Washington Biometric Privacy Laws: Collection, Consent & Penalties (2026)

Washington is one of a small number of states with a dedicated biometric privacy statute. House Bill 1493, signed into law in 2017 and codified as RCW Chapter 19.375, regulates how private businesses collect, store, and use biometric identifiers for commercial purposes. Unlike Illinois BIPA, Washington's law does not include a private right of action, placing enforcement solely in the hands of the state Attorney General.
Washington also regulates government use of biometric data through a separate statute (RCW 40.26) and restricts government facial recognition technology under RCW 43.386. The My Health My Data Act adds another layer by treating biometric data as consumer health data with its own consent and deletion requirements.
For an overview of Washington's broader privacy framework, see the parent guide to [Washington Data Privacy Laws](/us-laws/data-privacy-laws/washington-data-privacy-laws).
What RCW 19.375 Covers: Definitions and Scope

The biometric identifiers statute defines key terms under RCW 19.375.010. Understanding these definitions is essential because they determine what activities trigger the law's requirements.
A biometric identifier means data generated by automatic measurements of an individual's biological characteristics that is used to identify a specific individual. The statute lists fingerprints, voiceprints, eye retinas, irises, and other unique biological patterns as examples. Photographs, video recordings, audio recordings, and health care data are excluded from the definition.
The term enroll has a specific technical meaning. It refers to the process of capturing a biometric identifier, converting it into a reference template that cannot be reconstructed into the original output image, and storing it in a database that matches the identifier to a specific individual. Simply capturing biometric data without storing it in a matched database does not constitute enrollment.
A commercial purpose means advancing the sale or disclosure of a biometric identifier to a third party for marketing goods or services unrelated to the initial transaction where the identifier was collected. This definition is narrower than what you might expect. It does not cover all business uses of biometric data, only those tied to third-party commercial exploitation.
The law defines person to include individuals, partnerships, corporations, LLCs, and other legal entities. Government agencies are explicitly excluded from the definition, meaning RCW 19.375 applies only to private-sector entities. Government biometric use falls under a separate statute.
Notice and Consent Requirements
Under RCW 19.375.020, a person may not enroll a biometric identifier in a database for a commercial purpose without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of that identifier for a commercial purpose.
The notice standard requires organizations to disclose their intentions through a procedure reasonably designed to be readily available to affected individuals. However, the statute specifies that making this disclosure available does not, by itself, constitute affirmative consent. Businesses must take the additional step of actually obtaining consent or offering an opt-out mechanism.
Once a business has collected biometric data with proper notice and consent, it cannot later change how that data is used. The statute prohibits using or disclosing a biometric identifier in a manner that is materially inconsistent with the terms under which it was originally provided, unless the business obtains fresh consent for the new purpose.
Restrictions on Disclosure to Third Parties
Businesses cannot sell, lease, or otherwise disclose biometric identifiers to third parties except in limited circumstances. Permitted disclosures include situations where the disclosure aligns with the original notice and consent, where it fulfills a product or service the individual requested, where it completes an authorized financial transaction, where it is required by law, where the recipient contractually promises not to further disclose the data, or where the disclosure is necessary for litigation.
These restrictions create a meaningful limit on the commercial exploitation of biometric data even for businesses that properly obtain initial consent.
Security and Retention Obligations
Organizations possessing biometric identifiers must take reasonable care to guard against unauthorized access to and acquisition of the data. The statute does not define "reasonable care" with specifics, leaving room for interpretation based on industry standards and the sensitivity of the data.
For retention, businesses may keep biometric identifiers only as long as necessary for one of three purposes: complying with a court order or other legal obligation, preventing fraud, or providing the services for which the individual enrolled. When none of these purposes applies, the data should be deleted.
The Security Purpose Exception

One of the most significant features of Washington's biometric law is the security purpose exception. Entities that collect, capture, enroll, or store a biometric identifier for a security purpose are not required to provide notice or obtain consent.
The statute defines a security purpose as preventing shoplifting, fraud, misappropriation, or theft, as well as protecting software, accounts, applications, online services, or the safety of individuals.
This exception has practical implications for employers. A business that uses fingerprint scanners to control building access or prevent "buddy punching" on timekeeping systems could potentially qualify for the security purpose exception, since these uses relate to fraud prevention and facility security. However, if the same employer began using that fingerprint data for commercial purposes like marketing analytics, the exception would no longer apply, and full notice and consent obligations would kick in.
