the Act, to determine if any implicate the Act’s biometric provisions.
  • Prepare the requisite biometric data privacy policies and consent mechanisms now, or determine whether adjustments are warranted to bring the activity out of scope.
  • Consider risk-mitigating contract provisions such as arbitration clauses and class action waivers (yet weigh the risk of a court finding that such limitations may be contrary to public policy or inconsistent with the private right of action allowed under the Act).
  • Develop and disclose data retention and disposal policies to customers. Note that the Act restricts processing (which includes storage) to that which is necessary to provide a consumer-requested product or service absent specific consumer consent.
  • Take steps to ensure biometric data is not sold to or shared with third parties without meeting the Act’s strict requirements.
  • Implement security controls, including internal access controls, for the protection of consumers’ biometric data, and ensure that company vendors provide at least the same level of data protection as that of the business, among other potential safeguards.
  • Review existing insurance policies for coverage assessments regarding a breach of biometric data or litigation arising from allegations of improper collection, use or retention of biometric data.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising
