Biometric Data Privacy Law in the State of Washington

Washington’s Revised Code Ann. 19.375.020 or Code 19.375.020 for short is a biometric data privacy law geared toward protecting the biometric information of citizens residing within the state of Washington. Created in 2017, the law was passed after the Washington State legislature noted that citizens within the state “are increasingly asked to disclose sensitive biological information that uniquely identifies them for commerce, security, and convenience. The collection and marketing of biometric information about individuals, without consent or knowledge of the individual whose data is collected, is of increasing concern.”

Compared to the landmark Illinois Biometric Information Privacy Act or BIPA, Code 19.375.020 does not have the same scope or application as the BIPA, as Code 19.375.020 only addresses the “enrollment” of biometric identifiers within a database for commercial purposes, as opposed to the BIPA which protects both the collection and enrollment of biometric identifiers. What’s more, the law includes several exceptions related to consent and notification, stating that the enrollment of the biometric identifiers for commercial purposes is context-dependent. Nevertheless, Code 19.375.020 does provide protection for the biometric information of Washington State citizens that are used for commercial purposes.

What are the requirements for business entities and organizations under Code 19.375.020?

Under Code 19.375.020, business entities, organizations, and individuals are prohibited from entering biometric data “in a database for a commercial purpose, without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose.” Under Code 19.375.020, a commercial purpose is defined as “a purpose in furtherance of the sale or disclosure to a third party of a biometric identifier for the purpose of marketing of goods or services when such goods or services are unrelated to the initial transaction in which a person first gains possession of an individual’s biometric identifier. “Commercial purpose” does not include a security or law enforcement purpose”.

To this end, there are various exceptions to Code 19.375.020, as biometric identifiers that are used for the purpose of two-factor authentication or other law enforcement related matters are not covered by the law. When collecting the biometric information of Washington State citizens for commercial purposes, business entities and organizations must adhere to the following requirements:

• Organizations and business entities may not enroll a biometric identifier into a database for commercial purposes without first obtaining consent, providing notice, or providing a mechanism for preventing the subsequent use of a biometric identifier for commercial purposes.
• Under Code 19.375.020, notice is a disclosure that is not considered to be affirmative consent and is given through a procedure that is reasonably designed to be readily available to any individuals whose biometric information may be affected. As such, the exact type of notice and consent that is required to maintain compliance with the law is context-dependent.
• Unless a business or organization has first obtained consent from an individual, an entity or individual that has enrolled the biometric data of a Washington State citizen is prohibited from selling, leasing, or otherwise disclosing this data to another person for commercial purposes unless the disclosure is consistent with the above sections, is necessary to provide product or service that was requested by the citizen, is necessary to administer, effect, complete or enforce a financial transaction at the behest of the citizen, is expressly authorized or required by a federal or state statute or a court order, is used in the context of litigation or to respond to or participate in the judicial process, or is made to a third party who is contractually obligated to not disclose a citizens biometric information.
• An individual, business, or organization who knowingly possesses the biometric information of a Washington State citizen is required to take reasonable care to guard against the unauthorized use and acquisition of this information, retain a citizen’s biometric information for no longer than is necessary to provide the services from which the biometric identifier was enrolled, to prevent or protect against potential or actual fraud, security threats, or criminal activity, and comply with any court orders, public records retention schedule, or statute specified under state or federal law.
• An individual, business, or organization who enrolls a Washington State citizen’s biometric information for commercial purposes or obtains this information from a third party may not use or disclose said information in a manner that is inconsistent with the purposes for which it was collected in the first place without first obtaining consent relative to the new terms of said disclosure.

What are the penalties for violating Code 19.375.020?

Under Code 19.375.020, individuals, organizations, or business entities who are found to be in non-compliance with the law are subject to the same penalties and fines as those who break Washington’s Consumer Protection Act. Washington’s Consumer Protection Act or CPA was passed into law in 1961 and protects Washington State citizens from fair or deceptive business acts or practices. As such, penalties for violating the CPA include a monetary fine of up to $500,000, damages, as well as any court of attorney fees that may be incurred. These penalties are enforced by the Washington State Attorney General, and Code 19.375.020 does not allow for a Washington citizen’s private right of action in relation to violations of law.

While privacy laws that govern the use of biometric information or identifiers are far and few between throughout the country as of this writing, Washington’s Code 19.375.020 protects the biometric information of Washington State residents. Furthermore, many states in recent years have begun exploring the possibility of passing their own biometric information laws, as the use of biometric information only continues to increase. As a testament to this fact, the recently passed California Privacy Rights Act or CCPA contains provisions that specifically protect the biometric information of California residents. As such, many future privacy laws are sure to consider such provisions, with the goal of protecting all forms of American citizens’ personal privacy.