Washington’s New Biometric Privacy Law: What Businesses Need to Know

by Davis Wright Tremaine LLP

With the rise in hackings and data breaches, companies and government agencies are looking for ways to protect their data that offer more security than passwords. Because passwords are easily lost, stolen, guessed, and cracked by hackers, companies are shifting to the use of biological characteristics that uniquely identify you, called biometric identifiers. For example, financial institutions and online retailers are developing ways to authenticate a purchase by requiring a user to take a selfie and smile, wink, or make another gesture. A stolen password could be easily reused, but faking a user’s arbitrary facial expression is more complicated.

But along with the strength of biometric identifiers come new risks. When hackers steal your password, you change it. But when hackers acquire your fingerprint or facial scan, you can’t change either. Indeed, biometric identifiers are often selected for their permanence. For example, many companies are investing in scanners that identify a person based on the pattern of veins in their fingertip, rather than their fingerprint. A person’s vascular identity is harder to forge than a fingerprint and it changes less over time.

Another new risk comes from the ability to collect biometric identifiers surreptitiously. When a website or company asks for your password, you actively decide whether or not to share it and know when you’ve done so. But some biometric identifiers can be collected from cameras or microphones without your knowledge or consent. As a result, more and more states are regulating the use and collection of biometric data.

New Regulation of Biometric Identifiers

In 2008, Illinois enacted a biometric privacy law, and Texas followed with its own in 2009. Today, Washington becomes the third state with an active biometric privacy law. The express purpose of the statute is to address increasing concern with the collection and marketing of biometric information without an individual’s consent or knowledge. The legislature therefore “intends to require a business that collects and can attribute biometric data to a specific uniquely identified individual to disclose how it uses that biometric data and provide notice to and obtain consent from an individual before enrolling or changing the use of that individual’s biometric identifiers in a database.”

Under the statute, a company (or individual) may not “enroll biometrics in a database for a commercial purpose without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of the biometrics for a commercial purpose.” The statute thus requires either notice, consent, or a mechanism to prevent the subsequent use of the biometrics for a commercial purpose. The exact notice and type of consent required is context-dependent and, thus, need not be written. This potentially allows brick-and-mortar businesses to obtain your consent orally or over the phone.

Under the statute, to “enroll” means to capture a biometric identifier of an individual, convert it into a template, and store it in a database that matches the biometric identifier to a specific individual. Thus, if an entity does not enroll biometric information in exactly this way, the statute does not impose its notice and consent requirements.

But, importantly, the statute regulates commercial use of biometrics. Namely, it imposes its requirements on entities only when they enroll biometric identifiers in a “commercial database” and prevents the subsequent use of the biometrics for a “commercial purpose.” The statute allows entities to use biometric identifiers for security purposes. Indeed, the statute broadly defines this as preventing shoplifting, fraud, or any other misappropriation or theft of a thing of value, including tangible and intangible goods, services, and other purposes in furtherance of protecting the security or integrity of software, accounts, applications, online services, or any person.

The statute defines “biometric identifier” as data generated by “automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual.” But the statute also expressly excludes “a physical or digital photograph, video or audio recording or data generated therefrom.” Depending on how courts interpret this exception, it would potentially exclude the speaker recognition technology financial institutions have been developing to automatically authenticate customers to their call centers. Likewise, this also potentially excludes the facial recognition technology social networking and photo storage websites use to automatically tag users in digital photographs.

In addition to the notice and consent requirements, the statute requires companies who possess a biometric identifier enrolled in a commercial database to take reasonable care to guard against unauthorized access to and acquisition of biometric identifiers. They may retain the biometric identifier no longer than is reasonably necessary in order to provide the services for which the biometric identifier was originally enrolled. But again, the statute allows the company to keep the biometric identifiers longer if done to protect against actual or potential fraud, criminal activity, claims, security threats, or liability. The statute also prevents companies from using or disclosing biometric identifiers in a manner that is materially inconsistent with the terms under which the biometric identifier was originally provided without obtaining consent for the new terms of use or disclosure.

When it comes to enforcement, the statute limits consumer options. Namely, it prevents a private lawsuit from being filed. Instead, it may be enforced solely by the attorney general under the Consumer Protection Act. In contrast, the Illinois biometric privacy law allows consumer suits and has generated numerous class action lawsuits around the country.

The protections and restrictions of Washington’s biometric privacy statute reflect a balancing of consumer privacy rights with the need for data security greater than that which traditional passwords provide. The statute thus attempts to prevent unwanted or undisclosed commercial use of biometric identifiers while allowing companies more freedom when using biometrics to protect the security of data or transactions.

What Businesses Need to Know About the Washington Statute

Washington’s biometric privacy law has some key differences from the Illinois and Texas statutes that may affect businesses. These differences may have the greatest impact on technology companies operating social networking and photo storage websites, as well as financial institutions using speaker identification software in call centers. Unlike Washington, both Illinois and Texas lack a carve-out for data generated from digital photographs and audio recordings. And, most importantly, the Illinois statute allows private entities to bring lawsuits to enforce the statute.

These differences reflect the way Washington and Illinois have each chosen to balance consumers’ privacy rights with the growing need to improve security and technology through use of biometrics. The Illinois statute more heavily weights consumer privacy, while the Washington statute gives companies greater freedom to use biometrics for security and in commerce.

Indeed, the more protective Illinois statute has recently spawned a string of class action lawsuits targeting social networking and photo storage websites for using facial recognition technology on digital photographs. Even where their user agreements say they should be governed by the laws of a different state, courts have found that Illinois law may still apply when those states have not expressed a policy interest in biometrics through their own statute.

A court may view Washington’s statute as a policy decision to exclude from regulation data generated from digital photographs and audio recordings. A court may also view the Washington statute as a policy decision that only the attorney general should be permitted to bring any lawsuits, even when companies use biometrics beyond facial or speaker recognition. Selecting Washington’s law as governing user agreements may therefore help companies avoid being subject to any private lawsuit, such as class actions, under the more protective Illinois statute.

Nonetheless, all companies intending to collect and use biometric identifiers must proceed carefully. It is difficult to predict with certainty which state’s law a court will apply. To minimize risk, companies should therefore consider ensuring compliance with Washington’s statute, along with Illinois and Texas, and staying vigilant as more biometric privacy laws come into effect.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Davis Wright Tremaine LLP | Attorney Advertising
