In this article, we'll be taking a look specifically at the Washington Biometric Privacy Law (H.B. 1493), Washington state's effort at protecting the biometric data of its residents and what you need to do to comply.

What is Biometric Data?

Biometric data is data derived from personal, unique physical or behavioral traits such as your fingerprints, retinal scans, and scans of face and hand geometry. Each of these is now used regularly for identification and authentication. For instance, facial and fingerprint recognition is commonly used to authenticate credit card transactions or to log in to a smartphone.

What are Specific Biometric Data Types?

  • Behavior Characteristics: The way you interact with computer systems, such as the way you walk, the way you move your mouse, your handwriting, your keystroke rhythm, and other movements. These patterns are used to assess how familiar you are with the data you are entering or to identify who you are.
  • Hand Geometry: Measures and records the thickness, width, length, and surface area of your hand. Devices that measure this biometric data date all the way back to the 1980s. They were used almost exclusively for security purposes.
  • Voice Recognition: Measures the sound waves in a person's voice. This technology has been used to verify a person's identity when calling to ask about their bank accounts. Amazon uses this biometric technology today when you give instructions to Alexa.
  • Fingerprint Scanner: This tech captures the unique valleys and ridges on an individual's finger. Some laptops and most smartphones use fingerprints to unlock screens or as a type of password.
  • Iris Recognition: Not widely used in the consumer market, but used widely in security applications. (You see this type of biometric technology in spy movies all the time.) It identifies the patterns of a person's iris, which is the colored area surrounding the pupil of the eye.
  • Facial Recognition: Measures the patterns of an individual's face by analyzing and comparing facial contours. This type of biometric information is often used to unlock smartphones and laptops but is also used in law enforcement and security.

What is the Washington Biometric Privacy Law (H.B. 1493)?

In 2017, the state of Washington enacted a biometric privacy law known as H.B. 1493 to safeguard its residents from organizations or individuals who would enter biometric information into a database without gaining consent, providing notice, or supplying a way to prevent the use of biometric data for commercial purposes.

Data produced by automatic measurements of biological characteristics, such as voiceprints, fingerprints, eye retinas, irises, or other unique features or physical patterns used to identify a specific person, is defined as a "biometric identifier" under the law.

Most privacy advocates believe that Washington's law is much weaker and does not protect the state's residents nearly to the same degree as statutes in Illinois and Texas.

The reason for the advocates' belief is that Washington's Biometric Privacy Law (H.B. 1493) excludes "physical or digital photographs, video or audio recording or data generated therefrom," and scans of facial geometry (e.g., facial recognition data) or records from its definition of biometric identifiers.

Moreover, the Washington Biometric Privacy Law (H.B. 1493) does not include specific health-related data that are processed according to 1996's Health Insurance Portability and Accountability Act (HIPAA).

To make it simple, the use of biometric identifiers in a commercial setting requires organizations to:

  • Provide notice to the individual
  • Obtain consent
  • Provide a mechanism to prevent subsequent use of the biometric identifier for commercial purposes

Interestingly, Washington's biometric privacy law doesn't even detail what kind of notice companies need to provide to state residents before "enrolling" (collecting and using) an individual's biometric identifiers. According to the law, "the exact notice and type of consent" is "context-dependent."

Here's an example of a general type of notice:

ExamSoft Notice of Collection of Biometric Data and Consent - Notice section

Typically, consent is requested at the time data is collected, so requesting permission to collect and use biometric data at the time it's collected would make sense in context, as seen here:

Generic biometric notice at collection

Here's another example:

ExamSoft Notice of Collection of Biometric Data and Consent - Consent section

Here's a best practice way of requesting consent to use data for a specific purpose at the time it's created, such as an email address for email marketing purposes, or to create an account:

IDP Education Create Account form with Agree checkbox highlighted

You can use "I Agree" checkboxes to get consent under most privacy laws, as demonstrated here:

Logitech account registration page with consent checkbox for communications

Further, the law gives businesses a lot of leeway by stating that when "enrolling" biometric data, any notice the company provides must simply be "reasonably designed to be readily available to affected individuals."

This is in stark contrast to Illinois' Biometric Information Privacy Act (BIPA), which demands that written notice and release must be acquired before an organization collects any biometric identifiers or information.

