Since the start of the 2023 legislative session, at least 15 biometric privacy law proposals have emerged across 11 states (including Arizona, Hawaii, Maryland, Massachusetts, Minnesota, Mississippi, Missouri, New York, Tennessee, Vermont, and Washington). Broadly speaking, these bills would impose new requirements on companies’ collection, handling, protection, use, and dissemination of biometric information (such as retina or iris scans, fingerprints, voiceprints, and scans of hand or face geometry). Many of these bills would greatly increase the compliance risk and liability exposure of companies that handle biometric information and are therefore worth tracking closely.
Currently, the collection and use of biometric information is governed by a patchwork of legal frameworks. For example, comprehensive state privacy laws in California, Colorado, Virginia, Connecticut, and Utah regulate biometric information as a form of “sensitive” information. Meanwhile, some states and municipalities have elected to restrict the use of specific types of biometric data in narrower use cases, such as Colorado’s 2022 law restricting the use of facial recognition technology by state and local government agencies.
The dominant statute in the biometric privacy legal landscape, however, is Illinois’s Biometric Information Privacy Act (BIPA). Though Washington and Texas have their own state biometric privacy laws in place, Illinois’s BIPA is the only such law that is enforceable through a private right of action. That private right of action can generate substantial liability for companies, ranging from $1,000 per violation for negligent violations to $5,000 per violation for intentional or reckless violations (or, in either case, actual damages). Indeed, in October 2022, a federal court in the Northern District of Illinois awarded a plaintiff class $228 million in damages in a BIPA suit against BNSF Railway. Moreover, the Illinois Supreme Court has recently handed down two decisions that expand the scope of BIPA legal exposure even further. Earlier this month, on February 2, in Tims v. Black Horse Carriers, Inc., the Court held that individuals have five years (rather than one) after an alleged BIPA violation to bring claims under the statute’s private right of action. And just last week, on February 17, the Court held in Cothron v. White Castle System, Inc. that “a separate claim accrues under [BIPA] each time a private entity scans or transmits an individual’s biometric identifier or information in violation of [the Act].”
The majority of the 2023 state biometric privacy bills that have been introduced to date are modeled on Illinois’s BIPA, including that statute’s private right of action and damages provisions. Thus, these bills have the potential, like BIPA, to greatly increase the compliance risk and liability exposure of companies that collect and process biometric information. Such companies (particularly those that handle the biometric information of residents of Illinois and any other states considering BIPA-like legislation) should ensure that their data handling and processing procedures are aligned with the requirements of BIPA and BIPA-like proposed legislation.
In this post, we summarize key takeaways from the state biometric privacy bills that have been introduced in the 2023 legislative session, then provide a detailed breakdown of each bill’s provisions. We are happy to answer any questions you may have on these issues.
KEY TRENDS AND HIGHLIGHTS
1. Standalone Bills: Most of these bills are standalone bills focused solely on biometric privacy issues. However, in four states (Maryland, New York, Vermont, and Washington), biometrics-specific provisions are embedded into broader comprehensive privacy law proposals.
2. Common Elements: Most of the bills closely mirror the key provisions of Illinois’s Biometric Information Privacy Act (BIPA). These include:
- Requiring entities to develop a public written policy establishing a retention schedule and destruction guidelines for biometric information.
- Requiring that biometric information be destroyed upon the earlier of (1) satisfaction of the purpose for collecting the information; or (2) within 3 years of the relevant individual’s last interaction with the entity.
- Not allowing an entity to collect or obtain an individual’s biometric information unless the entity first (1) informs the individual of the information’s collection or storage; (2) informs the individual of the purpose and duration of the collection, storage, and use; and (3) obtains consent.
- Prohibiting entities from selling, leasing, trading, or profiting from an individual’s biometric information.
- Prohibiting entities from disclosing or disseminating biometric information unless the individual consents or an exception applies (e.g., required to complete financial transaction that individual requested; required by law).
- Requiring entities to store, transmit, and protect biometric information in accordance with an industry-specific standard of care and in a manner at least as protective as that applied for other confidential and sensitive information.
- Creating a private right of action.
- Exempting information governed by HIPAA, entities governed by GLBA, state and local government entities, and judicial entities.
3. Applicability: Most of the bills apply only to private sector entities. New York’s Digital Fairness Act and Washington’s People’s Privacy Act are the two exceptions, applying to both private and public-sector organizations.
