FINAL BILL REPORT
ESHB 1493
This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent. |
C 299 L 17
Synopsis as Enacted
Brief Description: Concerning biometric identifiers.
Sponsors: House Committee on Technology & Economic Development (originally sponsored by Representatives Morris, Harmsworth, Smith, Tarleton and Stanford).
House Committee on Technology & Economic Development
Senate Committee on Law & Justice
Background:
Biometrics.
The terms "biometric data," "biometric information," or "biometric identifier" variously refer to measurable biological or behavioral characteristics unique to an individual. Biometrics may be used for identification and authentication purposes, such as unlocking a device or authorizing a payment. They may also be used to gather personal characteristics for customizing services or information, such as in advertising.
Federal Regulation.
There is no federal law that specifically regulates the collection or use of biometric data for commercial purposes. The Federal Trade Commission (FTC) has the authority to enforce privacy and data security through the regulation of unfair or deceptive acts or practices in or affecting commerce, and several federal laws regulate the use of personally identifiable information. The Gramm-Leach-Bliley Act requires financial institutions to explain how they share information, and gives consumers the right to place some limits on how their information is shared.
State Regulation.
No Washington law comprehensively regulates the collection or use of a person's biometric data for commercial purposes.
State Consumer Protection Act.
Under Washington's Consumer Protection Act (CPA), "unfair or deceptive acts or practices" in trade or commerce are unlawful. The Attorney General may bring an action under the CPA in order to restrain and prevent unfair and deceptive acts and practices.
Summary:
A person may not enroll a biometric identifier in a database for a commercial purpose, without providing notice, obtaining consent, or providing a mechanism to prevent subsequent use. A biometric identifier enrolled or obtained for a commercial purpose may not be used or disclosed in a way inconsistent with the original terms under which it was provided, unless new consent is obtained.
The sale, lease, or disclosure of a biometric identifier for a commercial purpose, without the individual's consent, is prohibited unless it is:
consistent with the enrollment, protection, and retention requirements;
necessary in providing a product or service sought by the individual;
necessary in a financial transaction that the individual requested or authorized;
required or expressly authorized under a federal or state statute or court order;
made to a third party with specified restrictions; or
made to prepare for litigation or for the purpose of judicial process.
A person in possession of biometric identifiers enrolled for a commercial purpose must guard against unauthorized access and adhere to retention limitations. The limitations on disclosure and retention do not apply if the biometric identifiers have been unenrolled.
Violations may be enforced by the Attorney General under the CPA.
Votes on Final Passage:
House | 81 | 17 | |
Senate | 37 | 12 |
Effective: | July 23, 2017 |