SHB 1717

This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.

As Passed House:

March 2, 2017

Title: An act relating to state agency collection, use, and retention of biometric identifiers.

Brief Description: Concerning state agency collection, use, and retention of biometric identifiers.

Sponsors: House Committee on Technology & Economic Development (originally sponsored by Representatives Smith, Morris, Harmsworth, DeBolt, Hudgins, Van Werven, Santos and Stanford).

Brief History:

Committee Activity:

Technology & Economic Development: 2/7/17, 2/14/17 [DPS].

Floor Activity:

Passed House: 3/2/17, 97-1.

Brief Summary of Substitute Bill

  • Prohibits an agency from obtaining a biometric identifier without notice and consent, and from selling the identifier.

  • Restricts agency use, sharing, review, and retention of biometric identifiers, and requires specific policies.

  • Exempts biometric identifiers from the Public Records Act.


Majority Report: The substitute bill be substituted therefor and the substitute bill do pass. Signed by 15 members: Representatives Kloba, Vice Chair; Tarleton, Vice Chair; Smith, Ranking Minority Member; Doglio, Fey, Harmsworth, Hudgins, Manweller, McDonald, Nealey, Santos, Slatter, Steele, Wylie and Young.

Staff: Lily Smith (786-7175).



The terms "biometric data," "biometric information," or "biometric identifier" variously refer to measurable biological or behavioral characteristics unique to an individual. Biometrics may be used for identification and authentication purposes, such as unlocking a device or authorizing a payment. They may also be used to gather personal characteristics for customizing services or information, such as in advertising.


There is no federal or Washington law that specifically regulates the collection or use of biometric data.

In 2012 the Federal Trade Commission released recommended best practices for companies that use facial recognition technologies. The three major principles of the best practices are:

  1. privacy by design;

  2. simplified choice; and

  3. greater transparency.

State Security Breach Laws.

Agencies are required to notify possibly affected persons when security is breached and personal information is (or is reasonably believed to have been) acquired by an unauthorized person. Disclosure is not required if a breach is not reasonably likely to subject customers to a risk of harm. An individual injured by a violation of these laws may bring a civil action to recover damages and seek an injunction.

Under the security breach law, personal information is defined as an individual's first name or first initial and last name, in combination with any one or more of the following data elements:

It does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

State Records Laws.

Under the Public Records Act (PRA), all state and local agencies must disclose public records upon request unless the records fall within a specific exemption, which may be within the PRA itself or as provided in another statute. The PRA is technology-neutral, in that it applies to records "regardless of physical form or characteristics."

Agency record retention requirements are independent from record disclosure requirements. State and local agencies must keep and then dispose of records according to specific "schedules." The Office of the Secretary of State sets a general schedule for categories of records common to many agencies. Some agencies set additional schedules to apply to records more specific to that agency's functions.

Summary of Substitute Bill:

An agency is prohibited from obtaining a biometric identifier without first:

An agency is prohibited from selling a biometric identifier.

An agency may only use a biometric identifier consistent with the terms of the notice and consent, and may only share the identifier under the following circumstances:

An agency that obtains biometric identifiers must:

Biometric identifiers may not be disclosed under the PRA.

"Agency" is defined as every state office, department, division, bureau, board, commission, or other state agency, but does not include a general-authority Washington law enforcement agency.

"Biometric identifier" is defined as any information, regardless of how it is captured, converted, stored, or shared, based on an individual's retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. There are a number of specific types of information excluded from this definition, including but not limited to, information derived from the following:

Appropriation: None.

Fiscal Note: Available.

Effective Date: The bill takes effect 90 days after adjournment of the session in which the bill is passed.

Staff Summary of Public Testimony:

(In support) This bill is specific to public agencies and provides a construct for them to know the rules regarding Washingtonians' data. It is critically important to the people served by the Legislature.

(Opposed) None.

(Other) Though the bill is directed at public agencies, it would also apply to companies doing business with the state. The definition of "biometric identifier" differs from House Bill 1493 and consistency is a concern.

Persons Testifying: (In support) Representative Smith, prime sponsor.

(Other) Joanie Deutsch, TechNet; and Bob Battles, Association of Washington Business.

Persons Signed In To Testify But Not Testifying: None.