4. Current Status: Most of the bills remain in the early stages of the legislative process, with many having only, at most, been referred to committees. Three bills have made more notable progress:
- Arizona’s SB 1238 has been passed and approved by the Senate Transportation and Technology Committee and Senate Rules Committee, respectively.
- The Maryland Biometric Data Privacy Act has received hearings in the House Economic Matters and Senate Finance Committees.
- Maryland’s Online and Biometric Data Privacy Act had a hearing before the House Economic Matters Committee on February 22 and has a hearing before the Senate Finance Committee scheduled for March 8.
2023 PROPOSALS
Arizona
1. Bill Title: SB 1238
2. Current Status: As of February 23, 2023, the bill had been passed by the Transportation and Technology Committee (2/6/23) and approved by the Rules Committee (2/13/23).
3. Key Provisions:
- Private entities in possession of biometric information must develop a public written policy establishing retention schedule and destruction guidelines.
- Biometric information must be destroyed upon the earlier of (1) satisfaction of the purpose for collecting the information; or (2) within 3 years of the relevant individual’s last interaction with the entity.
- Private entity may not collect or obtain individual’s biometric information without first: (1) informing individual of the collection or storage; (2) informing individual of the purpose and duration of the collection, storage, and use; and (3) obtaining consent.
- Private entities may not sell, lease, trade, or profit from individual’s biometric information.
- Private entities may not disclose or disseminate individual’s biometric information unless individual consents or other exception applies (e.g., required to complete financial transaction that individual requested; required by law).
- Private entity must store, transmit, and protect biometric information in accordance with industry-specific standard of care and in manner at least as protective as that applied for other confidential and sensitive information.
- Creates private right of action. Individuals may obtain, for each violation, the greater of (1) $1,000 or actual damages for a negligent violation; or (2) $5,000 or actual damages for an intentional or reckless violation.
- Exempts information governed by HIPAA, state and local government entities, judicial entities, and entities governed by GLBA.
Hawaii
1. Bill Title: Hawaii Biometric Information Privacy Act (SB 1085)
2. Current Status: As of February 23, 2023, the bill had been deferred by the Labor and Technology Committee (2/10/23).
3. Key Provisions:
- Private entities in possession of biometric information must develop a public written policy establishing retention schedule and destruction guidelines.
- Biometric information must be destroyed upon the earlier of (1) satisfaction of the purpose for collecting the information; or (2) within 3 years of the relevant individual’s last interaction with the entity.
- Private entity may not collect or obtain an individual’s biometric information unless it first (1) informs individual of the collection or storage of the biometric information; (2) informs individual of the purpose and length of the collection, storage, and usage; and (3) obtains consent.
- Private entities may not sell, lease, trade, or profit from individual’s biometric information.
- Private entity may not disclose or disseminate individual’s biometric information unless individual consents or other exception applies (e.g., required to complete financial transaction requested by the individual; required by law).
- Private entity must store, transmit, and protect biometric information in accordance with industry-specific standard of care and in manner at least as protective as that applied to other confidential and sensitive information.
- Creates private right of action. Individuals may obtain, for each violation, the greater of (1) $1,000 or actual damages for negligent violations; or (2) $5,000 or actual damages for intentional or reckless violations.
- Exempts information governed by HIPAA, state and county entities, judicial entities, and entities governed by GLBA.
- Act would take effect upon enactment.
Maryland
1. Bill Title: Biometric Data Privacy Act (HB 33/SB 169)
2. Current Status: As of February 23, 2023, HB 33 had been subject to a hearing in the Economic Matters Committee (2/1/23) and SB 169 had been subject to a hearing in the Finance Committee (1/21/23).
3. Key Provisions:
- Requires entities in possession of biometric data to develop a public written policy addressing the retention and destruction of biometric data.
- Entities must destroy biometric data on the earliest of three occurrences: (1) date on which the purpose for collecting the data is satisfied; (2) within three years after the individual’s last interaction with the entity; or (3) within 30 days after receiving a request to delete an individual’s data.
- Entities must use reasonable standard of care in protecting biometric data and protect such data in a manner at least as protective as that used for other confidential and sensitive information.
- Prohibits entities from selling, leasing, or trading biometric data.
- Prohibits entities from collecting, using, disclosing, or disseminating biometric data unless individual consents or other exceptions apply (e.g., legal requirements, law enforcement cooperation, fraud prevention or security).
- Creates right for individual to request that entity disclose individual’s “biometric data and information related to the use of the biometric data.”
- Generally, Act to be enforced by state AG and Division of Consumer Protection, with violations treated as unfair, abusive, or deceptive trade practices under Maryland law.