Exemptions Under RCW 19.375.040
RCW 19.375.040 carves out three categories of entities from the statute's requirements entirely.
Financial institutions and their affiliates that are subject to Title V of the federal Gramm-Leach-Bliley Act of 1999 are exempt. This covers banks, credit unions, insurance companies, and securities firms that already face federal privacy obligations related to customer financial data.
Health care entities subject to Title V of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 are also exempt. Hospitals, health plans, and other covered entities that collect biometric data in the course of health care operations do not need to comply with RCW 19.375.
Law enforcement officers acting within the scope of their authority are excluded. This includes the authority of state law enforcement officers executing lawful searches and seizures. The statute explicitly states that nothing in the chapter expands or limits existing law enforcement authority.
Enforcement and Penalties

The legislature declared under RCW 19.375.030 that any violation of the biometric identifiers chapter is an unfair or deceptive act in trade or commerce and an unfair method of competition under the Consumer Protection Act (RCW 19.86).
The Attorney General has exclusive enforcement authority. Private individuals cannot file lawsuits for violations of RCW 19.375. This stands in sharp contrast to Illinois BIPA, which allows private lawsuits and has generated billions of dollars in settlement payouts.
Under RCW 19.86.140, the Attorney General can pursue civil penalties of up to $7,500 per violation of the Consumer Protection Act. For violations of injunctions related to biometric privacy, penalties can reach $125,000 per violation. An additional $5,000 applies to violations that target individuals based on protected characteristics including age, race, disability, or veteran status.
The AG can also seek injunctive relief, restitution, and attorneys' fees. In practice, biometric privacy enforcement actions under RCW 19.375 have been limited compared to the flood of litigation seen in Illinois. The AG-only enforcement model means that violations must rise to a level that attracts the attention and resources of the state's chief legal officer.
Government Biometric Rules: RCW 40.26
Washington addresses government use of biometric identifiers through a separate statute, RCW 40.26. This law was enacted alongside H.B. 1493 in 2017 and applies to state and local government agencies.
Notice and Consent for Government Collection
Agencies must provide clear notice of the purpose and use of biometric collection and obtain specific consent before collecting biometric data. That consent must be recorded and maintained for the entire retention period. This is a stricter consent standard than the private-sector law, which allows consent or an opt-out mechanism.
Use, Sharing, and Sale Restrictions
Government agencies are prohibited from selling biometric identifiers entirely. They may only use biometric data as specified in the consent or as otherwise authorized by law. Sharing biometric identifiers with other agencies is permitted only to carry out the original purpose or when explicitly authorized by the individual's consent.
Storage, Retention, and Data Minimization
Agencies must establish security policies ensuring the integrity and appropriate confidentiality of biometric data. The statute requires agencies to address biometrics in their privacy policies, retain data only as long as necessary for the original collection purpose, set tailored retention schedules, and design policies that minimize collection to what is strictly necessary.
Annual Review Requirement
Agencies must conduct annual reviews of their biometric policies to incorporate new technology developments and respond to complaints. This ongoing review obligation is unique among state biometric laws and reflects Washington's proactive approach to government data stewardship.
Government Exemptions
General authority law enforcement agencies are exempt from RCW 40.26. Limited authority law enforcement agencies may collect fingerprints and DNA without consent but must provide written notice to the state's chief privacy officer and the legislature.
The biometric identifier definition under RCW 40.26 is similar but not identical to the private-sector definition. It covers retina and iris scans, fingerprints, voiceprints, DNA, and hand and face geometry. It excludes writing samples, photographs, demographic data, medical samples, organ tissues, HIPAA-covered health care information, and medical imaging used for diagnosis or treatment.
Facial Recognition Restrictions: RCW 43.386
Washington took an additional step in 2020 by enacting SB 6280, codified as RCW 43.386, which regulates government use of facial recognition technology. This law took effect July 1, 2021.
State and local agencies must file accountability reports before deploying facial recognition, including a civil rights impact assessment, false match rate data, and testing results across distinct subpopulations. Agencies must hold at least three community consultation meetings during the public review process.
Law enforcement faces specific restrictions. Officers cannot use facial recognition for ongoing surveillance, real-time identification, or persistent tracking without a warrant, exigent circumstances, or court order. Facial recognition results cannot serve as the sole basis for establishing probable cause. Agencies must disclose facial recognition use to criminal defendants in a timely manner before trial.
The My Health My Data Act and Biometric Data
The Washington My Health My Data Act (MHMDA), signed in April 2023 and effective for most businesses on March 31, 2024, creates an overlapping layer of biometric protection.
