Chapter 19.375 RCW

BIOMETRIC IDENTIFIERS

Sections

19.375.010Definitions.
19.375.020Enrollment, disclosure, and retention of biometric identifiers.
19.375.030Application of consumer protection act.
19.375.040Exclusions.
19.375.900FindingIntent2017 c 299.


Definitions.

The definitions in this section apply throughout this chapter , unless the context clearly requires otherwise.
(1) "Biometric identifier" means data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual. "Biometric identifier" does not include a physical or digital photograph, video or audio recording or data generated therefrom, or information collected, used, or stored for health care treatment, payment, or operations under the federal health insurance portability and accountability act of 1996.
(2) "Biometric system" means an automated identification system capable of capturing, processing, and storing a biometric identifier, comparing the biometric identifier to one or more references, and matching the biometric identifier to a specific individual.
(3) "Capture" means the process of collecting a biometric identifier from an individual.
(4) "Commercial purpose" means a purpose in furtherance of the sale or disclosure to a third party of a biometric identifier for the purpose of marketing of goods or services when such goods or services are unrelated to the initial transaction in which a person first gains possession of an individual's biometric identifier. "Commercial purpose" does not include a security or law enforcement purpose.
(5) "Enroll" means to capture a biometric identifier of an individual, convert it into a reference template that cannot be reconstructed into the original output image, and store it in a database that matches the biometric identifier to a specific individual.
(6) "Law enforcement officer" means a law enforcement officer as defined in RCW 9.41.010 or a federal peace officer as defined in RCW 10.93.020.
(7) "Person" means an individual, partnership, corporation, limited liability company, organization, association, or any other legal or commercial entity, but does not include a government agency.
(8) "Security purpose" means the purpose of preventing shoplifting, fraud, or any other misappropriation or theft of a thing of value, including tangible and intangible goods, services, and other purposes in furtherance of protecting the security or integrity of software, accounts, applications, online services, or any person.



Enrollment, disclosure, and retention of biometric identifiers.

(1) A person may not enroll a biometric identifier in a database for a commercial purpose, without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose.
(2) Notice is a disclosure, that is not considered affirmative consent, that is given through a procedure reasonably designed to be readily available to affected individuals. The exact notice and type of consent required to achieve compliance with subsection (1) of this section is context-dependent.
(3) Unless consent has been obtained from the individual, a person who has enrolled an individual's biometric identifier may not sell, lease, or otherwise disclose the biometric identifier to another person for a commercial purpose unless the disclosure:
(a) Is consistent with subsections (1), (2), and (4) of this section;
(b) Is necessary to provide a product or service subscribed to, requested, or expressly authorized by the individual;
(c) Is necessary to effect, administer, enforce, or complete a financial transaction that the individual requested, initiated, or authorized, and the third party to whom the biometric identifier is disclosed maintains confidentiality of the biometric identifier and does not further disclose the biometric identifier except as otherwise permitted under this subsection (3);
(d) Is required or expressly authorized by a federal or state statute, or court order;
(e) Is made to a third party who contractually promises that the biometric identifier will not be further disclosed and will not be enrolled in a database for a commercial purpose inconsistent with the notice and consent described in this subsection (3) and subsections (1) and (2) of this section; or
(f) Is made to prepare for litigation or to respond to or participate in judicial process.
(4) A person who knowingly possesses a biometric identifier of an individual that has been enrolled for a commercial purpose:
(a) Must take reasonable care to guard against unauthorized access to and acquisition of biometric identifiers that are in the possession or under the control of the person; and
(b) May retain the biometric identifier no longer than is reasonably necessary to:
(i) Comply with a court order, statute, or public records retention schedule specified under federal, state, or local law;
(ii) Protect against or prevent actual or potential fraud, criminal activity, claims, security threats, or liability; and
(iii) Provide the services for which the biometric identifier was enrolled.
(5) A person who enrolls a biometric identifier of an individual for a commercial purpose or obtains a biometric identifier of an individual from a third party for a commercial purpose pursuant to this section may not use or disclose it in a manner that is materially inconsistent with the terms under which the biometric identifier was originally provided without obtaining consent for the new terms of use or disclosure.
(6) The limitations on disclosure and retention of biometric identifiers provided in this section do not apply to disclosure or retention of biometric identifiers that have been unenrolled.
(7) Nothing in this section requires an entity to provide notice and obtain consent to collect, capture, or enroll a biometric identifier and store it in a biometric system, or otherwise, in furtherance of a security purpose.



Application of consumer protection act.

(1) The legislature finds that the practices covered by this chapter are matters vitally affecting the public interest for the purpose of applying the consumer protection act, chapter 19.86 RCW. A violation of this chapter is not reasonable in relation to the development and preservation of business and is an unfair or deceptive act in trade or commerce and an unfair method of competition for the purpose of applying the consumer protection act, chapter 19.86 RCW.
(2) This chapter may be enforced solely by the attorney general under the consumer protection act, chapter 19.86 RCW.



Exclusions.

(1) Nothing in this chapter applies in any manner to a financial institution or an affiliate of a financial institution that is subject to Title V of the federal Gramm-Leach-Bliley act of 1999 and the rules promulgated thereunder.
(2) Nothing in this chapter applies to activities subject to Title V of the federal health insurance privacy and portability act of 1996 and the rules promulgated thereunder.
(3) Nothing in this chapter expands or limits the authority of a law enforcement officer acting within the scope of his or her authority including, but not limited to, the authority of a state law enforcement officer in executing lawful searches and seizures.



FindingIntent2017 c 299.

The legislature finds that citizens of Washington are increasingly asked to disclose sensitive biological information that uniquely identifies them for commerce, security, and convenience. The collection and marketing of biometric information about individuals, without consent or knowledge of the individual whose data is collected, is of increasing concern. The legislature intends to require a business that collects and can attribute biometric data to a specific uniquely identified individual to disclose how it uses that biometric data, and provide notice to and obtain consent from an individual before enrolling or changing the use of that individual's biometric identifiers in a database.