- Creates limited private right of action for individuals whose biometric information is sold, leased, or traded by an entity.
- Exempts state and local government agencies, judicial entities, information subject to HIPAA, and entities regulated by GLBA.
- Act would take effect on October 1, 2023.
Maryland
1. Bill Title: Online and Biometric Data Privacy Act (SB 698/HB 807)
2. Current Status: As of February 23, 2023, SB 698 had a Finance Committee hearing scheduled for 3/8/23 (scheduled on 2/7/23), and HB 807 had a hearing in the Economic Matters Committee on 2/22/23.
3. Key Provisions:
- Comprehensive state privacy bill that includes provisions focused specifically on biometric information. (For a full summary of this bill, see our February 13 state comprehensive privacy law update).
- Controller may not sell, lease, or trade individual’s biometric information.
- Controller must store, transmit, and protect biometric information in accordance with industry-specific standard of care and in manner at least as protective as that applied to other confidential and sensitive information.
- Controller may not collect, use, disclose, or disseminate individual’s biometric information unless the individual consents, disclosure is required for legal or law enforcement purposes, or other exception applies (e.g., necessary for fraud prevention or security purposes).
- Controller that collects biometric information must develop public written policy establishing retention schedule and destruction guidelines (subject to limited exceptions).
- Biometric information must be destroyed upon the earliest of (1) satisfaction of the purpose for which the biometric information was collected; (2) within 3 years after the individual’s last interaction with the controller; or (3) within 30 days after the controller receives a request from the individual to delete the biometric data.
- Creates a limited private right of action for individuals injured by controller’s sale, leasing, or trade of biometric data.
- Act would take effect on October 1, 2023.
Massachusetts
1. Bill Title: HD 3053
2. Current Status: As of February 23, 2023, the bill had been filed on the House docket (1/20/23).
3. Key Provisions:
- Entity must satisfy the following requirements before collecting or processing biometric information for identification purposes: (1) inform individual of collection or processing; (2) provide individual with biometric privacy policy; and (3) “obtain[] explicit non-electronic, handwritten consent.”
- Entity must satisfy the following requirements before collecting or processing biometric information for verification purposes: (1) inform the individual of the collection or processing; (2) provide the individual with a biometric privacy policy; and (3) “obtain[] explicit handwritten or electronic consent.”
- Entity must destroy biometric information after consent expires. Individual’s consent expires upon the earlier of (1) three years after consent is obtained or (2) satisfaction of the purpose for which the biometric data was collected.
- Entities must maintain a Biometric Privacy Policy including use models, data management and security policies, disclosure practices, and retention/destruction guidelines.
- Entities must use reasonable standard of care in storing, transmitting, and protecting biometric data and protect biometric data in a manner at least as protective as that used for other confidential and sensitive information.
- Entities may not disclose or disseminate biometric information without individual’s consent, subject to certain limited exceptions.
- Prohibits entities from monetizing an individual’s biometric information.
- Entities must provide notice of disclosure to individuals when they provide biometric information in response to a judicial warrant.
- Creates private right of action for individuals harmed by violation of Act. If defendant’s conduct was intentional or reckless, individual entitled to “liquidated damages of not less than 0.5% of the annual global revenue of the covered entity or $5,000 per violation, whichever is greater.” If defendant’s conduct was negligent, individual entitled to “liquidated damages of not less than 0.1% of the annual global revenue of the covered entity or $1,000 per violation, whichever is greater.”
- Authorizes state AG to bring action to enforce Act.
- Authorizes state AG to adopt regulations in furtherance of Act.
- Exempts entities and information subject to HIPAA, entities subject to GLBA, state and local governments, and judicial entities.
- Act would take effect one year after enactment.
Massachusetts
1. Bill Title: Biometric Information Privacy Act (SD 2218)
2. Current Status: As of February 23, 2023, the bill had been filed on the Senate docket (1/20/23).
3. Key Provisions:
- Private entities in possession of biometric data must develop public written policy establishing retention schedule and guidelines for destruction of biometric information.
- Biometric information must be destroyed upon the earlier of (1) satisfaction of the purpose for collecting said information or (2) within 1 year of the relevant individual’s last interaction with the entity.
- Private entity may not collect or obtain biometric information unless it (1) informs subject of the collection; (2) informs the subject of the purpose of the collection and the length of retention; and (3) obtains written consent (including electronic consent).
- Prohibits private entities from selling, leasing, or profiting from biometric information.
