Blog

Beware of Biometrics

By Lehr Middlebrooks Vreeland & Thompson, P.C.

March 29, 2018

Biometric authentication technology is becoming widely used by employers to track employee data, employee work hours, and employee locations. This creates a potential source of employer liability.

Biometric data generally involves information that is associated with an employee’s physical characteristics. That information is then used through technology to analyze the employee’s physical characteristic data. The biometric data may include employee fingerprints, DNA, voice prints, and facial recognition technology. The use of this biometric data is an efficient and reliable way for employers to have a safe and secure workplace and accurately determine where employees are at a particular point in time and when they are working.

Recent litigation under the Illinois Biometric Information Privacy Act (“BIPA”) has brought to the forefront the need for employers to establish clear policies and protocols when collecting and using biometric data. Several class actions have been filed against employers in Illinois for violating BIPA. For example, the Illinois Act requires tha employers provide employees with advance notice of the data that will be collected, the amount of time that the data will be maintained, and to obtain express consent from the employee in order to secure and retain the data. Employers also have a general duty of care in how the information should be handled and retained, so that employee privacy interests are protected.

Employers who violate BIPA are subjected to attorney fees, liquidated (“double”) damages, costs, and injunctive relief. States which have also enacted or are considering enacting similar legislation include Alaska, Connecticut, New Hampshire, Texas, and Washington.

Even states that are not contemplating enacting a statute comparable to Illinois have as a matter of common law the expectation that employers will take great care when collecting, using, and storing employee confidential information. Therefore, the following suggestions are for employers to ensure that the use of biometric data does not create an employee cause of action:

1. Establish a written policy that addresses the collection, use, storage, and destruction of biometric data. Consult with counsel to ensure your policy meets the requirement of any laws applicable in your jurisdiction.

2. The policy should state the purpose for which the biometric data will be used. It should also include a statement that it will not be used in any manner that is considered a violation of the employer’s policies which prohibit discrimination. Furthermore, the policy should explicitly state who may have access to the data and under what circumstances.

3. An employee should authorize in writing the collection of use of the biometric data according to the employer’s policy. This may be disclosed in the “agreement” section of the employment application, covered during the on-boarding process, or otherwise reviewed with employees in conjunction with other policy changes or communications

4. You should also have periodic inspections to determine that the security around the collection and retention of the biometric data is in place. Do not wait for a breach. Determine if there are preventative steps that can occur on a spot-check audit basis to prevent the disclosure of such information.

Tweets Follow

We are having a problem with our Twitter Feed right now.