Washington Passes a Biometric Privacy Law, Effective July 23, 2017
On April 11, 2017, HB 1493 was passed into law. It went into effect on July 23, 2017, The new bill doesn’t have a specific name, but is often referred to as the Washington Biometric Privacy Law. It governs how biometric information can be obtained and handled for commercial purposes.
Washington is the third state to pass biometric privacy laws, following Illinois and Texas. New York has a privacy law that places some restrictions on the use of biometric information. According to Littler, a legal website, Washington’s law does not include employers who collect biometric information for time clocks as part of their timekeeping system.
Overview of HB 1493
Washington law oversees the collection, usage, and retention of “biometric identifiers.” Biometric identifiers are defined as “data generated by automatic measurements of an individual’s biological characteristics.”
The law includes “fingerprints, voiceprints, eye retinas, irises, or other unique biological patterns or characteristics used to identify a specific individual.” It specifically excludes photographs and voiceprints.
Washington’s definition is broader than the previous two states regarding biometric identifiers. However, it is important to note that it does not include face or hand geometry scans as included in biological identifiers.
The law prohibits anyone from enrolling biological indicators into a database without providing notice and obtaining consent. However, the law only applies to biometric indicator commercial use. The law does not cover businesses, or employers, using biometric information in a noncommercial use.
The law defines what it means to enroll biometric identifiers into a database. To enroll biometric data means to capture a biometric identifier, convert it into a template, and store it in a database that can match it to a specific individual.
It is also important to understand that Washington’s law applies to the commercial use of biometric identifiers. Commercial purposes are defined as the sale or disclosure of biometric information for the purposes of marketing goods and services.
Using Biometrics in Commercial Use
Companies that do use biometric identifiers for a commercial purpose must take care to protect that information. They must also notify the individuals whose biometric information they enrolled about the purposes. Those individuals must provide consent.
Biometric identifiers cannot be retained longer than necessary. Companies cannot share or sell biometric indicators for any other reasons than those that were disclosed to the individuals at the time of consent.
- Provide notice to the individual
- Obtain consent
- Provide a mechanism to prevent subsequent use of the biometric identifier for commercial purposes
Employers Use of Biometrics for Employee Identification
The law specifically states that it does not limit or govern using biometric technology for security reasons and defines “security purposes” as purposes to prevent the fraud or theft of anything of value, including “intangible goods.”
One of the primary reasons employers use biometric time clocks is to prevent buddy punching, a wage theft practice that affects roughly 75% of all employers. Buddy punching is when employees clock in for other employees who are not at work yet. On average, employees steal 4.5 hours a week from their employees, according to a recent survey.
In addition to using time clocks or security measures, employers and other businesses, who use biometrics for purposes not defined for commercial purposes, will still be able to use biometric identifiers.
Enforcement of Biometric Privacy Law
Unlike Illinois, which allows for private and class action lawsuits to enforce the Illinois Biological Information Privacy Act, Washington solely allows the Attorney General to enforce the law.
The Debate Over Biometrics In Employment Rages
Although Illinois first passed its law in 2008 and Texas’ passed in 2009, the debate over biometric information and how companies can use that information is still being debated.
In Texas, employers who use biometric time clocks do not fall under the law if they use technology that analyzed the biometric information instead of using the actual biometric indicators. In other words, if an employer uses a technology like SwipeClock’s, which looks for specific distances between features, but does not retain the biometric indicator and cannot recreate that indicator, the employer does not fall under Texas law.
In Illinois, dozens of lawsuits were filed under alleged violations of its biometric privacy law. Currently, dozens of employers have pending litigation for the use of biometric time clocks. Illinois courts have just started ruling on the first of those cases. In a recent ruling regarding Six Flags collecting fingerprints of season pass holders, the courts ruled that even with a violation, without injury or adverse effect is not considered aggrieved under the act.
This could mean that only when harm is caused, employers would be held accountable. Furthermore, the coming months will show whether the courts require disclosure and consent by the employee when only the analysis of biometric data is used and not the actual biometric indicators.