Employers are increasingly adopting technology that collects biometric information from their employees. For example, employers are using timekeeping systems that track when employees arrive and leave work by scanning employees’ fingerprints. Some employers are starting to use facial recognition technology to monitor employees. While the use of these technologies can cut down on fraud and other employment-related problems, there are significant legal risks that accompany their use.
In recent years, several states have enacted laws that directly or indirectly regulate the collection and use of biometric information. Other states are actively considering such laws. If your company has implemented (or is considering implementing) technology that collects biometric information, we recommend you consult with legal counsel who can advise you on applicable privacy, employment, and breach notification laws.
Below, our Privacy & Data Security team answers some frequently asked questions regarding the current regulatory regime for biotmetric data. You can also click to download the handout.
What is biometric information?
Definitions vary by state, but in general, biometric information refers to unique biometric identifiers such as fingerprints, facial patterns or scans, voice patterns, and iris recognition.
How are companies collecting biometric information?
Biometric information is increasingly collected and used by businesses for many reasons, including payment authentication, security screening, timekeeping systems, and fraud detection.
How common are biometric privacy laws?
Laws regulating biometric information are increasingly being enacted by the states:
- Three states have passed biometric privacy laws that directly regulate collection, use, disclosure, and destruction of biometric information: Illinois, Texas, and Washington.[1]
- Nineteen states have incorporated biometric data into their definition of “Personal Information,” requiring notification to affected individuals in the case of a data breach.[2]
- As discussed below, five states have enacted laws that, while not explicitly introduced as biometric privacy laws, regulate biometric information in some way: California, Colorado, New York, North Carolina, and Florida.
- Municipalities are also starting to pass biometric related laws, such as San Francisco’s facial-recognition ban.
How do biometric privacy laws work?
Biometric privacy law varies from state to state and city to city; however, the laws all generally require some form of notice and consent before the biometric information is collected from an individual. Illinois also requires a “written policy” to be made publicly available with specific requirements as to its content. Sale, lease, or disclosure of biometric information to third parties is generally prohibited unless the individual consents or an exception applies.[3]
Each biometric privacy law requires that the biometric information be destroyed when it is no longer needed for the purpose for which it was collected, subject to applicable legal requirements that may mandate a longer retention period. Some states specify when data must be destroyed. For example, Texas requires that data be destroyed within a reasonable time, but not later than the first anniversary of the date when the purpose for the collecting expires, unless another law provides for a longer maintenance period.
What are the potential penalties/risks for violating biometric privacy laws?
The remedies available for violations of biometric privacy laws vary from state to state. In Texas, the only available remedy is for the attorney general to seek a civil penalty for up to $25,000 per violation. In Illinois, however, any “aggrieved” person can file suit for either liquidated or actual damages, attorneys’ fees, and injunctive relief. Class actions are also permitted. After the Illinois Supreme Court’s recent decision in Rosenbach v. Six Flags Entertainment Corp., a plaintiff no longer needs to show he or she was injured from the violation, opening companies up to the potential for large class actions for liquidated damages and attorneys’ fees.[4]
What other states have laws with restrictions relating to biometric information?
California
California labor law makes it a misdemeanor for an employer to require an employee to be fingerprinted as a condition of employment if the employer plans to provide the information to a third party and if the information could be used to the employee’s detriment.[5]
New York
New York labor law prohibits employers from fingerprinting employees as a condition of employment or continued employment unless specifically authorized by another law.[6] On April 22, 2010, the New York Department of Labor issued an opinion clarifying that if a finger print is captured, even if it is not stored, it is prohibited under the law.[7] Voluntary fingerprinting of employees is not prohibited under this law. However, employees cannot be coerced into volunteering. In short, a time clock that captures fingerprints should not be used in New York unless the employee volunteers to use the system.
Colorado
Colorado requires employers to develop policies to properly secure and dispose of paper and electronic documents containing “personal identifying information,” which is defined to include biometric information.[8]
North Carolina
North Carolina includes biometric data, when attached to a person’s name, as personal information for purposes of its Identity Theft Protection Act.[9] Entities that have such information must take reasonable measures to protect against unauthorized access to this information. In addition, North Carolina requires development and implementation of policies relating to proper disposal of this information.
Florida
Florida bars public schools from collecting, obtaining or retaining any biometric information from their students or their immediate family members.[10]
What are some best practices regarding biometric data?
The landscape regarding biometrics laws is changing rapidly and varies from jurisdiction to jurisdiction. While there is not a one-size-fits-all approach, there are several best practices that you can follow when collecting biometric data.
- Provide notice before collecting, using, or disclosing biometric information. That notice should include information about the data that is being collected, what it will be used for, who it will be shared with and for what purpose, and how long it will be stored.
- Obtain consent before collecting biometric information.
- Use, share, and disclose biometric information only as set forth in your biometric notice.
- Store biometric information securely and only for as long as needed.
- Develop policies and procedures to securely destroy biometric information when it is no longer needed.
- If you have a data breach, consider whether a breach of biometric information should be reported under applicable laws.
- Consult your attorneys before collecting biometric information from your employees or other individuals, as this area of law is rapidly developing.
[1] Ten additional states have proposed biometric privacy legislation that has not yet been enacted: Alaska, Arizona, Connecticut, Delaware, Florida, Indiana, Massachusetts, Michigan, Montana, New Hampshire, and New York. Many of these bills failed or died in committee, but it is likely that legislators will continue to be active in this area going forward.
[2] Those states are: Arizona, California, Colorado, Delaware, Florida, Illinois, Iowa, Louisiana, Maryland, Missouri, Nebraska, New Mexico, North Dakota, North Carolina, Oregon, South Dakota, Texas, Wisconsin and Wyoming.
[3] For example, the laws generally permit disclosure to complete a financial transaction authorized by the individual and in cases where the disclosure is required by law. Texas law permits disclosure for identification purposes in the event of the individual’s disappearance or death.
[4] Rosenbach v. Six Flags Entertainment Corp., No. 123186, 2019 IL 123186 (Jan. 25, 2019).
[5] Cal. Lab. Code § 1051.
[6] N.Y. Lab. Law § 201-a.
[7] The opinion is available here(. Instruments that measure the geometry of the hand are permissible under the labor law so long as they do not scan the surface details of the hand and fingers in a manner similar to scanning of a fingerprint. Id.
[8] Colo. Rev. Stat. Ann. § 6-1-713(1), (2).
[9] N.C.G.S. 75-61, 65.
[10] Fla. Stat. § 1002.222(1)(a).