The MHMDA explicitly defines biometric data as a category of consumer health data. Its definition covers imagery of the iris, retina, fingerprint, face, hand, palm, and vein patterns, voice recordings from which identifiers can be extracted, and keystroke patterns, gait patterns, and exercise data containing identifying information. This is broader than the RCW 19.375 definition.
Under the MHMDA, businesses cannot collect consumer health data, including biometric identifiers, without obtaining consent for a specified purpose or establishing that the collection is necessary to provide a requested product or service. Sharing biometric data with third parties requires separate and distinct consent that clearly discloses the categories of data and specific intended uses.
Consumers have the right to request deletion of their biometric data. Businesses must delete the data from all parts of their network, including archived and backup systems. Processors and third parties that received the data must also honor deletion requests.
Violations of the MHMDA are treated as per se violations of the Consumer Protection Act. Unlike RCW 19.375, the MHMDA routes complaints through the Attorney General but does not explicitly limit enforcement to the AG alone.
Employer Obligations in Washington
Washington employers that collect biometric data from workers must evaluate which statutes apply to their specific use case.
The security purpose exception under RCW 19.375 may cover fingerprint-based timekeeping systems and biometric access controls if the primary purpose is fraud prevention or physical security. However, if the employer uses biometric data for any commercial purpose beyond security, full notice and consent requirements apply.
The My Health My Data Act may impose additional obligations depending on whether the biometric data qualifies as consumer health data in the employment context. The MHMDA's scope is tied to consumer relationships, and its application to employment data requires careful analysis.
Government employers face the stricter requirements of RCW 40.26, including specific consent, data minimization, retention schedules, and annual policy reviews.
Regardless of which statute applies, all Washington employers collecting biometric data should maintain written policies on collection, use, retention, and destruction. They should also ensure reasonable security measures protect stored biometric identifiers from unauthorized access.
How Washington Compares to Other State Biometric Laws
Washington's biometric privacy framework occupies a middle ground among state biometric laws.
Illinois BIPA remains the most aggressive statute, with its private right of action that has generated landmark settlements against companies like Facebook and Google. Washington chose not to follow that model, opting for AG-only enforcement.
Texas CUBI shares Washington's AG-only enforcement approach but imposes steeper maximum penalties of up to $25,000 per violation. Texas also lacks the security purpose exception that Washington provides.
What sets Washington apart is the breadth of its regulatory approach. No other state has combined a dedicated biometric statute (RCW 19.375), a government biometric law (RCW 40.26), a facial recognition accountability law (RCW 43.386), and a health data act that covers biometrics (RCW 19.373) into one interlocking framework. Businesses operating in Washington must navigate all four layers.
Sources and References
This article references Washington state statutes and official government publications. For the full text of the biometric identifiers law, visit RCW 19.375 on the Washington State Legislature website. For government biometric rules, see RCW 40.26. For the My Health My Data Act, see RCW 19.373. For information on filing a consumer protection complaint, visit the Washington Attorney General.
This article provides general legal information about Washington biometric privacy laws. It is not legal advice. Consult a qualified attorney for guidance on your specific situation. Laws and regulations change frequently. Verify current requirements through official Washington government sources.
- RCW 19.375 - Biometric Identifiers Chapter (app.leg.wa.gov)
- RCW 19.375.010 - Biometric Identifier Definitions (app.leg.wa.gov)
- RCW 19.375.020 - Enrollment, Disclosure, and Retention (app.leg.wa.gov)
- RCW 19.375.030 - Consumer Protection Act Application (app.leg.wa.gov)
- RCW 19.375.040 - Exclusions (app.leg.wa.gov)
- RCW 40.26 - Government Biometric Identifiers (app.leg.wa.gov)
- RCW 40.26.020 - Agency Notice, Consent, Storage, Retention (app.leg.wa.gov)
- RCW 43.386 - Facial Recognition (SB 6280) (app.leg.wa.gov)
- RCW 19.373 - Washington My Health My Data Act (app.leg.wa.gov)
- RCW 19.86 - Consumer Protection Act (app.leg.wa.gov)
- RCW 19.86.140 - Civil Penalties (app.leg.wa.gov)
- Washington AG - Consumer Protection Division (atg.wa.gov)
- SB 6280 - Facial Recognition Bill Summary (app.leg.wa.gov)
- HB 1493 House Bill Report (lawfilesext.leg.wa.gov)