Minimize Litigation Risks When Using Biometric Data

This is the second article in a two-part series on biometric technology and the law. The first article explains the legal requirements for using biometrics in the workplace. This article provides tips on avoiding liability.

Under various state laws, the potentially extensive legal exposure to individual and class-action lawsuits stemming from the collection, storage and use of biometric data should give employers pause before they implement biometric-data programs in the workplace.

Companies that acquire and use biometric data face the thorny task of complying with an intricate web of regulations governing the use of that data—a task that will only become more difficult as more states adopt their own versions of biometric data privacy legislation.

A new wave of biometric-data lawsuits, particularly in Illinois, will likely build as a result of the Illinois Supreme Court's Jan. 25 ruling in Rosenbach v. Six Flags Entertainment Corp., No. 123186, which determined that plaintiffs can pursue claims for mere technical violations of Illinois' Biometric Information Privacy Act (BIPA), even absent any actual injury or harm. Many lawsuits have not centered on challenges to employers' use of biometric data but instead have focused on the collection of such data.

Fortunately, employers can implement several best practices to minimize the risk of becoming embroiled in litigation stemming from the use of workers' biometric data.

Written Guidelines, Notice and Consent

A good starting point for employers is to devise and publish clear written guidelines for the company's collection, use and storage of biometric data, as well as for how the company will respond to any breaches.

Companies should establish a retention schedule and guidelines for permanently destroying biometric data when the employer's initial purpose for collecting that information has been satisfied, or within one to three years of the individual's last interaction with the employer, depending on the applicable regulation. The guidelines should bar employees from disclosing any worker's biometric data without his or her consent, and from selling or otherwise profiting from any biometric data.

Distribute the policy—which should detail the organization's purpose for obtaining and using biometric information and the security measures developed to safeguard employee biometric data—to all employees, and include it in the company's personnel policies as appropriate. All biometric-data policies should contain a written statement in which employees acknowledge proper notice regarding biometric data use in the workplace and consent to the collection and use of biometric data in the workplace.

Employers also should provide individualized written notices to all employees before collecting, storing or using any biometric data.

To comply with BIPA, all written biometric-data notices must contain at a minimum:

  • Language informing the data subject that biometric data is being collected and stored.
  • The specific purpose for and length of time during which the data is being collected, stored and used.
  • When applicable, language that informs the data subject that his or her biometric data will be shared with service providers or third parties.

The Final Word

Employers that collect and use employee biometric information should develop and maintain an understanding of the significant risks associated with biometric data and try to minimize them.

Employers that operate in Illinois, Texas and Washington must take proactive measures immediately—if they have not already done so—to ensure compliance with these states' biometric data privacy regulations.

Even employers in other states should strive to be proactive in how they collect, handle, store and dispose of biometric data, as it is only a matter of time before additional states enact legislation.

Ana Tagvoryan, Brooke T. Iley and David J. Oberly are attorneys with Blank Rome in Los Angeles; Washington, D.C.; and Cincinnati, respectively.

