There has been an increase in biometric privacy class action lawsuits, which should concern employers. First and foremost, what is biometric data? Biometric data refers to any data that identifies or is related to an individual’s physical, physiological or behavioral characteristics, such as fingerprints, iris scans, facial recognition, hand recognition, voice recognition, DNA or any other unique biological information. With the rise of biometric technologies, concerns over the privacy and security of biometric data have become increasingly important. Securing an employee’s biometric data should be treated as seriously as, if not more seriously than, securing other data, such as their Social Security number. While there are no federal laws that address biometric authentication or the collection, usage and storage of biometric data, several states have enacted biometric data privacy laws to protect the privacy of individuals.
Illinois was the first state to do so in 2008, with the passage of the Biometric Information Privacy Act (BIPA). BIPA requires organizations to obtain written consent from individuals before collecting biometric data and mandates that organizations establish and maintain reasonable security measures to protect the data. BIPA has resulted in a flood of litigation in Illinois, especially class actions. The White Castle chain employs almost 9,500 workers and uses biometric data, a fingerprint, for its employees to access the store’s computer system. The computer system also performs the function of a timeclock where the employees punch in and out. The Illinois Supreme Court recently ruled that the chain has violated Illinois’ BIPA and is now facing damages of an estimated $17 billion. You read that correctly. $17 BILLION. BIPA imposes penalties of $1,000 per violation and $5,000 for reckless or intentional violations, and the Illinois Supreme Court ruled that every time an employee uses their biometric data, it counts as a violation. Yes, every single time a fingerprint is used. I have seen some restaurant point-of-sale systems require the employee to use their fingerprint to log in every time they ring up a guest order, so a violation can easily put a business out of business. California’s penalty is $2,500 per violation and $7,500 for intentional violations.
Other states have followed Illinois’ lead, with Texas in 2009, Washington in 2017 and California in 2018 all passing biometric data privacy laws in recent years. The California Consumer Privacy Act (CCPA) requires organizations to disclose what biometric data they collect and for what purpose, as well as allowing individuals to request the deletion of their biometric data. Clicking on the state above will link you to each state’s law.
While I am writing this from an employer perspective about its employees, it’s not just employers who should be concerned. While biometric data privacy laws are important for protecting workers’ privacy and security, they can also pose challenges for organizations that rely on biometric data for authentication or identification purposes. For example, financial institutions may use biometric data to authenticate customers before allowing access to accounts, healthcare providers may use biometric data to verify patient identities to ensure accurate medical records, and so on.
It may be only a matter of time before other states enact their own variation, so taking action now may be a best practice. Since the start of the 2023 legislative session, at least 15 biometric privacy law proposals have emerged across 11 states, including Arizona, Hawaii, Maryland, Massachusetts, Minnesota, Mississippi, Missouri, New York, Tennessee, Vermont, and Washington. What is a best practice, you may ask? The details may change from state to state, so be sure to check your state’s laws for specifics, but in essence, it is important to receive consent from the employee if you are asking for biometric data. States may differ as to the format of the consent, whether it can be provided electronically or if it must be in writing. In any case, it is good practice to also state in your employee handbook, which employees should be signing off on to begin with, why you are collecting the data, how it is being used and stored and when it will be destroyed.
What happens if the employee declines to give consent? This is an interesting scenario that may very well require legal consultation. Employment at-will states allow employers to terminate employment for any lawful reason; for example, without legislation providing that an employee cannot be terminated for refusing to provide a fingerprint, an employer would certainly have the right to terminate the employee. But, not so fast. What if it goes against an employee’s religious beliefs, as defined in Title VII of the Civil Rights Act of 1964? In EEOC v. Consol Energy, Inc., the employee believed that submitting to workplace hand recognition had a connection to the “Mark of the Beast,” as referenced in the Book of Revelation. The employee asked the company to accommodate his religious beliefs by allowing him to track his time some other way, such as through a more traditional manual time recording system. The company refused and the employee filed a charge, ultimately resulting in the lawsuit.
In summary, these laws are new, evolving and should be taken seriously. Whether you are in one of the few states that have a biometric privacy law or not, develop a good practice now, put it in writing and obtain consent.
While I make every attempt to ensure the accuracy and reliability of the information provided in this article, the information is provided “as-is” without warranty of any kind. There may be additional situations that apply to you that are not mentioned above and we are just seeing the start of biometric laws being made. PayMaster, Inc and Romeo Chicco do not accept any responsibility or liability for the accuracy, content, completeness, legality, or reliability of the information contained. Consult with your CPA, Labor Attorney, and/or HR Professional to ensure you are in compliance.