By Mike Hintze & Jevan Hutson
This is Part 7 in a series of blog posts about the Washington My Health My Data Act. Previous parts include:
This part discusses the Act’s impact on biometric data and technologies.
Biometric data is among the broad range of “consumer health data” regulated by the Washington My Health My Data Act (MHMDA). Under MHMDA biometric data is defined expansively, broader than the scope of biometrics covered by the previously-existing Washington biometric privacy law (RCW 19.375). MHMDA’s substantive provisions overlap with, but differ from those of RCW 193.75, many of which raise the bar on substantive obligations or add new requirements applicable to biometric data (and a wide range of other data). Finally, MHMDA includes a private right of action, like Illinois’ Biometric Information Privacy Act (BIPA) and unlike RCW 19.375, thereby subjecting the processing of biometric data to a significant risk of litigation under Washington law.
Definitions of Biometric Data
As described in Part 2 of this series, MHMDA regulates a broad range of “consumer health data" which is defined as “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status.” The definition goes on to specify that “physical or mental health status” includes, among many other things, “[b]iometric data.”
The Act defines biometric data as:
data that is generated from the measurement or technological processing of an individual's physiological, biological, or behavioral characteristics and that identifies a consumer, whether individually or in combination with other data. Biometric data includes but is not limited to:
(a) Imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template can be extracted; or
(b) Keystroke patterns or rhythms and gait patterns or rhythms that contain identifying information.
This is an expansive definition of biometric data, which in several ways is broader than the scope of biometric data covered by the previously-existing RCW 19.375.
RCW 19.375 defines “biometric identifier” as:
data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual.
That definition goes on to exclude any “physical or digital photograph, video or audio recording or data generated therefrom.”
Thus, the first way that the MHMDA definition is broader than that of RCW 19.375 is that the later definition is dependent on the data actually being “used to identify a specific individual.” The mere potential to identify a person is not enough. By contrast, the MHMDA definition captures any data about an “an individual's physiological, biological, or behavioral characteristics” that are identifying or would be identifying when combined with any other type of data.
The second way in which the MHMDA definition is broader is that under RCW 19.375, "biometric identifier" does not include “a physical or digital photograph, video or audio recording or data generated therefrom.” But, under the MHMDA, biometric data does include “[i]magery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template can be extracted.” So, a mere photograph of a person’s face may be enough to be considered “biometric data” under MHMDA.
Additionally, RCW 19.375 is limited to persons who “enroll” biometric identifiers. And “enroll” is defined as the “means to capture a biometric identifier of an individual, convert it into a reference template that cannot be reconstructed into the original output image, and store it in a database that matches the biometric identifier to a specific individual.” This, in effect, limits the scope of RCW 19.375 to certain types of practices commonly used in biometric identification systems. There is no such limitation in MHMDA. As a result, MHMDA’s broad scope of regulated entities (as further detailed in Part 3), along with its broad definitions of “consumer health data” and “biometric data,” mark a considerable expansion of the scope of biometric privacy requirements under Washington law.
Lastly, there is one way in which the MHMDA definition is narrower than that of the previously-existing RCW 19.375. As noted in Part 1 and Part 3 of this series, “consumer health data” is data about “consumers,” and the definition of “consumer” does not include individuals acting in an employment context. Thus, unlike under RCW 19.375 (and under Illinois BIPA) biometric data collected from employees and B2B contacts should be considered out of scope of MHMDA.
Overlapping Obligations & New Challenges
Because of the overlapping, but differing, definitions and scope of MHMDA compared to RCW 19.375, some biometric data will be subject to just one of the laws and not the other, but a great deal of biometric data will be subject to both Washington laws. Thus, entities subject to these laws will need to reconcile and develop compliance measures to comply with the overlapping obligations. This challenge is made more difficult by the fact that the MHMDA introduces new requirements and raises the bar on substantive obligations applicable to biometric data (and a wide range of other data)
Consent
MHMDA and RCW 19.375 both have consent requirements that apply to the collection, use, and disclosure of biometric data. But they are quite different from each other.
