Search form

October 13, 2017
Washington’s New Biometrics Law – One of a kind in the United States
Practice Areas: 

What is biometrics and why does Washington need a law about it?  Imagine that you are walking down the street and a business, Corner Store, has a security camera that records all people who walk on the sidewalk outside its storefront.  Corner Store also has an inside security camera and it records customers while they shop.  As one of the customers, you buy a well-known brand soft drink, Best Soda.  That’s your favorite brand and you buy it nearly every time you stop there. 

One day, you realize that your coupon app has sent you a smartphone notice that there is a Best Soda fountain drink promotion at Corner Store.  Wow, what a coincidence because you often buy Best Soda at the Corner Store.

One weekend afternoon, you stop by Big Grocery Store to buy some items for dinner.  Your grocery store app sends your smartphone a notice that there’s an e-coupon for Best Soda, and you can buy 2 cases for the price of one.  Double wow.  This is really your lucky day.  You take advantage of Big Grocery Store’s two for one coupon.

Then, you go home that evening to find that the stove is broken and you can’t cook dinner.  So, you decide to go out for dinner at the food court at the Bunch of Stores Mall.  Not sure where to stop for dinner, you walk around the food court.  Your mall app sends a smartphone notice that Huge Burger has a 33% off its most popular combo with the purchase of a large Best Soda.  Triple wow. 

Coincidence?

Maybe. Or maybe not.  The cameras on business premises record your gait.  Corner Store, Big Grocery Store and Bunch of Mall Stores captured your buying habits as well as your gait and other biometric data, then they sold that data to the marketing company, We Know Stuff About People, that stores your unique biometric data and purchasing habits.  We Know Stuff About People bought that data from Corner Store, Big Grocery Store, and Bunch of Mall Stores and then manipulated it.  With that manipulated data, We Know Stuff About People knows who you are … not by name … but by your biometric data.  So, when your biometric data is detected by an on-the-premise camera, it is not only recording your activities for security purposes, but it is also recording your biometric information. With that information, people that want to sell you products or services will know that you are nearby so that they can market directly to you.

Creepy?

It depends.  Some people who really like Best Soda (and other deals) might not care.  There have been studies that millennials are comfortable voluntarily giving information about themselves.  In fact, maybe they appreciate knowing that there are deals for them.  Others, like baby boomers, maybe not so much; it’s too invasive. 

So, can this type of biometric data application really happen?  Can marketers tie this data to GPS systems?  Who knows?  Who thought 15 years ago that we’d be walking around with cellphones that have greater computing capacity in our hands than the 1960s main frame computers that took up two floors of a building?  However, digitizing one’s gait, keyboard stoke, voice, retina, iris, fingerprints, palm prints and other biometric patterns are not for futurists; the study of such biometrics has been going on for a while.[1]

This is a different issue from downloading a GPS-sensitive app to your smartphone.  For example, you might download an app from Nordstrom, Macys, or J.C. Penney and through the GPS system, the app knows where you might be in the store and it starts to send notifications of a shoe sale when you walk by the shoe department or a mattress sale when you are near the furniture department.

What does the new law do?

Enter HB 1493 (now codified as Chapter 19.375 RCW).  The purpose of the new law is to regulate the collection, distribution, and use of biometric identifiers before they are widely used without any discrete legal guidance.  According to Section 1, the legislature said:

…  The collection and marketing of biometric information about individuals, without consent or knowledge of the individual whose data is collected, is of increasing concern. The legislature intends to require a business that collects and can attribute biometric data to a specific uniquely identified individual to disclose how it uses that biometric data, and provide notice to and obtain consent from an individual before enrolling or changing the use of that individual's biometric identifiers in a database.

Biometric data can be static or behavioral.  Biometric static identifiers are somewhat common with fingerprints, face patterns, voiceprints, eye retinas, or irises.  These are fairly common in different situations.  For example, fingerprints are common to unlock your smartphone or banking apps or voice prints “wake up” certain apps on a smartphone, tablet or computer.  Facebook uses facial recognition to suggest Facebook friends to tag in your photos. 

But it also includes behavioral ones described as “other unique biological patterns or characteristics” that are used to identify a specific individual.  For example, your walking gait is unique.  Most of us are naïve regarding the many ubiquitous patterns used as identifiers, like our gait or the way that we tap a keyboard.

