On May 16, 2017, Governor Jay Inslee signed into law H.B. 1493—Washington’s first statute governing how individuals and non-government entities collect, use, and retain “biometric identifiers,” as defined in the statute.  The law prohibits any “person” from “enroll[ing] a biometric identifier in a database for a commercial purpose, without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose.”  It also places restrictions on the sale, lease, and other disclosure of enrolled biometric identifiers.  With the new law, Washington has become only the third state after Illinois and Texas to enact legislation that regulates business activities related to biometric information.  Although the three laws seek to provide similar consumer protections around the collection, use, and retention of biometric data, the Washington law defines the content and activity it regulates in different terms, and, similar to Texas, but unlike Illinois, the Washington law does not provide a private right of action.

The Washington statute, as compared to existing biometrics laws, is notable for its definition of “biometric identifier.”   In the law, a “biometric identifier” is “data generated by automatic measurements of an individual’s biological characteristics,” including “fingerprints, voiceprints, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual.”  Washington’s definition of “biometric identifier” may be broader than that in the Texas statute, but Washington’s definition does not specifically provide for a “scan of hand or face geometry,” as is the case in the Illinois statute.  Washington’s definition of “biometric identifiers” specifically excludes “physical or digital photograph, video or audio recording or data generated therefrom” (in addition to certain health-related data), suggesting the statute will have limited application in the context of facial recognition technology.

This week, the much talked-about amendments to Texas’s breach notice statute took effect.  We previously blogged about these amendments, which are unprecedented in scope.  With the amendments, the Texas statute now requires entities doing business in Texas to notify “any individual” whose “sensitive personal information” is acquired in a breach (unless the information is encrypted). 

A court in Texas recently dismissed a lawsuit it described as “an aspiring class action against a veritable who’s-who of social media companies.”  The Plaintiffs in Opperman v. Path claimed that the Defendants improperly used their smartphone apps to copy, upload, and store Plaintiffs’ address book information without their consent.

According to the court, the

A California law that took effect on January 1, 2011 makes it a crime to impersonate someone online.  Any person who knowingly and without consent impersonates another actual person through electronic means for purposes of harming, intimidating, threatening, or defrauding another person is guilty of a misdemeanor.  “Electronic means” is defined to include opening an e-mail account or social networking profile in another person’s name.  A violation of the law occurs only if the impersonation is credible, meaning that another person would reasonably believe that the defendant was the person impersonated.
