This is the first article in a two-part series on biometric technology and the law. This article explains the legal requirements for using biometrics in the workplace. The second article provides tips on avoiding liability.
With the recent rapid advancement of biometric technology, more employers have begun relying on biometric data to accomplish a range of objectives in the workplace.
According to a 2018 survey by Gartner, 6 percent of U.S., European and Canadian companies surveyed tracked workers using biometrics.
Employers who use biometrics can achieve real economic and security benefits, but the practice comes with litigation risks.
Three states—Illinois, Texas and Washington—have enacted laws regulating biometric data to protect employee privacy concerns. An individual's biometric information is not a secure identifying feature once it has been compromised.
Biometric data encompasses unique, measurable human biological or behavioral characteristics—including fingerprints, voice prints, and hand or face geometry—that are used primarily for identification and authentication purposes. Finger and facial biometric recognition have become so commonplace that many people do not think twice before using biometrics to log in to their smartphone or authenticate a credit card transaction.
Employers use biometric data for providing secure building access, tracking employee time and attendance, activating machinery, and authenticating users' identities for increased computer and mobile device login security.
Overall, Illinois' Biometric Information Privacy Act (BIPA)—enacted in 2008—is generally considered the most stringent of all state laws regarding biometric data. Under BIPA, a private entity cannot collect or store biometric data without first providing notice to employees, obtaining written consent and making certain disclosures. In addition, covered entities are required to develop a written policy establishing a retention schedule and guidelines for permanently destroying biometric data.
Furthermore, BIPA bars covered companies from selling or profiting from the biometric data they collect, and it requires them to protect biometric data using the reasonable standards of care within their respective industries in a manner that is as protective as or more protective than the manner in which they protect other sensitive information.
Significantly, actual harm is not a required element of proof when bringing suit under BIPA—the law provides for a private right of action for a technical violation, with statutory damages of $1,000 per violation or $5,000 if the violation is considered intentional or reckless. These allowable statutory damages, combined with an attorney fee provision, provide noteworthy incentives for plaintiffs' attorneys to pursue class-action litigation for alleged technical BIPA violations.
In 2009, Texas passed its Capture or Use of Biometric Identifier Act (CUBI). CUBI mandates that a data subject must be informed of and consent to the collection and use of his or her biometric information before any biometric data is captured by the company. But unlike BIPA, this consent does not have to be in writing.
CUBI bars the sale or disclosure of an individual's biometric identifiers and requires that biometric data be protected using reasonable care and in a manner that is as protective as or more protective than the manner in which the entity handles other sensitive information.
Unlike BIPA, CUBI allows actions to be brought only by the state's attorney general for violations of the law, with a maximum recovery of $25,000 for each violation.
In 2017, the state of Washington became the third state to enact regulations on biometric data. The Washington law, like the Texas law, provides that only the state's attorney general can bring an action to enforce the statute.
Given the increasing use of biometrics in all types of settings, including the workplace, and the potential for severe and permanent adverse consequences that occur when this type of data is compromised, regulation by more states is possible.
Ana Tagvoryan, Brooke T. Iley and David J. Oberly are attorneys with Blank Rome in Los Angeles; Washington, D.C.; and Cincinnati, respectively.