Washington’s New Biometric Privacy Law: What Businesses Need to Know
With the rise in hackings and data breaches, companies and government agencies are looking for ways to protect their data that offer more security than passwords. Because passwords are easily lost, stolen, guessed, and cracked by hackers, companies are shifting to the use of biological characteristics that uniquely identify you, called biometric identifiers. For example, financial institutions and online retailers are developing ways to authenticate a purchase by requiring a user to take a selfie and smile, wink, or make another gesture. A stolen password could be easily reused, but faking a user’s arbitrary facial expression is more complicated.
But along with the strength of biometric identifiers comes new risks. When hackers steal your password, you change it. But when hackers acquire your fingerprint or facial scan, you can’t change either. Indeed, biometric identifiers are often selected for their permanence. For example, many companies are investing in scanners that identify a person based on the pattern of veins in their fingertip, rather than their fingerprint. A person’s vascular identity is harder to forge than a fingerprint and it changes less over time.
Another new risk comes from the ability to collect biometric identifiers surreptitiously. When a website or company asks for your password, you actively decide whether or not to share it and know when you’ve done so. But some biometric identifiers can be collected from cameras or microphones without your knowledge or consent. As a result, more and more states are regulating the use and collection of biometric data.
New Regulation of Biometric Identifiers
In 2008, Illinois enacted a biometric privacy law, and Texas followed with its own in 2009. Today, Washington becomes the third state with an active biometric privacy law. The express purpose of the statute is to address increasing concern with the collection and marketing of biometric information without an individual’s consent or knowledge. The legislature therefore “intends to require a business that collects and can attribute biometric data to a specific uniquely identified individual to disclose how it uses that biometric data and provide notice to and obtain consent from an individual before enrolling or changing the use of that individual’s biometric identifiers in a database.”
Under the statute, a company (or individual) may not “enroll biometrics in a database for a commercial purpose without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of the biometrics for a commercial purpose.” The statute thus requires either notice, consent, or a mechanism to prevent the subsequent use of the biometrics for a commercial purpose. The exact notice and type of consent required is context-dependent and, thus, need not be written. This potentially allows brick and mortar business to obtain your consent orally or over the phone.
Under the statute, to “enroll” means to capture a biometric identifier of an individual, convert it into a template, and store it in a database that matches the biometric identifier to a specific individual. Thus, if an entity does not enroll biometric information in exactly this way, the statute does not impose its notice and consent requirements.
But, importantly, the statute regulates commercial use of biometrics. Namely, it imposes its requirements on entities only when they enroll biometric identifiers in a “commercial database” and prevents the subsequent use of the biometrics for a “commercial purpose.” The statute allows entities to use biometric identifiers for security purposes. Indeed, the statute broadly defines this as preventing shoplifting, fraud, or any other misappropriation or theft of a thing of value, including tangible and intangible goods, services, and other purposes in furtherance of protecting the security or integrity of software, accounts, applications, online services, or any person.
The statute defines “biometric identifier” as data generated by “automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual.” But the statute also expressly excludes “a physical or digital photograph, video or audio recording or data generated therefrom.” Depending on how courts interpret this exception, it would potentially exclude the speaker recognition technology financial institutions have been developing to automatically authentic customers to their call centers. Likewise, this also potentially excludes the facial recognition technology social networking and photo storage websites use to automatically tag users in digital photographs.
In addition to the notice and consent requirements, the statute requires companies who possess a biometric identifier enrolled in a commercial database to take reasonable care to guard against unauthorized access to and acquisition of biometric identifiers. They may retain the biometric identifier no longer than is reasonably necessary in order to provide the services for which the biometric identifier was originally enrolled. But again, the statute allows the company to keep the biometric identifiers longer if done to protect against actual or potential fraud, criminal activity, claims, security threats, or liability. The statute also prevents companies from using or disclosing biometric identifiers in a manner that is materially inconsistent with the terms under which the biometric identifier was originally provided without obtaining consent for the new terms of use or disclosure.
When it comes to enforcement, the statute limits consumer options. Namely, it prevents a private lawsuit from being filed. Instead, it may be enforced solely by the attorney general under the Consumer Protection Act. In contrast, the Illinois biometric privacy law allows consumer suits and has generated numerous class action lawsuits around the country.
The protections and restrictions of Washington’s biometric privacy statute reflect a balancing of consumer privacy rights with the need for data security greater than those traditional passwords provide. The statute thus attempts to prevent unwanted or undisclosed commercial use of biometric identifiers while allowing companies more freedom when using biometrics to protect security data or transactions.
What Businesses Need to Know About the Washington Statute
Washington’s biometric privacy law has some key differences with the Illinois and Texas statutes that may affect businesses. These differences may have the greatest impact on technology companies operating social networking and photo storage websites, as well as financial institutions using speaker identification software in call centers. Unlike Washington, both Illinois and Texas lack a carve-out for data generated from digital photographs and audio recordings. And, most importantly, the Illinois statute allows private entities to bring lawsuits to enforce the statute.
These differences reflect the way Washington and Illinois have each chosen to balance consumer’s privacy rights with the growing need to improve security and technology through use of biometrics. The Illinois statute more heavily weights consumer privacy while the Washington statute gives companies greater freedom to use biometrics for security and in commerce.
Indeed, the more protective Illinois statute has recently spawned a string of class action lawsuits targeting social networking and photo storage websites for using facial recognition technology on digital photographs. Even where their user agreements say they should be governed by the laws of a different state, courts have found that Illinois law may still apply when those states have not expressed a policy interest in biometrics through their own statute.
A court may view Washington’s statute as a policy decision to exclude from regulation data generated from digital photographs and audio recordings. A court may also view the Washington statute as a policy decision that only the attorney general should be permitted to bring any lawsuits, even when companies use biometrics beyond facial or speaker recognition. Selecting Washington’s law as governing user agreements may therefore help companies avoid being subject to any private lawsuit, such as class actions, under the more protective Illinois statute.
Nonetheless, all companies intending to collect and use biometric identifiers must proceed carefully. It is difficult to predict with certainty which state’s law a court will apply. To minimize risk, companies should therefore consider ensuring compliance with Washington’s statute, along with Illinois and Texas, and staying vigilant as more biometric privacy laws come into effect.