Washington Biometric Act (HB 1493)

The Washington Biometric Act ("HB 1493") aims to “require a business that collects and can attribute biometric data to a specific uniquely identified individual to disclose how it uses that biometric data, and provide notice to and obtain consent from an individual before enrolling or changing the use of that individual's biometric identifiers in a database”. If your organization operates in Washington or you have employees who are residents of Washington, you need to comply with HB 1493. You can read the full text of HB 1493 in the Revised Code of Washington (Chapter 19.375).

HB 1493 defines "Biometric Identifiers" as "data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual. Biometric identifier does not include a physical or digital photograph, video or audio recording or data generated therefrom ...". This definition seems to exclude facial recognition, since the biometric identifiers used by facial recognition are generated from a digital photograph or video. Nonetheless, in the interests of privacy, Noah Facial Recognition Pty Ltd ("NoahFace") has taken the conservative view that this definition may be interpreted in the future to cover the biometric identifiers used by facial recognition.

NoahFace is committed to privacy and provides you with extensive capabilities in the NoahFace App and Dashboard ("NoahFace Service") to help you comply with HB 1493. However, it is important to note that if your organization uses the NoahFace Service you cannot rely on the capabilities of the NoahFace Service alone. You must ensure you configure and use the NoahFace Service appropriately to comply with HB 1493 and that you comply with the non-system requirements of HB 1493. For example, you should ensure your premises and devices are physically secured. Given the importance of privacy, you should obtain your own professional legal advice to ensure you are fully compliant.

The sections below detail the requirements of HB 1493 and explain how NoahFace provides you with capabilities in the NoahFace Service to help you comply with each of them.

Collection and Consent

Requirements

HB 1493 requires that: "A person may not enroll a biometric identifier in a database for a commercial purpose, without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose. Notice is a disclosure, that is not considered affirmative consent, that is given through a procedure reasonably designed to be readily available to affected individuals. The exact notice and type of consent required to achieve compliance ... is context-dependent".

Compliance

The NoahFace Service displays a written privacy statement which informs individuals that biometric data will be collected (before it is collected), the specific usage of the biometric data, and the length of term for which the biometric data will be stored.

If the privacy statement is accepted, the NoahFace Service will capture the individual's photo and extract their biometric data. If the privacy statement is not accepted, the individual can still use the NoahFace Service by manually identifying themselves using non-biometric methods (e.g., passcodes).

The date and time each individual accepts the privacy statement is recorded and can be viewed through the NoahFace Service.

NoahFace App screen shot showing privacy consent.

Specific Usage

Requirements

HB 1493 requires that: "A person who enrolls a biometric identifier of an individual for a commercial purpose or obtains a biometric identifier of an individual from a third party for a commercial purpose pursuant to this section may not use or disclose it in a manner that is materially inconsistent with the terms under which the biometric identifier was originally provided without obtaining consent for the new terms of use or disclosure".

Compliance

NoahFace does NOT use biometric data for any purpose other than to identify individuals using the NoahFace Service, as specified in the privacy statement that individuals consent to.

Retention and Destruction

Requirements

HB 1493 requires that: "A person who knowingly possesses a biometric identifier of an individual that has been enrolled for a commercial purpose may retain the biometric identifier no longer than is reasonably necessary ... provide the services for which the biometric identifier was enrolled".

Compliance

The NoahFace Service will automatically destroy an individual's biometric data whenever either:

No Commercial Use or Disclosure

Requirements

HB 1493 requires that: "Unless consent has been obtained from the individual, a person who has enrolled an individual's biometric identifier may not sell, lease, or otherwise disclose the biometric identifier to another person for a commercial purpose".

Compliance

NoahFace does NOT sell, lease, or otherwise disclose biometric data.

Data Protection

Requirements

HB 1493 requires that: "A person who knowingly possesses a biometric identifier of an individual that has been enrolled for a commercial purpose must take reasonable care to guard against unauthorized access to and acquisition of biometric identifiers that are in the possession or under the control of the person".

Compliance

NoahFace has designed data protection into the core of the NoahFace Service. In particular:

© NoahFace 2018