- Prohibits private entities from disclosing or disseminating biometric information without individual consent or an applicable exception (e.g., financial transaction requested by individual; legal requirements).
- Private entities must store, transmit, and protect biometric information in accordance with industry-specific standard of care and in a manner that is at least as protective as that used by the entity for other confidential and sensitive information.
- Prohibits commercial establishments from using biometric information to identify an individual.
- Creates a private right of action for individuals who suffer a violation of the Act. Individuals may obtain damages of at least $5,000 per violation or actual damages (whichever is greater). For willful or knowing violations, individuals may obtain between double and treble damages.
- Authorizes the state AG to bring actions to enforce the Act. Like individuals, the state AG may obtain damages of at least $5,000 per violation or actual damages (whichever is greater), and between double and treble damages for willful or knowing violations.
- Exempts entities and information subject to HIPAA.
Minnesota
1. Bill Title: SF 954
2. Current Status: As of February 23, 2023, the bill had been referred to the Commerce and Consumer Protection Committee (1/30/23).
3. Key Provisions:
- Private entities in possession of biometric information must develop public written policy establishing retention schedule and destruction guidelines.
- Biometric information must be destroyed upon the earlier of (1) satisfaction of purpose for collecting the information; or (2) within 3 years of the relevant individual’s last interaction with the entity.
- Private entity may not collect or obtain individual’s biometric information without first: (1) informing the individual of the collection or storage; (2) informing the individual of the purpose and duration of the collection, storage, and use; and (3) obtaining consent.
- Private entities may not sell, lease, trade, or profit from individual’s biometric information.
- Private entities may not disclose or disseminate an individual’s biometric information unless individual consents or other exception applies (e.g., required to complete transaction requested by individual; required by law).
- Private entity must store, transmit, and protect biometric information in accordance with industry-specific standard of care and in manner at least as protective as that applied for other confidential and sensitive information.
- Creates private right of action. Individuals may obtain, for each violation, the greater of: (1) $1,000 or actual damages for a negligent violation; or (2) $5,000 or actual damages for an intentional or reckless violation.
- Exempts information governed by HIPAA, state and local government entities, judicial entities, and entities governed by GLBA.
Mississippi
1. Bill Title: Biometric Identifiers Privacy Act (HB 467)
2. Current Status: This bill died in the Judiciary Committee on January 31, 2023.
3. Key Provisions:
- Private entities in possession of biometric information must develop public (subject to limited exception) written policy establishing retention schedule and destruction guidelines.
- Biometric information must be destroyed upon the earliest of (1) satisfaction of the purpose for which the biometric information was collected; (2) 1 year after the individual’s last interaction with the entity; or (3) 30 days after the entity receives a request from the individual to delete the information.
- Private entity may not collect or obtain biometric information unless it first (1) informs individual of the biometric information’s collection and storage; (2) informs individual of the purpose and duration of the collection, storage, or use; and (3) obtains consent.
- Private entities may not sell, lease, or trade individual’s biometric information.
- Private entity may not disclose or disseminate individual’s biometric information unless individual consents or other exception applies (e.g., required to complete financial transaction requested by individual; required by law).
- Private entity may not condition provision of good or service on processing of biometric information, unless such biometric information is “strictly necessary to provide the good or service.”
- Private entity may not discriminate on basis of price or quality against an individual who exercises rights under the Act.
- Private entities must store, transmit, and protect biometric information in accordance with industry-specific standard of care and in manner at least as protective as that applied to other confidential and sensitive information.
- Upon request by individual, private entity must disclose individual’s biometric information and additional details related to the use of that information. This requirement applies only to private entities that, among other criteria, had annual gross revenue exceeding $10 million in previous calendar year.
- Creates private right of action. Individuals may obtain, for each violation, the greater of: (1) $1,000 or actual damages for a negligent violation; or (2) $5,000 or actual damages for an intentional or reckless violation.
- Authorizes state AG to bring enforcement actions. State AG may obtain same damages as individuals (see above).
- Exempts information governed by HIPAA, state and local government entities, and information governed by GLBA.
- Act would take effect on July 1, 2023.
Missouri
1. Bill Title: Biometric Information Privacy Act (HB 1047)
2. Current Status: As of February 23, 2023, the bill had been read for the second time in the House (2/7/23).
3. Key Provisions:
- Private entities in possession of biometric information must develop a public written policy establishing retention schedule and destruction guidelines.
