How to Stay Within the Law When Using Biometric Information
Ensure compliance with biometric privacy statutes and data-breach laws

Imagine a new technology that enables HR professionals to accurately monitor employee attendance and ensure facilities are accessed only by authorized personnel. Best of all, this technology is far harder to abuse or falsify than a badge or PIN, cuts costs and administrative time, and can be operated by anyone with just the touch of a finger.
Companies are increasingly incorporating technologies into the workplace that use employee biometric data to accomplish these objectives. But the benefits of these technologies are accompanied by legal scrutiny, so companies must remain aware of their obligations regarding employee biometric data.
What Is Biometric Information?
Biometric data refers to unique, measurable human biological or behavioral characteristics that can be used for identification. Biometric identifiers include fingerprints, voiceprints, retina or iris scans, and scans of hand or face geometry. Unlike a password or badge, a biometric identifier cannot be reissued if it is compromised, which is why these laws treat it more strictly than other personal information.
In the workplace, the most common example of biometrics involves the use of employee fingerprints to access facilities or clock in and out through timekeeping systems. Companies are also gradually incorporating biometric identifiers into consumer transactions, such as using facial recognition software or fingerprint scans to authenticate users when they make ATM withdrawals or unlock their phones.
What Legal Restrictions Apply?
As biometric technologies become more common, laws continue to develop and provide more guidance to employers about properly collecting, storing and using biometric information:
Biometric information privacy statutes. Several states have passed laws that regulate how companies may collect, store and disclose biometric information from employees or other individuals. Illinois took the lead with this legislation, passing its Biometric Information Privacy Act (BIPA) in 2008. Citing the public's concern with the use of biometrics for business transactions and the heightened risk of identity theft that biometric information entails, the Illinois Legislature sought to protect individual privacy and encourage private entities to bolster information security. The statute flew under the radar until a surge of class-action lawsuits was filed in 2015, targeting companies such as Facebook and Shutterfly for alleged violations. More-recent lawsuits have taken aim at smaller employers in Illinois. And it's easy to see why attorneys have taken notice: BIPA provides for liquidated damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation (or actual damages, if greater), plus attorney fees, and the statute lets individuals sue directly.
BIPA requires employers to adopt a publicly available written policy establishing a retention schedule and destruction guidelines for biometric data, to inform individuals in writing of the purpose and length of collection and obtain a written release before collecting biometric data, and to store and protect any biometric information collected using the reasonable standard of care in the industry and at least as protectively as the company treats its other confidential information. Additionally, employers may not disclose biometric information except in limited circumstances, such as with the individual's consent or when required by law. Employers may not sell, lease, trade or otherwise profit from any individual's biometric information.
Other states have followed Illinois' lead on biometric-information privacy laws: Texas and Washington have similar laws on the books, although they entail less-comprehensive requirements and do not offer the opportunity for individuals to bring private lawsuits for violations. Comparable legislation is pending in several other states. As concerns about privacy increase, this trend is likely to expand to more and more states.
Data breach notification statutes. A growing number of state data-breach notification statutes include biometric information in the definition of protected personal information. Under these statutes, an employer must notify an employee if his or her biometric information is exposed through a breach of the employer's records. Each statute includes specific requirements regarding when notification must be provided and what type of activity constitutes a breach that triggers the notification requirement. Violations of these laws can lead to state agency investigations and steep penalties. For example, the New Mexico statute authorizes civil penalties of up to $150,000.
Practical Suggestions for Compliance
To ensure compliance, employers should:
- Audit the workplace. Perform an audit of the workplace to identify any biometric information that is in use. Review the company's policies and procedures related to the storage, retention, disclosure and destruction of such information. When considering the implementation of any new technology, such as a timekeeping system, determine whether it will collect or use biometric data.
- Familiarize yourself with the law. Review applicable state and federal law to determine any legal obligations related to handling employee biometric information. Don't forget that obligations likely also extend beyond employee information to include the handling of client or third-party biometric information. If you are unsure which laws apply, it's a good idea to consult an attorney for clarification.
- Adopt appropriate policies. Draft policies that comply with state laws and that advise employees of their rights and the company's obligations related to the collection, storage, retention, destruction and usage of their biometric information. Don't forget to review any data-breach notification policies to ensure that they include "biometric data" within the definition of protected information. Even if an employer's state has not passed any laws that affect the organization's use of biometric information, the company should consider adopting similar policies if it already uses biometric data in the workplace. Depending on applicable law, it may also be necessary to create a written authorization and release covering the collection and use of biometric information.
- Consult with service providers. Many companies outsource aspects of HR to third-party providers. If an employer has engaged a payroll company or any other HR provider that collects or uses employee biometric information, it should discuss the service provider's obligations with respect to this data, where and how long the provider stores it, and the provider's efforts to comply with applicable law. Make sure that everyone is on the same page when it comes to compliance, because an employer may remain responsible under these statutes for data its vendor mishandles.
Lauren A. Daming is an attorney with Greensfelder, Hemker & Gale PC in St. Louis.