Washington State

House of Representatives

Office of Program Research



Technology & Economic Development Committee

HB 1717

This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.

Brief Description: Concerning state agency collection, use, and retention of biometric identifiers.

Sponsors: Representatives Smith, Morris, Harmsworth, DeBolt, Hudgins, Van Werven, Santos and Stanford.

Brief Summary of Bill

  • Prohibits an agency from obtaining a biometric identifier without notice and consent, and from selling the identifier.

  • Restricts agency use, sharing, review, and retention of biometric identifiers, and requires specific policies.

  • Exempts biometric identifiers from the Public Records Act.

Hearing Date: 2/7/17

Staff: Lily Smith (786-7175).



The terms "biometric data," "biometric information," or "biometric identifier" variously refer to measurable biological or behavioral characteristics unique to an individual. Biometrics may be used for identification and authentication purposes, such as unlocking a device or authorizing a payment. They may also be used to gather personal characteristics for customizing services or information, such as in advertising.


There is no federal or Washington law that specifically regulates the collection or use of biometric data.

In 2012 the Federal Trade Commission released recommended best practices for companies that use facial recognition technologies. The three major principles of the best practices are:

  1. privacy by design;

  2. simplified choice; and

  3. greater transparency.

State Security Breach Laws.

Agencies are required to notify possibly affected persons when security is breached and personal information is (or is reasonably believed to have been) acquired by an unauthorized person. Disclosure is not required if a breach is not reasonably likely to subject customers to a risk of harm. An individual injured by a violation of these laws may bring a civil action to recover damages and seek an injunction.

Under the security breach law, personal information is defined as an individual's first name or first initial and last name in combination with any one or more of the following data elements:

It does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

State Records Laws.

Under the Public Records Act (PRA), all state and local agencies must disclose public records upon request unless the records fall within a specific exemption, which may be within the PRA itself or as provided in another statute. The PRA is technology-neutral, in that it applies to records "regardless of physical form or characteristics."

Agency record retention requirements are independent from record disclosure requirements. State and local agencies must keep and then dispose of records according to specific "schedules." The Office of the Secretary of State sets a general schedule for categories of records common to many agencies. Some agencies set additional schedules to apply to records more specific to that agency's functions.

Summary of Bill:

An agency is prohibited from obtaining a biometric identifier without first:

An agency is prohibited from selling a biometric identifier.

An agency may only use a biometric identifier in ways consistent with the terms of notice and consent, and may only share the identifier under the following circumstances:

An agency that obtains biometric identifiers must:

Biometric identifiers may not be disclosed under the PRA.

"Agency" is defined as every state office, department, division, bureau, board, commission, or other state agency, but does not include a general-authority Washington law enforcement agency.

"Biometric identifier" is defined as any information, regardless of how it is captured, converted, stored, or shared, based on an individual's retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Specific types of information excluded from this definition include, but are not limited to, information derived from the following:

Appropriation: None.

Fiscal Note: Available.

Effective Date: The bill takes effect 90 days after adjournment of the session in which the bill is passed.