SENATE BILL REPORT

SHB 1717

This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.

As Passed Senate, April 11, 2017

Title: An act relating to state agency collection, use, and retention of biometric identifiers.

Brief Description: Concerning state agency collection, use, and retention of biometric identifiers.

Sponsors: House Committee on Technology & Economic Development (originally sponsored by Representatives Smith, Morris, Harmsworth, DeBolt, Hudgins, Van Werven, Santos and Stanford).

Brief History: Passed House: 3/02/17, 97-1.

Committee Activity: State Government: 3/15/17, 3/29/17 [DP].

Floor Activity:

Passed Senate: 4/11/17, 49-0.

Brief Summary of Bill

  • Prohibits an agency from obtaining a biometric identifier without notice and consent.

  • Prohibits an agency from selling a biometric identifier.

  • Restricts and requires specific agency policies concerning the use, sharing, review, and retention of biometric identifiers.

  • Prohibits agency disclosure of biometric identifiers under the Public Records Act.

SENATE COMMITTEE ON STATE GOVERNMENT

Majority Report: Do pass.

Signed by Senators Miloscia, Chair; Zeiger, Vice Chair; Hunt, Ranking Minority Member; Kuderer and Pearson.

Staff: Samuel Brown (786-7470)

Background: Biometrics. The terms biometric data, biometric information, or biometric identifier variously refer to measurable biological or behavioral characteristics unique to an individual. Biometrics may be used for identification and authentication purposes, such as unlocking a device or authorizing a payment, and to gather personal characteristics for customizing services or information, such as in advertising. There is no federal or Washington law that specifically regulates the collection or use of biometric data.

Data Breach Laws. Agencies are required to notify possibly affected persons when security is breached and personal information is, or is reasonably believed to have been, acquired by an unauthorized person. Disclosure is not required if a breach is not reasonably likely to subject customers to a risk of harm. An individual injured by a violation of these laws may bring a civil action to recover damages and seek an injunction.

Personal information is defined as an individual's first name or first initial and last name, in combination with any of the following data elements:

Publicly available information that is lawfully made available to the general public from federal, state, or local government records is not considered personal information for these purposes.

Public Records Laws. Under the Public Records Act (PRA), all state and local agencies must disclose public records upon request unless the records fall within a specific statutory exemption. The PRA applies to all records, regardless of physical form or characteristics.

Agency record retention requirements are independent from record disclosure requirements. State and local agencies must retain records according to specific schedules. The Office of the Secretary of State sets a general schedule for categories of records common to many agencies, and some agencies set additional schedules for records specific to that agency's functions.

Summary of Bill: Biometric Identifiers. Biometric identifier is defined as any information, regardless of how it is captured, converted, stored, or shared, based on an individual's retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Certain information is excluded from this definition, including information derived from the following:

Agency Responsibilities. State agency responsibilities with regard to biometric identifiers are modified, although the provisions of the act do not apply to law enforcement agencies.

Agencies are prohibited from obtaining a biometric identifier without first providing specific notice and obtaining specific consent. Agencies are prohibited from selling biometric identifiers. An agency may only use a biometric identifier consistent with the terms of the notice and consent. An agency may only share the identifier to execute its collection, consistent with the notice and consent, or if sharing is specified in the original consent. Biometric identifiers may not be disclosed by any agency, including a law enforcement agency, in response to a PRA request.

An agency that obtains biometric identifiers must:

Appropriation: None.

Fiscal Note: Available.

Creates Committee/Commission/Task Force that includes Legislative members: No.

Effective Date: Ninety days after adjournment of session in which bill is passed.

Staff Summary of Public Testimony: PRO: This legislation responds to constituent concerns about their biometric data and its collection by public entities. It codifies the best practices used by agencies in statute, and makes sure the public knows biometric data will not be used without consent.

Persons Testifying: PRO: Representative Norma Smith, Prime Sponsor.

Persons Signed In To Testify But Not Testifying: No one.