Does your organization use employees' "biometric data"? Probably. Fingerprint swipes for time cards, temperature screenings for COVID precautions, and retina scans for security access — these are just a few examples of the proliferation of biometric data used in the workplace.
Using employee biometric data is not risk-free, however. In 2015, a court awarded a Pittsburgh-based employee $586,860 in damages for being illegally fired after he refused to clock in and out of work via the employer's biometric hand scanner. Employers that use biometric data should be wary of the developments in biometric data legislation and should take proactive steps to ensure compliance.
What Is Biometric Data?
Biometric data can be divided into two categories: biometric identifiers and biometric information. Biometric identifiers include retina or iris imaging, fingerprint scans, voiceprints, hand scans, genetic prints, and face geometry. Biometric information is the data collected from the use of biometric identifiers specific to the target individuals. Both types of biometric data present legal issues for employers.
Why Do Employers Use Biometric Data?
Using biometric data has its advantages. It can cut down on paperwork, increase processing speeds, and lower the risk of human error. For example, a fingerprint swipe in lieu of a time card may reduce the incidence of wage theft. A fingerprint swipe record can also provide helpful rebuttal evidence if an employee alleges that an employer's time records are inaccurate.
Biometric data laws vary across different jurisdictions, and there is currently no federal law regarding biometric data in the workplace. Generally speaking, most biometric data laws:
- Require an employee's informed consent prior to biometric data collection;
- Protect the confidentiality of an employee's biometric data;
- Prohibit employment discrimination based upon an employee's biometric data; and
- Prohibit the sale or unauthorized dissemination of an employee's biometric data.
In addition, some state legislatures go a step further by prohibiting specific types of mandatory biometric data collection altogether. In New York, for example, employers are prohibited from requiring employees to provide their fingerprint information as a condition of employment. (However, New York does allow employee fingerprint scanning, provided the employee voluntarily consents in advance.)
What Are the Legal Risks?
Biometric data privacy violations can be costly. Some states have enacted laws that create a private right to file a civil action for biometric data privacy violations. The Illinois Biometric Information Privacy Act ("BIPA"), for example, permits statutory damages of up to $1,000 per negligent violation and $5,000 per reckless or intentional violation. Those statutory damages provisions often lead to expensive class action filings. Court records suggest that in the last two years alone, over 400 BIPA class actions have been filed in Illinois.
In addition to statutory damages, as noted in the example at the top of this article, employees who are fired for refusing to submit biometric data may also be entitled to compensatory damages for back pay, front pay, and emotional distress.
What Should Employers Do to Limit the Risk of a Biometric Data Lawsuit?
For most employers, the advantages of using biometric data will outweigh the legal risks. Plus, the legal risks are usually manageable. Here are a few steps employers should take to minimize the risk of a biometric data lawsuit:
- Obtain written consents from employees before biometric data is collected.
- Provide employees written notice regarding when biometric data is collected and the purpose(s) of collection.
- Consider potential racial bias claims associated with biometric data collection technologies, such as facial recognition software, when deciding which biometric data methods are appropriate for your organization.
- Implement appropriate confidentiality, storage, and data security measures, both internally and with third-party vendors that collect or use biometric data.
- Negotiate indemnification agreements that entitle your organization to be indemnified in the event of a data breach or mishandling of biometric data by a third-party vendor.
Employers that collect or use employees' biometric data should also consult with experienced employment counsel regarding the specific laws applicable to the jurisdictions in which they operate. Should you have any questions, please do not hesitate to contact the authors of this article, or any of the other attorneys in Venable's Labor and Employment Group.
* * * * *
The authors gratefully acknowledge the able assistance of Taylor Bleistein, currently a law clerk in Venable's New York office, for her contributions to this article.