Cotney Newsletter
The Risks of Using Employees’ Biometric Information
As new technology continues to evolve, it is easy to become intrigued with new options for security and tracking. However, if you utilize your employees’ fingerprints or retina scans for timekeeping or other records, be careful. Recent lawsuits suggest that improper use can cost you.
Class-Action Settlement
In June 2021, the Topgolf company reached a settlement with a group of its employees who claimed the entertainment group used a finger scan timekeeping process that collected and disclosed their biometric information in ways that violated the Illinois Biometric Information Privacy Act (BIPA). Although Topgolf denied the alleged violations, it agreed to an award of more than $2.6 million, which will be split among more than 2,600 employees and has been approved by the U.S. District Court for the Northern District of Illinois.
What BIPA Provides
BIPA, which passed in 2008, includes stipulations relating to collecting, storing, and disclosing biometric identifiers—such as fingerprints, voiceprints, retina or iris scans, and hand or facial scans—and biometric information gathered via such identifiers. Depending on circumstances, BIPA violations call for statutory damages of $1,000 or $5,000 per violation.
According to BIPA, employers who use biometric identifiers are required to create a written policy about how long such information will be stored and when it will be destroyed. This policy must be publicly accessible.
Also, per BIPA, private entities are prohibited from collecting, capturing, purchasing, trading, or otherwise obtaining biometric identifiers and biometric information unless the following requirements are met:
- The entity informs the applicable individuals or their representatives in writing that biometric information is being collected or stored.
- The entity informs the applicable individuals or their representatives in writing about the purpose of this data collection, as well as how long the information will be collected, used, and retained.
- The entity obtains from the applicable individuals a written release executed by them or their legally authorized representatives.
Laws in Other States
Similar laws are rare in the United States, but some states and regions are starting to put them in place. For example, Washington and Texas have set restrictions on collecting biometric identifiers and using them for commercial reasons. And New York City adopted a law in January 2021 that addressed the practice of commercial establishments collecting and using their customers’ biometric identifiers. Other states have also proposed and passed legislation about consumer data privacy, and more states will likely follow suit.
Additional Lawsuits
Topgolf is just one of the businesses being affected by the biometric information issue. In June 2021, Apple was hit with a lawsuit filed by a group of consumers who protested the company’s use of electronic facial recognition and fingerprinting for its products.
In July 2021, Walmart found itself facing a class-action lawsuit from employees who argued that the company broke the law by tracking their work using voice recognition software. Earlier this year, the company also faced claims from employees for mandating the use of palm-scanning devices without written consent. In that case, Walmart agreed to a settlement of $10 million. It seems probable that more employees will file these kinds of lawsuits in the months and years ahead.
Advice for Employers
The use of electronic fingerprinting, hand scanning, or facial recognition can be an efficient and effective procedure for timekeeping and other tasks. This technology prevents workers from clocking in or out for others, and it can be easy to use. However, as employees grow more concerned about their personal data and privacy rights, you should be aware of the added legal risk. It is crucial that you are transparent about how and why the data is being collected and how long it will be stored.
It is also possible that some workers could object to offering their biometric identifiers, even if the purpose is explained. For example, they may have disabilities that interfere with the technology, or they may have cultural or religious issues to consider. In those cases, you are advised to provide accommodations, allowing workers to manually perform timekeeping or other tasks.
If you use third parties to collect and store biometric information, you must also ensure those companies are not mishandling the data and are complying with all applicable privacy laws.
There is no doubt that utilizing technology can help streamline your processes and cut down on paperwork. However, you must be honest with your employees about how their information will be guarded. You do not want to lose their trust in an attempt to chase efficiency.
Disclaimer: The information contained in this article is for general educational information only. This information does not constitute legal advice, is not intended to constitute legal advice, nor should it be relied upon as legal advice for your specific factual pattern or situation.