In an effort to improve data security, many companies have begun using biometric data, such as fingerprints and other unique physical features, as high-tech replacements for passwords. In fact, the use of “biometric time clocks” – fingerprint recognition technology that authenticates when an employee clocks in and out of work — is becoming increasingly more common in the workplace. In view of these efforts, legislatures in a handful of states have passed biometric privacy laws that are intended to govern the use of – and prevent the misuse of – this data.
Biometrics usher in new privacy laws, litigation risks
While the state laws governing the use of biometric data are well-intentioned, these laws create a significant risk of liability for all companies that collect biometric data, including those that use biometric data for internal purposes and for purposes wholly unrelated to security. For example, the Illinois Biometric Information Privacy Act (BIPA) requires all private entities in the possession of “biometric identifiers” (including retina or iris scans, fingerprints, voiceprints, or scans of hand or face geometry) to develop written, public policies concerning the use, retention, and destruction of biometric identifiers. In addition, BIPA prohibits the collection, capture, purchase, receipt through trade, or other acquisition of a person’s biometric information without first obtaining an informed release from that person. Those aggrieved by a violation of BIPA can obtain liquidated damages in the amount of $1,000 for a negligent violation and $5,000 for an intentional or reckless violation.
The broad sweep of BIPA, coupled with the statutory damages provision, has resulted in a rush of class action lawsuits alleging violations of BIPA by a range of businesses, from tanning salons to Google. And a California federal court recently certified a class in one of those lawsuits, In re Facebook Biometric Information Privacy Litigation, holding that the individual members of the class were entitled to recover statutory damages under BIPA even if they could not establish any individual injuries.
Employer next steps for reducing risk
As In re Facebook demonstrates, state laws governing the use of biometric data can and will substantially impact companies across the nation. Even if your company does not currently collect or use biometric information from residents or employees in U.S. states that currently have biometric privacy laws, you need to be prepared for the possibility of similar laws being adopted in Oklahoma and other states in which you do business.
Those that collect and use biometric data face the difficult task of complying with a complex web of regulations governing the use of that data, a task that will become more difficult as additional states enact biometric privacy and other data privacy laws. Companies that collect and use data gathered from their employees and customers should take note of the risks associated with the use of that data, and should begin taking steps to minimize those risks. Best practices for employers include enacting written policies governing the collection, use and storage of biometric data, updating employee handbooks to provide proper notice of those policies, obtaining consent prior to the collection and use of biometric data (even if the use is not commercial in nature), and monitoring legislation at the state and federal level to ensure continued compliance with all new and existing laws governing biometric data usage.