Running Into the Wind: How Businesses Should Approach Biometric Privacy Compliance

Feb 23, 2025

When a storm approaches, cattle instinctively try to outrun it, often resulting in exhaustion and prolonged exposure. 

Buffalo, however, take a different approach—they run directly into the storm, minimizing their time in adversity and emerging stronger on the other side. This philosophy is exactly how businesses should handle privacy compliance. Instead of fearing regulations or scrambling after lawsuits, companies that charge ahead—by implementing sound privacy practices—will position themselves as leaders in their industries, avoiding unnecessary panic and disruption.

Case Update: The First Class-Action Lawsuit Under Washington’s "My Health, My Data Act"

The recent filing of a class-action lawsuit under Washington’s "My Health, My Data Act" is an early sign that biometric privacy enforcement is here to stay. The lawsuit alleges that a business failed to obtain proper consent before collecting biometric information, emphasizing the need for companies to take a proactive stance in compliance. Rather than viewing this as a warning, companies should see it as a reminder that privacy laws are evolving, and those who embrace compliance now will be well-prepared for the future.

The "My Health, My Data Act": What You Need to Know

Washington’s "My Health, My Data Act" is designed to ensure transparency and consumer control over personal data, including biometric information. Unlike other privacy laws, this legislation includes a private right of action, meaning individuals can bring lawsuits if they believe their biometric data rights have been violated. Additionally, the Act applies broadly, covering entities beyond traditional healthcare providers and extending protections to people who reside outside of Washington if their data is collected within the state. While this may sound concerning, companies that follow basic privacy principles will find compliance manageable.

Key Takeaways:

  • Consent Matters: Businesses must obtain clear, informed consent before collecting biometric data.

  • Consumer Rights Are Expanding: Individuals have the right to access, delete, and restrict the use of their data.

  • Broad Applicability: The law applies not only to healthcare entities but also to any business collecting sensitive health-related or biometric data.

  • Security Is Key: Implementing reasonable safeguards to protect biometric data is required.

Why Running Into the Wind—Instead of Against It—Is the Smart Approach

Businesses that embrace compliance early, rather than waiting until lawsuits or enforcement actions force them into it, will find themselves ahead of the curve. Just like the buffalo charging into the storm, businesses that proactively implement privacy measures will face less turbulence in the long run.

1. Obtain and Document Consent

Ensure that individuals understand what biometric data you collect and how it will be used. A simple, clear consent form before data collection is often sufficient.

2. Enhance Transparency

Maintain a privacy policy that explains biometric data practices in plain language. Inform consumers of their rights and how they can exercise them.

3. Adopt Secure Storage Practices

Encrypt biometric data and store it securely to prevent unauthorized access. Many existing security frameworks, such as those used in financial services, already meet this requirement.

4. Limit Data Retention

Only keep biometric data for as long as necessary for its intended purpose. Regularly review and delete outdated records.

5. Monitor Legal and Regulatory Updates

Staying informed about evolving privacy laws will help ensure continued compliance without last-minute adjustments.

A Shift Toward Proactive Compliance

The impact of Washington’s law extends beyond state borders. Similar to California’s CCPA and Illinois’ BIPA, this legislation signals a broader trend in state-driven privacy protections. Even businesses that don’t operate in Washington should be aware that:

  • Other states may enact similar laws. Being proactive now can prevent costly adjustments later.

  • Federal attention on privacy laws is growing. While there is no comprehensive federal biometric law yet, staying ahead of state-level changes prepares businesses for possible national regulation.

  • Cross-state compliance is becoming necessary. If a company collects biometric data from customers across multiple states, aligning with the strictest requirements ensures long-term compliance.

Looking Ahead: A Positive Outlook for Businesses

At Unified Law, we counsel our clients to run into the wind—to take challenges head-on rather than react out of fear. By embracing privacy compliance, businesses can reinforce trust, avoid regulatory surprises, and differentiate themselves as industry leaders.

Rather than seeing biometric privacy laws as obstacles, businesses should view them as opportunities to strengthen consumer trust and security. Compliance is not a burden; it’s a strategic advantage. Companies that act today will not only weather the storm but emerge stronger on the other side.

Need Guidance? If you have questions about how the "My Health, My Data Act" applies to your business or need assistance updating your privacy policies, Unified Law is here to help. Reach out to our team for practical, business-friendly compliance strategies that keep you ahead of regulatory changes.

By running into the wind—rather than away from it—businesses can navigate biometric privacy laws with confidence. Compliance doesn’t have to be difficult—it’s simply about clarity, security, and respect for consumer rights. With a thorough but straightforward approach, businesses can stay compliant and continue innovating without unnecessary fear.