As outlined in Part 5 of this series, MHMDA requires consent for collection, processing, or sharing consumer health data (including biometric data) for any purpose other than that which is necessary to provide a consumer-requested product or service (i.e. only for secondary purposes).
By contrast, the range of biometric data processing that requires consent under RCW 19.375 is different. “Enrolling” a biometric identifier in a database for a commercial purpose requires consent whether or not the enrollment is necessary to provide a consumer requested product or service. In other words, “enrollment” requires consent for both primary and secondary purposes. But for the sharing of a biometric identifier under RCW 19.375, like MHMDA, consent is required only for a secondary purpose. Specifically, consent for sharing is not required under RCW 19.375 if the disclosure is “necessary to provide a product or service subscribed to, requested, or expressly authorized by the individual.”
Illinois’ BIPA is different still, with collection requiring consent in all cases, sharing requiring consent unless necessary to complete a financial transaction, and selling being prohibited.
The level and type of consent required also differs between MHMDA and RCW 19.375. MHMDA specifies a GDPR-level of consent, meaning it must be “freely given, specific, informed, opt-in, voluntary, and unambiguous.” MHMDA requires an even higher level of consent (or “authorization”) for any disclosure of consumer health data that would be considered a “sale.” By contrast under RCW 19.375, the type of consent required seems to be more flexible. That statute notes that “the exact notice and type of consent required...is context dependent.”
The high level of consent required under MHMDA may negatively impact many common and beneficial uses of data. As an example, the creation and improvement of biometric technologies heavily depends on using data for training and development. In this context, much or most of the useful data could be classified as biometric data or consumer health data. And the use of artificial intelligence and machine learning technologies in the development or improvement of biometric technology may exceed what is considered necessary to offer a consumer-requested product or service. Such use could therefore be subject to the Act's strict opt-in consent requirements, which would, in turn, severely limit the data sets available. This limitation could create significant obstacles for the development of biometric technologies and other uses of AI/ML.
Data Subject Rights
As discussed in Part 6 of this series, MHMDA creates data subject rights – including rights of access and deletion that go well beyond what exists in other laws. This is in striking contrast to both RCW 19.375 and BIPA, which do not grant rights of access and deletion. Thus, regulated entities processing biometric data will need to be able to comply with such data subject requests with respect to that biometric data.
Such obligations may require companies to develop new means to provide access to and/or delete biometric data upon request. These rights also create obligations, which if companies fail to meet, are likely to lead to class action claims that go beyond the types of claims that have been (or can be) made under BIPA.
Data Retention
Notably, both RCW 19.375 and BIPA include retention limitations applicable to biometric data. Specifically, RCW 19-375 states that a biometric identifier may be retained “no longer than is reasonably necessary to:
Comply with a court order, statute, or public records retention schedule specified under federal, state, or local law;
Protect against or prevent actual or potential fraud, criminal activity, claims, security threats, or liability; and
Provide the services for which the biometric identifier was enrolled.
MHMDA, by contrast, does not have a data retention limitation. In fact, as noted in Part 5 of this series, the consent requirements of MHMDA, which apply to any “processing” of data that is not necessary to provide a consumer-requested product or service, could be interpreted to mean that in the absence of specific consumer consent, a regulated entity cannot delete data because deletion according to a retention schedule is a type of processing that not necessary to provide the product or service. If that interpretation prevails, it would effectively nullify the retention limitation of RCW 19.375 since, as quoted above, that law’s retention limitation does not apply where retention is required to “comply with … a statute.”
Important Exceptions
There are several important exceptions under MHMDA that limit the applicability of the strict substantive obligations.
First, MHMDA, similar to both RCW 19.375 and BIPA, has an exclusion for data that is subject to HIPAA and the Gramm-Leach-Bliley Act. MHMDA also has additional exclusions for data that is subject to other federal and Washington state regulations related to health and insurance.
