Employers are utilizing biometrics to identify employees and track hours worked. However, unlike other methods of authentication such as passwords, biometric identifiers may not easily be changed once compromised. Employers that use biometrics need to be aware of regulations such as the Illinois Biometric Information Privacy Act (BIPA). Similar statutes are taking effect in California and New York in 2020.
What is BIPA?
BIPA is the first, and therefore the oldest, biometric privacy statute in the United States. Enacted in 2008, it regulates the collection and storage of biometric information. Biometric information covers a variety of identifiers, including retina scans, iris scans, fingerprints, palm prints, voiceprints, facial geometry, DNA, gait, and even scent.
Although biometric laws broadly apply to all industries and regulate private entities and individuals, compliance issues most frequently arise in the HR and employment context.
Employers are utilizing employees' biometric information to monitor when their workers clock in and out, to restrict access to secure areas, to provide system login and regulate online access to sensitive data, and to monitor productivity. While convenient, highly accurate, and efficient, use of biometric technology brings with it legal and regulatory compliance issues.
As these technologies evolve, organizations increasingly expect staff to provide biological data in the name of improved security. State governments now regulate the collection, use, and disclosure of biometric data, including data collected by time clocks that scan fingers and hands.
Under BIPA, private entities that use biometric information must have a written policy, retention schedule, and guidelines for its collection, retention, and destruction. BIPA also requires advance disclosure and a written release from the subject or employee whose information is going to be collected, and it restricts the entity's right to disseminate biometric information. Importantly, BIPA provides for a private right of action. In Rosenbach v. Six Flags Entertainment, the Illinois Supreme Court held that a person does not need to suffer actual or concrete harm in order to have standing to sue under BIPA: the mere violation of the Act is enough.
The Illinois law is a precursor, and employers should expect other states to draft similar legislation. Employers should adopt biometric policies focused on privacy ahead of any new compliance expectations.
Since July 2017, hundreds of class action lawsuits have been filed under BIPA against employers operating in Illinois. Statutory damages range between $1,000 and $5,000 per violation, plus attorney fees for a successful plaintiff. Because damages are assessed per violation, the potential exposure for employers sued under BIPA can be substantial.
While Illinois BIPA remains the only biometrics legislation that provides for a private right of action, five other states (Texas, Washington, California, New York, and Arkansas) have now passed their own biometric statutes or expanded existing laws to include biometrics. These five states, however, either do not address the private right of action or expressly allow enforcement by the state attorneys general.
Most of these cases are class actions, and most target employers that use biometric technology in the workplace. These lawsuits are on the rise, and they are expensive and difficult to defend.
In January 2020, Facebook agreed to pay $550 million to settle a class-action lawsuit that alleged the company's use of facial recognition technology violated the Illinois BIPA. The case marks one of the largest cash settlements ever reached in a privacy lawsuit.
BIPA requires companies to obtain consumers' explicit consent before collecting or sharing biometric information, such as facial recognition or fingerprint scans.
Plaintiffs argued that Facebook violated the law because it failed to obtain consent before generating scans, or "templates," of users' faces, which it uses to identify the subjects of photos for tagging suggestions and for some security features.
To protect your company against allegations and lawsuits involving biometric laws, consider the following steps:
- Consider whether use of biometric technology is necessary and appropriate for your business.
- If relying on biometric technology, provide advance notice to the individuals and obtain consent.
- Ensure that the notice adequately discloses why you collect biometric data and how you use, store, and disclose it.
- Obtain written informed consent from each individual, when appropriate.
- Allow individuals to opt out of biometric information collection.
- Stay abreast of the latest compliance developments in this area and update relevant policies and procedures.
At Excelerator® we recognize the importance of using leading technology while helping clients stay up to date on compliance requirements, policies, and procedures.