- Biometric information must be destroyed upon the earlier of (1) satisfaction of the purpose for collecting the information; or (2) within 1 year of the relevant individual’s last interaction with the entity.
- Private entity may not collect or obtain individual’s biometric information unless it (1) informs the individual of the collection or storage; (2) informs the individual of the purpose and duration of the collection, storage, or use; and (3) obtains consent.
- Private entities may not sell, lease, or trade individual’s biometric information.
- Private entities may not disclose or disseminate individual’s biometric information unless individual consents or other exception applies (e.g., required to complete financial transaction requested by individual; required by law).
- Private entity must store, transmit, and protect biometric information in accordance with industry-specific standard of care and in manner at least as protective as that applied for other confidential and sensitive information.
- Private entity may not condition a good or service on collection or use of biometric information unless biometric information “is strictly necessary to provide the good or service.”
- Private entity may not discriminate in terms of price or quality against an individual who exercises their rights under the Act.
- Creates private right of action. Individuals may obtain, for each violation, the greater of (1) $1,000 or actual damages for negligent violations; or (2) $5,000 or actual damages for intentional or reckless violations.
- Exempts information governed by HIPAA, state and local government entities, judicial entities, and entities governed by GLBA.
New York
1. Bill Title: Biometric Privacy Act (A. 1362/S. 4457)
2. Current Status: As of February 23, 2023, A. 1362 had been referred to the Assembly Consumer Affairs and Protection Committee (1/17/23), and S. 4457 had been referred to the Senate Consumer Affairs and Protection Committee (2/9/23).
3. Key Provisions:
- Private entity that possesses biometric information must develop public written policy establishing retention schedule and destruction guidelines.
- Private entity must destroy biometric information upon the earlier of (1) satisfaction of the purpose for which the biometric information was collected; or (2) within three years of the relevant individual’s last interaction with the entity.
- Private entity may not collect or obtain individual’s biometric information without (1) informing the individual of the collection; (2) informing the individual of the purpose and length of the biometric information’s collection and/or storage; and (3) obtaining individual’s consent.
- Private entity may not sell, lease, trade, or profit from individual’s biometric information.
- Private entity may not disclose or disseminate biometric information without individual consent, subject to limited exceptions (e.g., completion of financial transaction requested by individual; required by law).
- Private entity must apply reasonable standard of care in protecting biometric information and use measures at least as protective as those used to protect other confidential and sensitive information.
- Creates private right of action. Individuals may obtain, for each violation, the greater of: (1) $1,000 or actual damages for a negligent violation; or (2) $5,000 or actual damages for an intentional or reckless violation.
- Exempts information governed by HIPAA, entities governed by GLBA, state and local government entities, and judicial entities.
- Would take effect 90 days after enactment.
New York
1. Bill Title: S. 2390
2. Current Status: As of February 23, 2023, the bill had been referred to the Consumer Affairs and Protection Committee (1/20/23).
3. Key Provisions:
- Prohibits private entities from using biometric information for advertising, marketing, or promotional purposes.
- Exempts state and local government entities and information governed by HIPAA.
- Act would take effect 30 days after enactment.
New York
1. Bill Title: Digital Fairness Act (S. 2277/A. 3308)
2. Current Status: As of February 23, 2023, S. 2277 had been referred to the Internet and Technology Committee (1/19/23), and A. 3308 had been referred to the Consumer Affairs and Protection Committee (2/2/23).
3. Key Provisions:
- Comprehensive state privacy bill that includes a section (Section 899-gg) focused specifically on biometric information. (For a full summary of this bill, see our January 30 state comprehensive privacy law update).
- Covered entity or governmental entity in possession of biometric information must develop public written policy establishing retention schedule and destruction guidelines.
- Biometric information must be destroyed upon the earlier of (1) satisfaction of the purpose for which the information was collected; or (2) within 1 year of the individual’s last interaction with the relevant entity.
- Covered entities may not collect or obtain individual’s biometric information without first (1) informing the individual of the information’s collection and storage; (2) informing the individual of the purpose and length of the information’s collection, storage, and use; and (3) obtaining consent.
- Absent a law enforcement investigation, a government entity may not collect or obtain an individual’s biometric information unless (1) it obtains a warrant; (2) the request for biometric information is related and narrowly tailored to an “emergency involving immediate danger of death or serious physical injury”; or (3) it informs the individual of the information’s collection and storage, informs the individual of the purpose and length of the information’s collection, storage, and use, and obtains the individual’s consent.
- Covered and governmental entities may not sell, lease, trade, monetize, or profit from individual’s biometric information.
