In the latest Weekly Wright Report:
Employers Beware: The Use of Biometric Technology Comes with Some Risks
By now, most people have an understanding of what Biometrics are. At a minimum, they have seen a fingerprint being loaded into a national crime database for comparison with millions of other fingerprints in the database or they have seen a movie actor use a contact lens to deceive a retinal scanner in order to gain access to the Pentagon. Others know that Biometrics are becoming increasingly popular with employers as a more reliable manner in which to ensure that the person gaining access to highly proprietary private information on their systems is in fact authorized to access such data.
This latter use of Biometrics Technology is the most common form of use by employers, but it is certainly not the only one. In addition to being used as a gatekeeper to things such as buildings, sensitive areas and servers, it is also used by employers for payroll and attendance purposes and as a way of monitoring and promoting the health and welfare of employees. A multitude of other purposes and uses are in place or are being developed.
Because Biometric Technology involves the collection of information about an employee that is unique to that employee and is unalterable (fingerprints, retina patterns, DNA), governing bodies have realized that it is the most personal of personal information and that the employee’s right to privacy must be protected. For this reason and others, some states and, to some extent, the federal government have begun passing laws that regulate the manner in which employers and other entities can collect, convert, use and maintain the unique biometric identifiers of their employees and customers.
Generally, there are two basic steps involved in an employer’s use of Biometrics:
1. The collection of Biometric “Identifiers” – that is, the biological traits of a person that are unique to that person alone, such as:
- Retina or iris patterns
- Face geometry
- Palm prints
2. The conversion of those collected Identifiers into metadata that will be used to verify the identity of the person from whom the Identifiers are collected. This metadata is usually called Biometric “Information.” Biometric Information is converted mathematically into a format such that it provides, externally, no information that would allow it to be traced back to the individual from whom the Identifiers were collected.
Currently, three states have passed laws that directly deal with an employer’s duties on this subject. The granddaddy of these laws is the State of Illinois’ Biometric Information Privacy Act (BIPA), which was passed 14 years ago. BIPA has since been followed by the Texan Capture or Use of Biometric Identifier Act (CUBI) and then the State of Washington’s Biometric Identifiers Law, which was enacted 5 years ago. Far and away BIPA is the most thorough of the three statutes and is the only one of the three that permits lawsuits (that is, private causes of action) to be filed by aggrieved individuals, such as employees. The other two states only permit the attorneys general of their respective states to bring an action against an employer who violates the law. Primarily due to Illinois having a private cause of action, most of the substantive law has come out of Illinois courts, and class actions regarding BIPA are commonplace in that state.
Other states have enacted laws pertaining to Biometric Identification/Information, but these are more related to the protection of consumers whose information is collected by financial institutions and credit lenders. Both Maryland and Virginia have passed Biometric Identification laws. One of Maryland’s laws is focused on and deals with the use of facial recognition technology in the interview process of employment candidates, while the Virginia law is part of its Consumer Data Privacy Act that pertains to the collection and protection of Non-public Private Information, including Biometric Identifiers and Information. The Virginia Law does not go into effect until January 1, 2023.
The laws that have been enacted to date have some primary similarities in attempting to address the issue of the collection and use of Biometric data by employers. All three laws regulate, in different manners, what notice the employer provides to the employee before the data is collected; require employee consent prior to its collection; require the protection of the data collected; restrict how the data is used and shared; regulate when and how the data can be retained and when it must be destroyed; and finally, provide the remedies for the failure of a company to comply with the law. Each state’s law treats each of these subjects differently, with BIPA (Illinois) being the most comprehensive.
The consequences for failing to comply with these laws can be devastating, especially with BIPA. BIPA permits private actions against violators provided the individual or class of individuals can establish being aggrieved by the employer’s non-compliance. Class actions have been commonplace since its passage. The Texas and Washington laws do not permit private actions, but heavy fines can be levied against a company that violates the statute.
These laws are evolving. Under BIPA, photographs were specifically excluded as a form of Biometric Identifier. However, a recent decision from the United States District Court for the Northern District of Illinois ruled, in a class action, that photographs self-submitted by users of a website in order to verify their identity are in fact Biometric Identifiers despite BIPA’s specific exclusion. This ruling opens up another element of risk to companies using biometric technology. See, Sosa v. Onfido, Inc., 2021 WL 38141 (N.D. Il. 2021); affirmed, Sosa v. Onfido, Inc., 8 F.4th 631 (7th Cir. 2021).
With the potential liabilities facing a company that is considering the use of biometric technology, it is imperative that it retain competent assistance to provide guidance and counsel as to how to create a mechanism or system that is compliant with all applicable laws currently on the books and that anticipates and adapts to new legislation and laws as they come into effect.
If you have questions, please email me at firstname.lastname@example.org.