HB 1493 addresses not just behavioral or static biometrics that we know exist today; the bill drafters intentionally left the definition somewhat broad and vague so that statute would apply to future biometric data that might come into existence.  While it is important for the person whose biometrics might be captured to know about this law, it is as important for businesses to be aware of this law.  A business could find itself as the target of a consumer protection claim should it fail to follow this new law.

For those interested, one can watch the legislative hearing on HB 1493 at https://www.tvw.org/watch/?eventID=2017031128

What are HB 1493’s key elements?

It is not the intent of this article to provide a detailed analysis of this new law, but here are some key provisions of the law.  If you capture someone’s biometric information (e.g., a video of a person), then you cannot (1) convert it to a “reference template that cannot be reconstructed into the original output image”[2] and (2) store it in a database if the biometric identifier matches to a specific individual” for a commercial purpose.  The capture and storage of an individual’s biometric data is referred to as “enrolling”.  It does not need to be identification by a name or a social security number.  Identification could be certain unique biometric data, such as your gait derived by walking down the street. 

The statute permits one to enroll a person’s biometric information if notice is given, the affected person consents or there is a mechanism in place that would prevent the subsequent use of the biometric identifier for a commercial purpose.  The prohibition is limited to a commercial purpose.  That would mean that that there could be enrollment of the identifier, for example, as part of a law enforcement database.  (Could this be how the police can identify a person on a blurry security video when that person is wearing a hood or mask?)

Notice is context-dependent, so the actual content requirement varies.  Disclosure, then, is not “one size fits all.”  The notice must be via a procedure that is “reasonably designed to be readily available to affected individuals.”  So, a sign behind the cashier, covered by boxes of inventory, that says that the “cameras are recording your biometric data” is not likely adequate notice.  On the other hand, if the front door has a sign attached that says that the proprietor uses security cameras, your image may be enrolled into a database that could be used for commercial purposes, then that might have a better chance of being acceptable notice.

How is this law enforced?

There is no private right of action.  So, if you are an individual and you find that your biometric information has been enrolled and used for commercial purposes without consent or adequate notice, then there is nothing you can do.  If you are a business, then you may need to know what the state Attorney General thinks of your use of biometric data.  Only the Attorney General has been given the authority to enforce this law with the power of the consumer protection act.  (This is different than the law in Illinois, where there is much litigation under a private right of action.)

It will be interesting to see how this one-of-a-kind law will work.  We would be pleased to assist you in complying with this new law.

[1] For an interesting description of this technology, see this 2011 article from Homeland security at http://www.homelandsecuritynewswire.com/gait-biometrics-shows-promise

[2] There is no definition of “reference template that cannot be reconstructed into the original output image” but it sounds like a video, for example, is processed into data and once processed, it cannot be reprocessed back into a video.

 

Disclaimer

This advisory is a publication of Eisenhower Carlson PLLC. Our purpose in publishing this advisory is to inform our clients and friends of recent legal developments. It is not intended, nor should it be used, as a substitute for specific legal advice as legal counsel may only be given in response to inquiries regarding particular situations.

Eisenhower Carlson PLLC © 2011  ||  Credits & Disclaimers

DISCLAIMER:
This website is for informational purposes only and is not legal advice.

No portion of this page or any content herein may be redistributed or republished without written permission from Eisenhower Carlson PLLC.The information you'll find here is our way of introducing you to Eisenhower Carlson PLLC. It contains no official legal opinions. No responsibility is assumed for the accuracy or timeliness of any information on this website. The information on this website is not intended as a substitute for legal counsel, and is not intended to create, and receipt of it does not constitute, a lawyer-client relationship.

We invite you to contact us by phone, fax or e-mail for a session with one of our lawyers.

For your own protection, we strongly suggest that you do not transmit confidential documents to us or anyone else via unsecured email.

If you have any questions or comments concerning this site, please send an email to admin@eisenhowerlaw.com. Do not send confidential information via email.

CREDITS:
Concept & Design: CAVLRY
Photography: CAVLRY
Drupal CMS Development: Praece Strategic Technolog Consulting