Biometric Data: Legal Considerations and Privacy Concerns

Do you handle biometric data? A data breach could result in legal complications.

Do you have a comprehensive cybersecurity strategy in place? If not, you’re vulnerable to data breaches, compliance issues, and much more. Schedule a consultation with an experienced cybersecurity attorney at By Design Law for guidance.


Like most aspects of technological advancement, data collection operates as a double-edged sword. On one hand, it provides researchers, manufacturers, and innovators with access to the information needed to improve consumers’ lives; on the other, it leaves individuals vulnerable to a wide range of data abuses and theft.


Perhaps the most controversial subcategory of data collection involves biometric data. While biometric data can be used to enhance security in a wide range of sectors and even improve individual health outcomes, it can also be misused to disastrous effect.


As federal and state laws race to address the concerns surrounding the usage of biometric data, it’s critical for both individual consumers and businesses to understand how this information is used and how to keep it safe. This article will explain some of the legal considerations and privacy concerns connected to biometric data collection, including how a data privacy attorney can help you secure sensitive data and ensure legal compliance.


Does your business handle sensitive data? Protect yourself from legal complications by adopting a robust cybersecurity approach. Reach out to By Design Law online to get started.

Understanding Biometric Data

In an increasingly digital world, nothing is more valuable than consumer data. Although biometric data may seem like merely the newest frontier in an ever-expanding field, it differs from other types of data collection in a profound way.


Rather than revealing how a consumer interacts with the external world, biometric data provides insights into their internal world by capturing unique physical and behavioral characteristics, including fingerprints, facial features, voice patterns, and more. The question of how biometrics are used, collected, and stored raises significant legal challenges and privacy concerns.

Biometric Data Laws

Although biometric data is partially regulated by federal laws such as the Health Insurance Portability and Accountability Act (HIPAA), there is currently no comprehensive federal law addressing biometric data privacy. Some states, including Washington, have implemented laws that tighten the consent and retention requirements for entities collecting biometric data.

Washington Biometric Privacy Law

In addition to addressing biometric data protection in the My Health My Data Act and other pieces of legislation, Washington has joined a handful of states in enacting biometric-data-specific laws. The Washington Biometric Privacy Law (H.B. 1493) includes the following key aspects:

  • Biometric identifier. H.B. 1493 defines a biometric identifier as data generated by automatic measurements of a person’s biological characteristics, including fingerprints, voiceprints, eye retinas, irises, and other unique biological features.

  • Consent requirements. Before collecting biometric data, an entity must provide clear notice and obtain consent for its use.

  • Use and sharing restrictions. H.B. 1493 prevents an entity from enrolling biometric identifiers in a database used for commercial purposes without prior notice and consent.

  • Exemptions. Certain entities are exempt from meeting notice and consent requirements, including law enforcement and fraud prevention officials.

  • Security and retention criteria. Organizations must take reasonable steps to protect consumers’ biometric data from unauthorized use and acquisition. According to H.B. 1493, organizations can only keep biometric information for the time in which it is necessary to achieve the original purpose of its collection.

  • Enforcement. Washington law does not allow individuals to sue for violations of their biometric data; rather, enforcement of this law is under the purview of the Washington State attorney general and penalties align with those outlined by Washington’s Consumer Protection Act.

  • Application and scope. H.B. 1493 applies to all individuals and non-government entities that collect, use, and retain biometric identifiers, but not to entities collecting biometric data for security purposes.


If you work in an industry that collects, analyzes, or otherwise uses biometric data, you must maintain legal compliance in its handling. Unsure whether you’re legally protected? Our data privacy lawyers can help ensure your legal compliance.

Legal Considerations and Privacy Concerns

From a legal standpoint, there are several notable dangers—to both consumers and collecting entities—associated with biometric data, namely involving data privacy. Here are some of the key considerations:

  • Privacy infringements. As biometric data is inherently personal, unauthorized or improper collection and use can result in serious privacy infringements.

  • Security risks. Like any other type of digital information, biometric data is susceptible to hacking and data breaches. However, data leaks involving biometric data are potentially much more damaging than other types of data misuse, as biometric information can’t be changed in the same way as financial information.

  • Surveillance. It is possible for entities collecting biometric data to use this information for surveillance and tracking purposes, both of which infringe on individual freedoms and civil liberties.

  • Discrimination and bias. Some biometric systems, especially facial recognition technologies, may show racial and ethnic biases similar to the biases of their creators.

  • Function creep. Function creep happens when collected data is used for purposes other than those initially intended. For example, function creep may occur when biometric data is collected for one purpose, such as for workplace security, and then is used for a more intrusive purpose.

  • Lack of regulatory oversight. Although Washington and a handful of other states have enacted laws to regulate biometric data collection, many jurisdictions suffer from a lack of oversight and accountability.


If you or your company handles biometric data in any way, these are just a few of the legal considerations and privacy concerns that need to be at the forefront of your mind. Without a comprehensive cybersecurity strategy in place, you open yourself up to potential lawsuits, compliance issues, and more.

By Design Law: Leading Cybersecurity and Data Privacy Attorneys in Seattle

The use of biometric data opens up a whole new world of possibilities—both good and bad. As the legal landscape around data collection continues to evolve, it’s imperative that you exercise due diligence in your own data and cybersecurity protocols. Luckily, you don’t have to do it alone—the data privacy lawyers at By Design Law are here to help.


Contact our law firm online to schedule a case evaluation with a trusted legal expert today.
