The increasingly popular use of biometric authentication technology by employers as a means of tracking employee data, including for timekeeping purposes, can create liability. Biometric data generally consists of an individual’s physical characteristics and the associated technology used to aggregate this data. Biometric data can include fingerprints, DNA, voiceprints or facial recognition technology. This futuristic means of tracking individuals has its benefits for employee time management (e.g., in lieu of traditional punch cards), for providing access to a secure facility, or for other authentication purposes. But it also has its pitfalls.
Several states have proposed or enacted legislation protecting individuals’ privacy rights in the collection of their biometric data. Illinois led the pack by enacting the Illinois Biometric Privacy Act (“BIPA”) in 2008, which requires businesses who collect biometric data to: (1) provide written notice to the individual of the collection; (2) inform the individual of the length of time for which the biometric identifiers are being collected, stored, and used; and (3) obtain express, written consent from the individual prior to collection. Employers and other private entities must also exercise a reasonable standard of care in handling biometric data.
BIPA creates a private right of action for individuals aggrieved by a statutory violation, and violations can create substantial exposure to an employer, including liquidated damages, attorneys’ fees, costs, and/or injunctive relief. Since enactment of BIPA, similar legislation has been either enacted or proposed in other states including Texas, Alaska, Connecticut, Montana, New Hampshire, and Washington.
The privacy litigation landscape – particularly in the employment context – has already seen an evolution as a result of these laws designed to protect biometric information, with an uptick in litigation between 2015 and 2017. In one example, in October 2017, a rehabilitation center in Illinois called Paramount of Oak Park Rehabilitation & Nursing Center LLC was slapped with a BIPA-violation lawsuit for requiring employees to scan fingerprints twice daily as a means of clocking in and clocking out. The complaint filed in Cook County, IL calls this practice “invasive” and states:
Unlike a Social Security number, which can be changed, no amount of time or money can compensate [workers] if their fingerprints are compromised by the lax procedures through which defendants capture, collect, store and use their workers’ biometrics.
Notably, this and other lawsuits addressing this issue do not necessarily arrive at the point of challenging use of the data. Instead, employers are facing liability at the outset for the mere collection of this data when not in compliance with statutory requirements. Over 30 similar class action lawsuits have been filed in federal and state jurisdictions.
Case law under BIPA and other similar statutes is still developing, and employers should keep a watchful eye on trends in courts’ treatment of biometric data protections, restrictions, and requirements in order to ensure compliance. In the interim, and because the cost of non-compliance is substantial, employers should be cautious in their approach to collecting, using and storing their employees’ biometric data. Specifically, employers should:
- Draft a written policy regarding collection and use of biometric data, including the company’s process for safeguarding the information, and destruction of data, consistent with state law. Employers should consider including a discrimination disclaimer in their policy, which should be disseminated widely, and review should be made an onboarding and training requirement.
- Obtain express written consent and a release from each employee before collecting or using their biometric data.
- Implement a data breach response protocol that includes biometric data and provide notice to employees that a protocol exists.