Employers are increasingly tracking employee work and movements using biometric data such as fingerprints, voiceprints, retinal scans, and facial images. As revealed by the media attention to lawsuits against Facebook, Shutterfly, and other companies regarding their use of facial recognition technology, the public—and lawmakers—are becoming ever-more aware of the risks involved, including the possibility of identity theft.
Many employers are unaware of the laws regulating their collection and use of such data. Those laws are increasingly being used as the basis for class-action lawsuits filed against companies that do not comply with the laws’ strict requirements regarding employee notice, employee consent, and data destruction. In one recent example, United Airlines was sued in a class-action suit alleging that it violated Illinois’ recent biometric data law by maintaining a fingerprint timekeeping system for employees without properly giving notice and obtaining consent.
Texas and Illinois are currently leading the way in regulating employers’ use of biometric data. (It is no coincidence that these are reported to be the two states in which Google has blocked use of its “Arts & Culture” app, which uses facial recognition software to compare users’ images to historical artwork.) Texas’ biometric data law governs the collection, use, and retention of biometric information obtained for a “commercial purpose,” Tex. Bus. & Comm. Code § 503.001 et seq., and some commenters have interpreted this term as applying to biometric data collected by employers. The Texas law does not have a private right of action, but the Attorney General may investigate and impose a penalty of $25,000 for each violation.
Illinois’ biometric data law, called the Illinois Biometric Privacy Act, has already resulted in dozens of lawsuits against companies with workers in Illinois, including large employers such as United Airlines and Hyatt. Its penalty of up to $5,000 per “willful” violation of the statute, plus plaintiffs’ attorneys’ fees, can quickly add up when the practice extends to many employees. Of particular concern to employers is that it is currently unclear whether a complaining Illinois employee has to show that her data was actually misused in some way; violation of the strict statutory requirements may be enough.
In addition to running afoul of state biometric data statutes, failure to safeguard biometric data could result in claims of common-law negligence or violation of state data breach notification laws. This possibility exists as to biometric data kept in almost every jurisdiction.
The bottom line
Biometric data systems can be valuable tools for employers. But they also carry risks because of the potential for identity theft. Prudent employers should review their systems to determine whether employees’ biometric data is being used or preserved. If so, employers should understand the patchwork of potentially applicable laws, and develop procedures that provide required notice to employees, arrange for employee consent, safeguard biometric data, and provide for the destruction of biometric data in compliance with the specifics of the applicable laws. Employers should also be prepared to carefully consider any employee requests to be exempted from the collection of biometric data, as such requests could conceivably implicate religious or disability accommodation issues.