Washington Biometric Privacy Law Lacks Teeth of Illinois Cousin

By Paul Shukovsky

Washington state’s new biometric privacy law has significant compliance obligations but lacks a right for consumers to sue that might have caused companies greater concern, privacy attorneys told Bloomberg BNA.

Although some consumer advocates say these features make Washington’s new law weak when compared to the landmark 2008 Illinois Biometric Information Privacy Act (BIPA), attorneys who represent companies say the lack of a private right of action, and differences in scope and definitions, make the Washington statute a more realistic way to both protect consumers and further innovation.

Texas is the only other state that has a biometric privacy law. The 2009 Texas law doesn’t include a provision to allow consumers to sue.

Justin O. Kay, litigation partner at Drinker Biddle & Reath LLP in Chicago, told Bloomberg BNA that “it’s too early to tell” if the law will strike “the appropriate balance between not stifling innovation and encouraging innovators to act responsibly.” One of the “keys for compliance is knowledge of the law’s existence” and other biometric laws haven’t “received substantial attention,” he said.

The Illinois law’s private right of action may be “an incentive for the opportunistic to create and exploit” the law, he said. For example, companies such as Facebook Inc., Alphabet Inc.'s Google, and Shutterfly Inc. have all faced class allegations under BIPA. Without the ability for individuals to file class action claims, the Washington and Texas laws “will likely be a footnote,” Kay said.

The Washington law, which takes effect July 23, requires companies that collect consumer biometric data for a commercial purpose to give notice, obtain consumer consent, or provide a “mechanism to prevent subsequent” commercial uses before enrolling the information in a database.

The law only applies to companies that “enroll” biometric data in a database, which the bill defines as capturing biometric data on an “individual, converting it into a reference template that cannot be restructured into the original output image, and store it in a database that matches the biometric identifier to a specific individual.” Other biometric privacy laws in Illinois and Texas regulate the collection of biometric data more broadly.

The Washington law, however, takes a nuanced approach to obtaining consumer consent that takes into account the specific situation in which the biometric data collection technology is being employed, the privacy pros said.

Enforcement under the Washington and Texas biometric privacy statutes rests solely with the attorneys general of the respective states. In Illinois, the state’s attorney general is authorized to enforce the law in addition to allowing individual consumers to sue.

Consent Provisions

The Washington law prohibits companies from selling or disclosing the enrolled biometric data unless the consumer consents or a statutory carve-out applies. In addition, companies that collect, or obtain from another company, biometric data that they intend to use for a commercial purpose “materially inconsistent” with purposes for which the consumer initially gave consent, must obtain further consent for the new uses.

Unlike BIPA, which requires informed written consent to disclose consumer data, the Washington law text states that consent is “context-dependent.” Additionally, the notice must be “given through a procedure reasonably designed to be readily available to affected individuals.”

Lisa Sotto, privacy leader and managing partner at Hunton & Williams LLP in New York, told Bloomberg BNA that the BIPA written consent requirement is “really, really burdensome.” For example, in the “retail context you couldn’t possibly get written consent from everybody who walks into your store. It’s not feasible.”

The Washington law includes carve-outs that allow companies to capture biometric data for security purposes without giving notice or obtaining consent, and that allow businesses to share identifiers with a third party to effect financial transactions requested by a consumer.

The Washington biometrics law is “carefully crafted to consider technological advances,” Sotto said. It is a modernization of biometrics privacy laws in Illinois and Texas, she said.

Enforcement Debate

Other states have tried to enact biometrics privacy laws with a private right of action for consumers. Bills in California, Alaska, Idaho, New Hampshire, and Montana all would have allowed individuals to sue, but none were enacted, Kay said. Failed measures in Connecticut, Massachusetts, and New York didn’t include a private right of action, he said.

Ari Scharg, privacy partner at consumer-side class action firm Edelson PC in Chicago, told Bloomberg BNA that uncovering alleged violations of biometric privacy laws is “extremely difficult,” especially when going up against sophisticated companies that may “hide” what they are doing. There is a fear that state attorneys general might see the high costs to investigate and prosecute alleged violations “as prohibitory and focus on other cases instead,” he said. A private right of action with statutory damages provides a strong consumer enforcement option, he said.

Sotto said that she is worried that other states will follow the BIPA framework. It will be very difficult on companies if there is a private right of action “for the use of biometrics,” she said. Instead, the power should be vested with a state attorney general that “might be much more thoughtful about what kind of actions they bring,” Sotto said.

Michael Schutzler, CEO of the Washington Technology Industry Association, told Bloomberg BNA that the state’s attorney general is the proper place to consider whether to enforce.

Washington state Rep. Mark Harmsworth (R), who co-sponsored the Washington law, told Bloomberg BNA that he’s not sure the bill would have passed if it contained a private right of action.

Technological Advances

Schutzler said the “law’s carefully chosen language” makes it possible for members of his tech industry group—including companies with their headquarters in the state, such as Amazon.com Inc. and Microsoft Corp.—to use anonymized biometric identifiers to conduct research and work on product development.

Washington state Rep. Jeff Morris (D), the measure’s prime sponsor, told Bloomberg BNA that rather than specifying an exhaustive list of biometric technologies, the law was written in such a way as to include all technologies that capture any biometric identifier that can identify a unique individual. The bill was crafted so that it won’t become obsolete as new technologies emerge, he said.

“We didn’t exclude facial recognition, we just didn’t want to call it out. We’re not trying to call out particular technologies because those are going to evolve over time,” Morris said.

But consumer attorney Scharg said not including facial recognition in the statute may not be in the best interest of consumers because certain uses of biometric data aren’t covered. The Washington law’s definition of biometric identifiers doesn’t include physical or digital photographs, videos, or audio recordings, he said.

The “carve-out for biometric data generated from pictures and videos” is a “loss for consumers and big win for the industry groups,” Scharg said.

The Washington law can allow companies to “build secret biometric databases without their permission” in certain contexts, he said. This is a problem because in the event of a breach of biometric data, unlike a payment card or Social Security Number hack where it is possible to replace the compromised numbers, in a hack of biometric facial recognition data, “how do you replace a face?”

With assistance from Daniel R. Stoller in Washington D.C.

To contact the reporter on this story: Paul Shukovsky in Seattle at PShukovsky@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

For More Information

Text of the Washington biometric privacy law is available at http://src.bna.com/qQb.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