- Covered and governmental entities may not disclose or disseminate an individual’s biometric information unless individual consents or exception applies (e.g., required to complete financial transaction requested by individual; required by law).
- Exempts information governed by HIPAA.
Tennessee
1. Bill Title: Consumer Biometric Data Protection Act (SB 339/HB 932)
2. Current Status: As of February 23, 2023, SB 339 had been referred to the Commerce and Labor Committee (1/25/23), and HB 932 had been assigned to the Banking and Consumer Affairs Subcommittee of the Commerce Committee (2/7/23).
3. Key Provisions:
- Private entity may not collect or obtain biometric information without (1) informing individual of the collection and storage; (2) informing individual of the purpose and duration of the collection, storage, and use; and (3) obtaining consent.
- Private entity may not sell, lease, trade, or profit from individual’s biometric information.
- Private entity may not disclose or disseminate individual’s biometric information unless individual consents or other exception applies (e.g., necessary to complete financial transaction requested by individual; required by law).
- Private entity must store, transmit, and protect biometric information using industry-specific standard of care and in manner at least as protective as that used for other confidential and sensitive information.
- Private entity that possesses biometric information must develop a public written policy establishing a retention schedule and destruction guidelines.
- Biometric information must be destroyed upon the earlier of (1) satisfaction of the purpose for which the biometric information was collected; or (2) within 3 years of the relevant individual’s last interaction with the entity.
- Violation of the Act is treated as an unfair or deceptive act or practice under the Tennessee Consumer Protection Act.
- Creates private right of action. Individuals may obtain, for each violation, the greater of (1) $1,000 or actual damages for a negligent violation; or (2) $5,000 or actual damages for a reckless or willful violation.
- Exempts information governed by HIPAA, state and local government entities, judicial entities, and entities governed by GLBA.
- Act would take effect on January 1, 2024.
Vermont
1. Bill Title: H. 121
2. Current Status: As of February 23, 2023, the bill had been referred to the Committee on Commerce and Economic Development (1/26/23).
3. Key Provisions:
- Comprehensive state privacy bill that includes section focused on protection of biometric information (Sec. 2449). (For a full summary of this bill, see our January 30 state comprehensive privacy law update).
- Entity may not collect or retain biometric information without providing notice, obtaining consent, and “providing a mechanism to prevent the subsequent use of a biometric identifier.”
- Entity that collects or retains biometric information must establish retention schedule and guidelines for destruction.
- Entity must destroy biometric information when initial purpose for collection is satisfied or within one year of individual’s last interaction with the entity (whichever occurs first).
- Entity may not use, sell, lease, or disclose individual’s biometric information unless individual consents, subject to limited exceptions (e.g., necessary to complete transaction authorized by individual; required by law).
- Entity must use reasonable care to protect biometric information and comply with data protection standards for data brokers articulated at Vt. Stat. Ann. tit. 9, § 2447 (including establishment of information security program).
- Authorizes state AG and State’s Attorney to bring enforcement actions and obtain civil penalties.
- Creates a private right of action for individuals who suffer a violation of the Act. Court may award actual damages or $1,000 for a negligent violation and actual damages or $5,000 for a willful or reckless violation.
- Act would take effect on July 1, 2023.
Washington
1. Bill Title: People’s Privacy Act (HB 1616/SB 5643)
2. Current Status: As of February 23, 2023, HB 1616 had been referred to the Civil Rights and Judiciary Committee (1/26/23), and SB 5643 had been referred to the Environment, Energy, and Technology Committee (1/31/23).
3. Key Provisions:
- Comprehensive state privacy bill that includes a section (Section 7) focused specifically on biometric information. (For a full summary of this bill, see our January 30 state comprehensive privacy law update).
- Covered entity or Washington government entity that processes biometric information must develop public written policy establishing retention schedule and destruction guidelines.
- Biometric information must be destroyed upon the earliest of (1) satisfaction of the purpose for which the information was collected; (2) within 1 year of the individual’s last interaction with the entity; or (3) expiration of individual’s consent.
- Covered and Washington government entities may not process individual’s biometric information unless they first (1) inform individual of the information’s processing; (2) inform individual of purpose and duration of the processing; and (3) obtain consent.
- Covered and Washington government entities may not disclose or disseminate individual’s biometric information unless individual consents or exception applies (e.g., necessary to complete financial transaction requested by individual; required by law).
- Covered and Washington government entities may not monetize or profit from individual’s biometric information, subject to limited exceptions.