Parents who took their children to Disney World in recent years may have been surprised when Disney “cast members” asked the young princes and princesses to place a finger on a scanner before entering the parks. Biometric authentication technology has become so ubiquitous that even amusement parks have begun using it on guests young and old, lest little Johnny sneak his entrance ticket to a friend.
Workplace surveys show that fingerprint scanners are the most common type of biometric authentication technology used. Other types include facial recognition, voice recognition and retinal scans. Not surprisingly, the most common workplace use for such technology is user authentication for computers or similar devices. Another use involves time clock systems to prevent workers from “clocking in” for co-workers who are not physically present.
The benefits of biometric authentication technology in the workplace are clear. For example, requiring user authentication before logging on to a computer or entering a private area increases security. Further, requiring user authentication for time keeping reduces the risk of fraud and should lead to higher productivity and cost savings. However, employers should be aware of certain risks before deciding to use this technology.
First, the potential theft of employees’ biometric data by third parties could result in serious legal consequences for employers, in addition to severe personal consequences for the employees. As the use of biometric authentication technology becomes increasingly prevalent in everyday life, the value of obtaining an individual’s biometric data also increases. An employee’s biometric data could be used to gain access to his or her electronic devices (which typically store a host of personal information), his or her financial and medical records, and even the employee’s home. Many employers that use biometric authentication technology use third-party vendors to handle the resulting data in some capacity, increasing the risk of theft of such data. This risk is likely to be even greater in employment environments involving highly confidential information, such as financial institutions, medical facilities and government offices.
Second, and as a result of the aforementioned risks to employees, a number of states have enacted legislation regulating the collection, storage and use of biometric data, including by employers, and other state legislatures are actively considering such legislation. For example, Illinois has enacted a law known as the “Biometric Information Privacy Act.” That act requires employers and other private entities that collect or store biometric data to obtain written consent from the affected persons to do so. It also requires employers that collect biometric data to develop and maintain policies stating the purpose of collecting such data, the retention schedule for such data, and the protocols for destroying such data once the reasons for collecting and storing it have ended. The law requires employers to destroy biometric data upon the earlier of the following dates: (a) the date on which the initial purpose for collecting the biometric data has expired; and (b) the date that is three (3) years after the relevant employee’s last interaction with the employer.
Employer liability for technical violations
Importantly, employers that violate the Illinois Biometric Information Privacy Act can be found monetarily liable even if the affected individual cannot prove any actual damages. A prevailing party is entitled to $1,000 per negligent violation, $5,000 per willful violation, or actual damages, whichever is greatest. The act also provides for an award of attorneys’ fees and costs to the prevailing party.
The Illinois case underscoring that even technical violations of the Biometric Information Privacy Act can subject an entity to monetary loss, regardless of actual damages, involved a Six Flags amusement park. A 14-year-old boy visited a Six Flags park in Illinois. He presented his season pass at the entrance gate and was required to scan his thumbprint. The park did not provide any written information to the boy about the purpose of the scan or how long it would retain his fingerprint data, nor did the park obtain a written consent from him.
The boy’s mother brought a lawsuit against Six Flags alleging a violation of the Biometric Information Privacy Act. Although she could not establish any injury or damages, the Illinois Supreme Court issued a decision last month allowing her case to proceed in light of the act’s inclusion of monetary damages for “technical” violations of the act.
Important considerations in using biometric data
Based on potential liability, if an employer intends to use biometric data to prevent fraud in timekeeping, for example, it should carefully consider any statutes that might govern its collection, storage and use of such data. However, considering statutory law only might not be sufficient. Certain states may have constitutional privacy provisions employers should consider. Further, requiring employees to use biometric scanning for timekeeping purposes may implicate religious discrimination laws.
In 2015, the Equal Employment Opportunity Commission (EEOC) won an employment discrimination lawsuit it filed in federal court in West Virginia on behalf of an employee who claimed he was forced to retire because his employer would not accommodate his sincerely held religious beliefs. The employer installed a biometric hand scanner to track employee time and attendance. The employee objected to using the scanner, asserting a relationship between hand-scanning technology and the “Mark of the Beast” discussed in the New Testament’s Book of Revelation. The employee requested an exemption from using the scanner based on his religious beliefs.
The employer informed the employee that he would be disciplined, up to and including termination, if he refused to scan his hand. The employee retired and filed a charge of discrimination with the EEOC, which subsequently filed a lawsuit on his behalf alleging that the employer unlawfully refused to provide a reasonable accommodation for his religious beliefs. The jury agreed with the EEOC, finding that the employer should have allowed the employee to record his time in an alternative manner and awarding the employee $150,000 in compensatory damages. The judge increased the award by more than $400,000 for back pay and front pay.
Biometric authentication technology is not going away, and its use in the workplace is likely to increase as its use increases throughout society. However, employers should carefully consider the legal implications of such technology before they implement it in their workplaces. Otherwise, they may find themselves in a situation that is anything but a day at the park.