Second, as noted above, MHMDA excludes employee and B2B data, unlike either RCW 19.375 or BIPA.
Third, both MHMDA and RCW 19.375 have exclusions that apply to security-related uses of biometric data (unlike BIPA, which does not). Specifically, RCW 19.375.020(7) provides:
Nothing in this section requires an entity to provide notice and obtain consent to collect, capture, or enroll a biometric identifier and store it in a biometric system, or otherwise, in furtherance of a security purpose.
MHMDA has a more detailed articulation of security-related purposes that are excluded from the Act’s strict substantive requirements that is arguably even broader. Specifically, the exclusion applies to the
collection, use, or disclosure of consumer health data to prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any activity that is illegal under Washington state law or federal law; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action that is illegal under Washington state law or federal law.”
The employee and security-related exemptions mean that many uses of biometric data that are most common (and which have been the subject of a large portion of the litigation under BIPA) will be exempt from MHMDA’s substantive compliance requirements and will likely avoid the risk of litigation under the Act’s private right of action. Consider the following scenarios, for example:
Scenario 1: Use of facial recognition in retail store security cameras for security purposes. Assuming the retailer does not use the biometric data for any other (non-security related) purposes, this scenario would fall within the MHMDA security exception.
Scenario 2: Use of a biometric identity verification service to prevent identity theft or fraud in financial transactions. This scenario would fall within the MHMDA security / fraud exception.
Scenario 3: Use of biometric access control and timekeeping for employees. The Act’s definition of “consumer” does not include an individual acting in an employment context, so this scenario would fall into the employee data exception. Further, if the biometric access control and timekeeping for employees are for security and fraud-prevention purposes, this scenario would also likely fall within the MHMDA security / fraud exception.
Enforcement
As noted above, MHMDA may be enforced through a private right of action, in addition to enforcement by the Washington Attorney General. By contrast, RCW 19.375 may be enforced solely by the Attorney General. Notably, the Washington Attorney General has not brought a single action enforcing RCW 19.375.
Thus, Washington will join Illinois as the second jurisdiction in the U.S. that allows for a private right of action for violations of privacy rules applicable to biometric data. If the enormous volumes of costly litigation under Illinois’ BIPA is any indication, Washington courts are likely to see a high volume of claims under MHMDA.
This is likely the case even though the scope of biometric use cases subject to MHMDA is narrower in some respects than those subject to BIPA — due to the employee and security exceptions and the consent requirement applying only to secondary purposes under MHMDA. On the other hand, the scope of biometric data (and the larger superset of consumer health data) under MHMDA is much broader than under BIPA. Further MHMDA adds additional obligations, such those connected to the access and deletion rights, that do not exist under BIPA. So, compared to BIPA, the targets for class action litigation related to biometric data are narrower in some respects and broader in others.
Summary and Conclusion
The key differences in the treatment of biometric data between the new Washington MHMDA, the existing Washington biometric privacy law (RCW 19.375), and Illinois’ BIPA are summarized in the following table.
Washington MHMDA | Washington RCW 19.375 | Illinois BIPA | |
Definition could include a mere photo | Yes | No | No |
Definition includes data not "used" to identify | Yes | No | Yes |
Employee and B2B biometric data included | No | Yes | Yes |
Consent required for “primary purpose” collection | No | Yes | Yes |
GDPR-level consent for secondary purposes | Yes | Not Specified | Not Specified |
Consumer access & deletion rights | Yes | No | No |
Retention limitation | No | Yes | Yes |
Private right of action | Yes | No | Yes |
MHMDA, given its broad definition of biometric data, GDPR-level consent requirements, new obligations, and private right of action dramatically changes and complicates the regulation of biometric data in Washington state and is poised to become the most disruptive change in U.S. biometric privacy law since Illinois’ BIPA.
As noted above, in the coming days we will discuss other aspects of the Act and the issues it raises. In upcoming posts, we will look at notice obligations, geofencing restrictions, and other topics raised by the Act.