Washington state recently passed a biometric law, which goes into effect July 23, 2017. Washington joins Illinois and Texas in passing a law of this kind. Washington’s law defines biometric data as that which is “generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics used to identify a specific individual.” The law requires companies that want to sell or share biometric information for commercial purposes to provide notice and either (a) get consent or (b) let people opt out of subsequent uses of biometric information for “commercial purposes.” Where consent is not obtained, the right to share biometric information is limited, including to when the sharing is necessary to provide a product or service, to complete a transaction, is with an entity who contractually promises not to disclose it, or is required by law.
Under the new law, companies that either collect or receive biometric information as a third party provider must protect that information. Records containing biometric information must also be destroyed once they are no longer needed for business or compliance purposes.
The law contains no private right of action, vesting enforcement power with the State Attorney General. (The Texas law also has no private right of action, but the Illinois law does contain a private of action and, as we have written before, plaintiffs’ attorneys have been active).
TIP: Companies considering collecting biometric information should keep in mind Washington’s new notice requirements and the situations in which consent may be needed.