FINAL BILL REPORT
This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.
C 306 L 17
Synopsis as Enacted
Brief Description: Concerning state agency collection, use, and retention of biometric identifiers.
Sponsors: House Committee on Technology & Economic Development (originally sponsored by Representatives Smith, Morris, Harmsworth, DeBolt, Hudgins, Van Werven, Santos and Stanford).
House Committee on Technology & Economic Development
Senate Committee on State Government
The terms "biometric data," "biometric information," or "biometric identifier" variously refer to measurable biological or behavioral characteristics unique to an individual. Biometrics may be used for identification and authentication purposes, such as unlocking a device or authorizing a payment. They may also be used to gather personal characteristics for customizing services or information, such as in advertising.
There is no federal or Washington law that specifically regulates the collection or use of biometric data.
State Records Laws.
Under the Public Records Act (PRA), all state and local agencies must disclose public records upon request unless the records fall within a specific exemption, which may be within the PRA itself or as provided in another statute. The PRA applies to records "regardless of physical form or characteristics."
Agency record retention requirements are independent from record disclosure requirements. State and local agencies must keep and then dispose of records according to specific "schedules." The Office of the Secretary of State sets a general schedule for categories of records common to many agencies. Some agencies set additional schedules to apply to records more specific to that agency's functions.
An agency is prohibited from obtaining a biometric identifier without first:
providing notice that clearly specifies the purpose and use of the identifier; and
obtaining consent specific to the terms of the notice.
An agency is prohibited from selling a biometric identifier.
An agency may only use a biometric identifier consistent with the terms of the notice and consent, and may only share the identifier under the following circumstances:
to execute the purposes of the collection, consistent with the notice and consent; or
if sharing is specified in the original consent.
An agency that obtains biometric identifiers must:
establish security policies that ensure the integrity and confidentiality of the identifiers;
address the identifiers in privacy policies;
tailor retention schedules to the purpose of collecting the identifiers;
only retain the identifiers necessary to fulfill the original purpose and use;
otherwise minimize the review and retention of the identifiers; and
design a biometric policy to minimize the collection of biometric identifiers.
Biometric identifiers may not be disclosed under the PRA.
Votes on Final Passage:
July 23, 2017