Biometric Data Privacy Law in the State of Washington

Biometric Data Privacy Law in the State of Washington

Washington’s Revised Code Ann. 19.375.020 or Code 19.375.020 for short is a biometric data privacy law geared toward protecting the biometric information of citizens residing within the state of Washington. Created in 2017, the law was passed after the Washington State legislature noted that citizens within the state “are increasingly asked to disclose sensitive biological information that uniquely identifies them for commerce, security, and convenience. The collection and marketing of biometric information about individuals, without consent or knowledge of the individual whose data is collected, is of increasing concern.”

Compared to the landmark Illinois Biometric Information Privacy Act or BIPA, Code 19.375.020 does not have the same scope or application as the BIPA, as Code 19.375.020 only addresses the “enrollment” of biometric identifiers within a database for commercial purposes, as opposed to the BIPA which protects both the collection and enrollment of biometric identifiers. What’s more, the law includes several exceptions related to consent and notification, stating that the enrollment of the biometric identifiers for commercial purposes is context-dependent. Nevertheless, Code 19.375.020 does provide protection for the biometric information of Washington State citizens that are used for commercial purposes.

What are the requirements for business entities and organizations under Code 19.375.020?

Under Code 19.375.020, business entities, organizations, and individuals are prohibited from entering biometric data “in a database for a commercial purpose, without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose.” Under Code 19.375.020, a commercial purpose is defined as “a purpose in furtherance of the sale or disclosure to a third party of a biometric identifier for the purpose of marketing of goods or services when such goods or services are unrelated to the initial transaction in which a person first gains possession of an individual’s biometric identifier. “Commercial purpose” does not include a security or law enforcement purpose”.

To this end, there are various exceptions to Code 19.375.020, as biometric identifiers that are used for the purpose of two-factor authentication or other law enforcement related matters are not covered by the law. When collecting the biometric information of Washington State citizens for commercial purposes, business entities and organizations must adhere to the following requirements:

What are the penalties for violating Code 19.375.020?

Under Code 19.375.020, individuals, organizations, or business entities who are found to be in non-compliance with the law are subject to the same penalties and fines as those who break Washington’s Consumer Protection Act. Washington’s Consumer Protection Act or CPA was passed into law in 1961 and protects Washington State citizens from fair or deceptive business acts or practices. As such, penalties for violating the CPA include a monetary fine of up to $500,000, damages, as well as any court of attorney fees that may be incurred. These penalties are enforced by the Washington State Attorney General, and Code 19.375.020 does not allow for a Washington citizen’s private right of action in relation to violations of law.

While privacy laws that govern the use of biometric information or identifiers are far and few between throughout the country as of this writing, Washington’s Code 19.375.020 protects the biometric information of Washington State residents. Furthermore, many states in recent years have begun exploring the possibility of passing their own biometric information laws, as the use of biometric information only continues to increase. As a testament to this fact, the recently passed California Privacy Rights Act or CCPA contains provisions that specifically protect the biometric information of California residents. As such, many future privacy laws are sure to consider such provisions, with the goal of protecting all forms of American citizens’ personal privacy.

Related Reads