Notice can be via a Privacy Policy clause that discloses the collection and use of biometric data along with all the other types of data collected and used, as seen here:

PayPal Privacy Policy: Categories of Personal Information We Collect clause

Here's another example of how to include this information in a Privacy Policy clause:

Wells Fargo CCPA Notice: Categories of Third Parties and Our Disclosures of Personal Data clause - Chart with Biometrics section highlighted

And one more:

Asure Software Privacy Policy: Biometric Data clause excerpt

The Washington Biometric Privacy Law (H.B. 1493) exempts organizations from the need to provide notice or gain consent if the use of an individual's biometric identifiers is related to a "security purpose" and fraud prevention.

The definition of "security purpose" is broad and vague, although it does explicitly cover preventing misappropriation, theft, and shoplifting, along with other purposes that may advance an organization's overall security.

Additionally, the Washington Biometric Privacy Law (H.B. 1493) provides exemptions for the use of biometric data in ways that clash with the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act. Law enforcement is also exempt.

Organizations will not need to gain consent before leasing or disclosing enrolled biometric data, or before selling that information if the lease, disclosure, or sale is:

  • Consistent with the demands of the biometric law
  • Made to respond or participate in the judicial process
  • Made to get ready for litigation
  • Made to third parties who contractually promise that the biometric information will not be disclosed further or be enrolled in a database for commercial purposes that are not consistent with the law
  • Specifically authorized or required by a federal or state statute
  • Specifically authorized or required by a court order
  • Necessary to provide a service or product requested by, subscribed to, or specifically authorized by the individual
  • Necessary to administer, effect, complete, or enforce a financial transaction initiated, authorized, or requested by the individual and where the recipient keeps the confidentiality of the biometric identifier and does not disclose it further

What are the Security and Retention Requirements of the Washington Biometric Privacy Law (H.B. 1493)?

The law requires that:

  • Organizations must take reasonable care to safeguard against the unauthorized acquisition of or access to biometric data
  • Organizations must ensure that they retain biometric information for no longer than is necessary to comply with the law; to protect against criminal activity, liability, security threats, or fraud; or to supply the service for which the biometric identifier was enrolled

Use your Privacy Policy to disclose that you have security processes in place, as seen here:

Generic biometric security clause

This clause doesn't have to be detailed or specific. It's just important to note that you do take security seriously. A more general clause like this one will work as well:

Amazon Web Services Privacy Notice: How we secure information clause

Does the Washington Biometric Privacy Law (H.B. 1493) Create a Private Right of Action?

The Washington Biometric Privacy Law (H.B. 1493) doesn't create a private right of action.

The law's requirements may only be enforced by Washington's Attorney General.

Again, this is in stark contrast to Illinois' BIPA, where class action lawsuits have been filed against organizations.

How Do You Comply with Washington Biometric Privacy Law (H.B. 1493)?

Experts are increasingly suggesting that businesses adopt a comprehensive, common framework when it comes to complying with biometric privacy laws.

For instance, the SANS Institute, which is a cooperative research and education organization in the cyber and information security space, put out a research paper detailing how organizations can become compliant with the biometric privacy laws enacted in the United States.

The theory goes that by implementing solutions that will put them in compliance with the strictest of these laws, businesses will be in compliance with all (including Washington's) by default.

It's recommended that you:

  • Create a comprehensive, documented plan for your company.
  • Provide individuals with a thorough, written policy (such as a Privacy Policy). Make that policy publicly available. Ensure that it includes information on the specific purposes for which you'll be collecting biometric data. Detail in full how that information will be used. Cover how the data will be disclosed and to whom. State clearly how long the data will be used, kept, and stored.
  • Be completely transparent, in writing, as to when and how their biometric data will be destroyed.
  • Ensure that strict security protocols to protect an individual's biometric data are implemented.
  • Obtain explicit consent for the collection of an individual's biometric information.
  • Ensure that provisions are placed in vendor contracts to make sure they're complying with existing laws. Additionally, ensure that you have the right to be notified if there is a suspected data breach.

Summary

If you use biometric data, you must disclose this in your Privacy Policy and ensure you obtain consent when required. Collecting, using, and/or processing this information without doing so violates privacy laws.

Link your Privacy Policy to wherever you collect biometric data, and use a checkbox to obtain consent to collect and process the data. Keep records of obtained consent to help you prove compliance if ever needed.
