Washington state’s new biometric privacy law has significant compliance obligations but lacks a right for consumers to sue that might have caused companies greater concern, privacy attorneys told Bloomberg BNA.
Although some consumer advocates say these features make Washington’s new law weak when compared to the landmark 2008 Illinois Biometric Information Privacy Act (BIPA), attorneys that represent companies say the lack of a private right of action, and differences in scope and definitions, make the Washington statute a more realistic way to both protect consumers and further innovation.
Texas is the only other state that has a biometric privacy law. The 2009 Texas law doesn’t include a provision to allow consumers to sue.
Justin O. Kay, litigation partner at Drinker Biddle & Reath LLP in Chicago, told Bloomberg BNA that “it’s too early to tell” if the law will strike “the appropriate balance between not stifling innovation and encouraging innovators to act responsibly.” One of the “keys for compliance is knowledge of the law’s existence” and other biometric laws haven’t “received substantial attention,” he said.
The Illinois law’s private right of action may be “an incentive for the opportunistic to create and exploit” the law, he said. For example, companies such as Facebook Inc., Alphabet Inc.'s Google, and Shutterfly Inc. have all faced class allegations under BIPA. Without the ability for individuals to file class action claims, the Washington and Texas laws “will likely be a footnote,” Kay said.
The Washington law, which takes effect July 23, requires companies that collect consumer biometric data for a commercial purpose to give notice, obtain consumer consent, or provide a “mechanism to prevent subsequent” commercial uses before enrolling the information in a database.
The law only applies to companies that “enroll” biometric data in a database, which the bill defines as capturing biometric data on an “individual, converting it into a reference template that cannot be restructured into the original output image, and store it in a database that matches the biometric identifier to a specific individual.” Other biometric privacy laws in Illinois and Texas regulate the collection of biometric data more broadly.
The Washington law, however, takes a nuanced approach to obtaining consumer consent that takes into account the specific situation in which the biometric data collection technology is being employed, the privacy pros said.
Enforcement under the Washington and Texas biometric privacy statutes rests solely with the attorneys general of the respective states. In Illinois, the state’s attorney general is authorized to enforce the law, and individual consumers may also sue.
The Washington law prohibits companies from selling or disclosing the enrolled biometric data unless the consumer consents or a statutory carve-out applies. In addition, companies that collect, or obtain from another company, biometric data that they intend to use for a commercial purpose “materially inconsistent” with purposes for which the consumer initially gave consent must obtain further consent for the new uses.
Unlike BIPA, which requires informed written consent to disclose consumer data, the Washington law text states that consent is “context-dependent.” Additionally, the notice must be “given through a procedure reasonably designed to be readily available to affected individuals.”
The Washington law includes carve-outs that allow businesses to capture biometric data for security purposes without giving notice or obtaining consent, and to share identifiers with a third party to effect financial transactions requested by a consumer.
The Washington biometrics law is “carefully crafted to consider technological advances,” Sotto said. It is a modernization of biometrics privacy laws in Illinois and Texas, she said.
Other states have tried to enact biometrics privacy laws with a private right of action for consumers. Bills in California, Alaska, Idaho, New Hampshire, and Montana all would have allowed individuals to sue, but none were enacted, Kay said. Failed measures in Connecticut, Massachusetts, and New York didn’t include a private right of action, he said.
Ari Scharg, privacy partner at consumer-side class action firm Edelson PC in Chicago, told Bloomberg BNA that uncovering alleged violations of biometric privacy laws is “extremely difficult,” especially when going up against sophisticated companies that may “hide” what they are doing. There is a fear that state attorneys general might see the high costs to investigate and prosecute alleged violations “as prohibitory and focus on other cases instead,” he said. A private right of action with statutory damages provides a strong consumer enforcement option, he said.
Sotto said that she is worried that other states will follow the BIPA framework. It will be very difficult on companies if there is a private right of action “for the use of biometrics,” she said. Instead, the power should be vested with a state attorney general that “might be much more thoughtful about what kind of actions they bring,” Sotto said.
Michael Schutzler, CEO of the Washington Technology Industry Association, told Bloomberg BNA that the state’s attorney general is the proper place to consider whether to enforce.
Washington state Rep. Mark Harmsworth (R), who co-sponsored the Washington law, told Bloomberg BNA that he’s not sure the bill would have passed if it contained a private right of action.
Schutzler said the “law’s carefully chosen language” makes it possible for members of his tech industry group—including companies with their headquarters in the state, such as Amazon.com Inc. and Microsoft Corp.—to use anonymized biometric identifiers to conduct research and work on product development.
Washington state Rep. Jeff Morris (D), the measure’s prime sponsor, told Bloomberg BNA that rather than specifying an exhaustive list of biometric technologies, the law was written in such a way as to include all technologies that capture any biometric identifier that can identify a unique individual. The bill was crafted so that it won’t become obsolete as new technologies emerge, he said.
“We didn’t exclude facial recognition, we just didn’t want to call it out. We’re not trying to call out particular technologies because those are going to evolve over time,” Morris said.
But consumer attorney Scharg said not including facial recognition in the statute may not be in the best interest of consumers because certain uses of biometric data aren’t covered. The Washington law’s definition of biometric identifiers doesn’t include physical or digital photographs, videos, or audio recordings, he said.
The “carve-out for biometric data generated from pictures and videos” is a “loss for consumers and big win for the industry groups,” Scharg said.
The Washington law can allow companies to “build secret biometric databases without their permission” in certain contexts, he said. This is a problem because in the event of a breach of biometric data, unlike a payment card or Social Security Number hack where it is possible to replace the compromised numbers, in a hack of biometric facial recognition data, “how do you replace a face?”
With assistance from Daniel R. Stoller in Washington D.C.
To contact the reporter on this story: Paul Shukovsky in Seattle at PShukovsky@bna.com
To contact the editor responsible for this story: Donald Aplin at firstname.lastname@example.org
Text of the Washington biometric privacy law is available at http://src.bna.com/qQb.
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.