The complex legal landscape surrounding privacy, including biometrics, continues to evolve at the state level. This growing body of legislation has led to lengthy privacy policies across the internet. Based on a 2008 study by Professor Lorrie Faith Cranor, former chief technologist for the U.S. Federal Trade Commission, "if you were to go ahead and read all the privacy policies that you encountered on websites, you would likely be spending 244 hours per year in order to do that." – Professor Cranor in a statement to the CPPA in March 2022
Several states now have privacy laws that generally include a definition of protected biometric data. A controversial topic has been the collection and use of employee biometric data by an employer, and whether it should be exempt from regulations otherwise aimed at consumers.
Two states, in particular, Illinois and Texas, have laws that cover employees' biometric information:
- Illinois Biometric Information Privacy Act (BIPA)
- Texas Capture or Use of Biometric Identifier Act (CUBI)
There are good reasons to use employee biometrics, such as multi-factor authentication and securing perimeters using retinal scans, fingerprints, or facial recognition. Of course, you can't be expected to know every nuance of the law; that's for your legal team. However, if you collect and use employee biometric data, a few things to be aware of and a checklist of good hygiene best practices can help mitigate the threat of litigation.
Common Uses of Employee Biometrics by Employers
- Timekeeping – Biometrics-driven timeclocks
- Security – Retina scans, facial recognition or fingerprint to control access to restricted areas
- Multi-factor Authentication – Biometrics as an authentication factor to control access to computer systems and network resources
- Tracking Productivity – Companies like Amazon are exploring wearable devices to track employees on the job.
- Biometric Screening – Biometric screenings of employees as part of a broader health or wellness program. Employers may also incentivize employees to share biometric data from wearable health and fitness trackers.
What is Considered Protected Biometric Data?
BIPA and CUBI define biometric identifiers as:
- Retina or iris scan
- Voiceprint, or
- Record of hand or face geometry
Other biometric identifiers include:
- Palm Prints
- Other unique biological characteristics used to identify a specific individual
Biometric information generally refers to the data derived from biometric identifiers.
Photograph vs. Facial Scan
BIPA's definition of biometric identifiers expressly excludes photographs. Nevertheless, courts have found that the statute covers technology scans used to identify facial features in digital photographs.
In Facebook Biometric Information Privacy Litigation 2016, Facebook argued that facial recognition for photo tagging could not fall under BIPA because "photographs" are excluded from the definition of biometric information. The court disagreed, holding that the Facebook scans "create a 'unique digital representation of the face.'" Because BIPA's definitions include a "scan of hand or face geometry," this allegation was sufficient to defeat Facebook's motion to dismiss. Facebook eventually agreed to settle the case for $650 million.
Fines and Case Examples
BIPA contains a private right of action allowing any "aggrieved person" to sue an offending employer. Each person is entitled to liquidated damages of $1,000 or actual damages, whichever is greater, for a negligent violation, or $5,000 or actual damages, whichever is greater, for an intentional or reckless violation. Plaintiffs are also entitled to attorney's fees and costs, injunctive relief, and any other relief the court deems appropriate.
Because BIPA makes liquidated damages available, it has become a honeypot and the subject of dozens of purported class action lawsuits. CUBI is subject to a civil penalty of up to $25,000 per violation. However, there is no private right of action, and only the attorney general may bring an action to recover the penalty.
In Rapai v. Hyatt Corp. 2017, an employee alleged that they and colleagues were required to use a fingerprint time clock, but Hyatt did not ask for permission and failed to maintain a written policy on using employees' biometric data. Hyatt settled the suit for $1.5 million.
In 2021, TikTok reached a $92 million settlement in a class action litigation in which it was alleged that TikTok collected, captured, obtained, stored, and disclosed users' facial geometric scans without users' consent.
In June 2021, Walmart settled a lawsuit—for roughly $10 million—based on its employees' use of a palm scanner when checking out and returning cash register drawers. The Walmart case is notable because Walmart (1) permitted employees to choose whether to use the palm scanner or, in the alternative, a personal identification number; (2) stopped using the palm scanner in 2018; (3) deleted all data collected by the palm scanner during the period it was in use; and (4) argued that there was no injury to any class member. Nonetheless, the court denied Walmart's motion to dismiss.
Message to Employers
Based on several court cases, any collection or use of employee biometric data without following the statutes' strict requirements gives the employee the right to sue the employer, regardless of whether any additional harm resulted.
Employer Best-practices Checklist
For employers who use or would like to start using biometric data in the workplace—for timekeeping, security, or any other procedure—experts recommend the following best practices:
- Audit the use of biometric data
- Consider potential legal ramifications for the use of biometric data – be aware of privacy laws in jurisdictions where you operate
- Provide notice and obtain consent
- Create a written policy on biometric data
- Create a consistent policy for accommodating employees
- Safeguard biometric data
- Properly dispose of biometric information
- Develop responses to data breaches
- Train employees
- Never sell or share biometric data with third parties without consent
- Examine third-party agreements to ensure compliance
- Contact an industry expert to discuss how this applies to your organization
Truvantis Information Privacy Program
The landscape of privacy regulations is vast and continuously evolving. Truvantis can help you select and track which requirements are applicable. In addition, we can help build a solid central privacy program capable of supporting the entire matrix of international, federal, and rapidly changing state laws and regulations to which businesses may be subjected.
Ready to move forward? Contact Truvantis for more information and to start your pre-audit consultation.
Truvantis is a cybersecurity consulting organization providing best-in-class cybersecurity services to secure your organization's infrastructure, data, operations, and products. We specialize in helping our customers improve their cybersecurity posture by implementing testing, auditing and operating information security programs.