House of Representatives
Office of Program Research
Technology & Economic Development Committee
This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.
Brief Description: Concerning state agency collection, use, and retention of biometric identifiers.
Sponsors: Representatives Smith, Morris, Harmsworth, DeBolt, Hudgins, Van Werven, Santos and Stanford.
Hearing Date: 2/7/17
Staff: Lily Smith (786-7175).
The terms "biometric data," "biometric information," or "biometric identifier" variously refer to measurable biological or behavioral characteristics unique to an individual. Biometrics may be used for identification and authentication purposes, such as unlocking a device or authorizing a payment. They may also be used to gather personal characteristics for customizing services or information, such as in advertising.
There is no federal or Washington law that specifically regulates the collection or use of biometric data.
In 2012 the Federal Trade Commission released recommended best practices for companies that use facial recognition technologies. The three major principles of the best practices are:
privacy by design;
simplified choice; and
State Security Breach Laws.
Agencies are required to notify possibly affected persons when security is breached and personal information is (or is reasonably believed to have been) acquired by an unauthorized person. Disclosure is not required if a breach is not reasonably likely to subject customers to a risk of harm. An individual injured by a violation of these laws may bring a civil action to recover damages and seek an injunction.
Under the security breach law, personal information is defined as an individual's first name or first initial and last name in combination with any one or more of the following data elements:
Social Security number;
driver license number or Washington identification card number; or
account number, credit or debit card number, or any required security code, access code, or password that would permit access to an individual's financial account.
It does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
State Records Laws.
Under the Public Records Act (PRA), all state and local agencies must disclose public records upon request unless the records fall within a specific exemption, which may be within the PRA itself or as provided in another statute. The PRA is technology-neutral, in that it applies to records "regardless of physical form or characteristics."
Agency record retention requirements are independent from record disclosure requirements. State and local agencies must keep and then dispose of records according to specific "schedules." The Office of the Secretary of State sets a general schedule for categories of records common to many agencies. Some agencies set additional schedules to apply to records more specific to that agency's functions.
Summary of Bill:
An agency is prohibited from obtaining a biometric identifier without first:
providing notice that clearly specifies the purpose and use of the identifier; and
obtaining consent specific to the terms of the notice.
An agency is prohibited from selling a biometric identifier.
An agency may only use a biometric identifier in ways consistent with the terms of notice and consent, and may only share the identifier under the following circumstances:
to execute the purposes of the collection, consistent with the terms of notice and consent; or
if sharing is specified in the original consent.
An agency that obtains biometric identifiers must:
establish security policies that ensure the integrity and confidentiality of the identifiers;
address the identifiers in privacy policies;
tailor retention schedules to the purpose of collecting the identifiers;
only retain the identifiers necessary to fulfill the original purpose and use; and
otherwise minimize the review and retention of the identifiers.
Biometric identifiers may not be disclosed under the PRA.
"Agency" is defined as every state office, department, division, bureau, board, commission, or other state agency, but does not include a general-authority Washington law enforcement agency.
"Biometric identifier" is defined as any information, regardless of how it is captured, converted, stored, or shared, based on an individual's retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Specific types of information excluded from this definition include, but are not limited to, information derived from the following:
writing samples, photographs, or physical descriptions such as height or eye color;
donated organ parts, blood, or serum;
information captured in a health care setting; or
image or film used to diagnose or treat a medical condition or validate a scientific screening.
Fiscal Note: Available.
Effective Date: The bill takes effect 90 days after adjournment of the session in which the bill is passed.