Key Notes:

  • Employers should evaluate their use of biometric data in light of privacy and litigation risks.
  • Employers should ensure compliance with state and federal laws.

As technology continues to enable us to accomplish tasks faster and more accurately, the workplace continues to become more complex for employers to navigate. The use of biometric data for security and identity verification is becoming more commonplace by the day. However, the use of biometric data is also raising a host of concerns for employers, ranging from privacy and security issues to litigation exposure.

What Is Biometric Data?

Biometric data is any data involving a natural person’s unique biological patterns or characteristics, including fingerprints, voice prints, facial recognition, hand geometry, and iris or retina scans. Unlike other personal identifiers, such as a Social Security or driver’s license number, biometric data generally cannot be changed once in the wrong hands.

How Is Biometric Data Being Used?

In the employment space, biometric data is most often used for time-keeping purposes (such as fingerprint scans used in place of traditional time clocks), for security purposes (to restrict access to certain information or company locations), and for websites or phone apps that use and recognize individual faces (such as an employee intranet).

There are marked advantages to these uses of biometric data: employees who are late to work or absent cannot have co-workers clock in for them; an employee without permission to access restricted information, rooms or documents cannot steal another employee’s key or password to gain access; and intranets can promote employee connectedness, especially in large organizations with many facilities.

However, the use of biometric data also presents a number of serious concerns for employers.

State Law Prohibitions

Currently, a number of states—Illinois, Texas and Washington—have laws in place that expressly prohibit companies from collecting biometric data without an individual’s consent. The Illinois law requires that consent be given in writing. Additionally, guidance from the New York Department of Labor suggests that requiring employees to use their fingerprints to clock in and out likely violates provisions of the New York Labor Law. Several other states and the federal government are contemplating similar legislation. Moreover, the federal Genetic Information Nondiscrimination Act, already in place, makes it illegal to discriminate against employees or applicants because of genetic information and places restrictions on the collection of that information.

While the Texas and Washington laws may only be invoked by the state attorneys general, the Illinois Biometric Information Privacy Act (BIPA) provides a private right of action and has been the focus of much of the biometric data litigation to date. BIPA was enacted in 2008 and regulates the collection and storage of biometric identifiers (such as a fingerprint or retina scan) and biometric information (defined to encompass more than just biometric identifiers and to include data like photographs). BIPA prohibits companies from selling, leasing, trading or profiting from biometric data without an individual’s consent and carries damages ranging from $1,000 to $5,000 per violation.

The plaintiffs’ bar has brought a series of class action lawsuits pursuant to BIPA, including against supermarket and hotel chains relating to the use and storage of employee fingerprint data. While much of the litigation is still playing out in the courts, class actions of any kind can be incredibly costly for employers.

Data Storage

Employers in any state should be mindful of how they collect, retain and store biometric data. The Illinois, Texas and Washington laws all require that companies employ a “reasonable standard of care” to protect and handle the data. Many other states have data breach notification laws that require notifications relating to the disclosure of biometric data.

Best Practices

Employers who use biometric data should take a close look at their biometric data policies and procedures, regardless of the states in which they are located. Best practices may include providing employees with a written policy and release form, and maintaining confidentiality of the biometric data. If a third party is involved in collecting or storing the data, the employer may want to coordinate its policies and procedures with the third party. If a data breach does occur, employers should have procedures in place for responding promptly.