The California Data Privacy Implications of Using Facial Recognition in the Wake of the COVID-19 Pandemic
On May 4, 2020, California Governor Gavin Newsom announced that the state would begin the process of allowing various businesses to reopen physical locations as part of a four-phase plan that seeks to gradually re-establish business operations in light of the ongoing COVID-19 pandemic. While a welcome sign for many businesses and employees, the phased re-opening of California brings about a flurry of return-to-work issues, one of which is how businesses can reduce the number of physical touch points in the workplace.
Employers Are Looking to Eliminate Heavily Trafficked Physical Touch Points
For many employers, one of the most frequented physical touch points in the workplace is the time clock. Be it a keypad, fingerprint, or touchscreen time clock, nearly every clock-in/clock-out device used by businesses requires repeated physical contact by employees. Therein lies the dilemma: how can a business resume “regular” operations as quickly as possible but allow employees to record hours worked without coming into contact with one of the most heavily trafficked physical touch points in the workplace? For many employers, the answer may be found in facial recognition technology.
Once relegated to the realms of science fiction, facial recognition technology has evolved to become a viable touchless time clock. Commercial vendors market facial recognition time clocks as the solution to timecard fraud; they claim that such time clocks speed up the entire time punch process. Now, however, the chief selling point may be the fact that such technology requires no physical contact from employee-users.
Recent California Supreme Court Decisions Incentivize the Use of Facial Recognition
In February 2020, the California Supreme Court announced its Opinion in Frlekin v. Apple, which answered a key question that had been jostled around various lower courts for years: is time spent on an employer’s premises waiting for, and undergoing, security searches compensable under California’s Wage Orders? The Supreme Court answered, yes.
This answer, however, levied a significant quandary upon businesses that operate retail stores, warehouses, and other locations where security searches are commonplace: how are they going to accurately record compensable time? At first blush, the easy answer would be to place time clocks after security checkpoints. But in some locations, architectural barriers, customer-facing concerns, or other business considerations preclude such an option. Moreover, such a plan would likely trigger significant physical distancing concerns as employees line up to clock out.
The practical concerns associated with the wake of Frlekin are compounded by the California Supreme Court’s 2018 decision in Troester v. Starbucks. In Troester, the California Supreme Court significantly limited the use of the de minimis doctrine, which was often invoked by employers in defense of claims by employees who claimed that brief periods of time spent between clocking out and physically exiting the employer’s facility was compensable under California law.
The Troester and Frlekin decisions call for new solutions to these wage-and-hour problems. Using facial recognition technology to track employees entering or leaving a work site could be the solution employers are looking for.
Employee Privacy Implications of Using Facial Recognition Technology
The decision to utilize facial recognition technology to replace traditional time clocks is one that requires vendor due diligence and balancing of employee privacy issues. As an initial matter, data processed or stored on time clock systems using facial recognition technology will likely constitute biometric data protected by section 1798.82 of the Civil Code, known as California’s data breach reporting law. Employers that opt to use facial recognition technology should be cognizant of their obligations to secure biometric data using appropriate measures like encryption.
Another source of potential regulation is the California Consumer Privacy Act (CCPA), which applies to certain covered employers in California. As previously reported in Employee Privacy by Design: Guidance for Employers Beginning to Comply with the California Consumer Privacy Act and Big Bang! California Expands Employee Privacy Rights & Insights from the Office of Attorney General, the CCPA is one of the most significant pieces of privacy legislation in the United States. The CCPA provides California consumers and employees certain privacy rights and protections over their personal information collected by businesses. Under the law, covered employers must provide employees with disclosures about the types of personal information they collect from employees and why they collect them. One form of personal information regulated by the CCPA is biometric data.
For now, the CCPA does not expressly restrict an employer’s ability to implement facial recognition technology to track an employee’s work hours; the covered employer must simply provide its employees with a notice at collection that sets forth specific information regarding the facial recognition time clocks and the use of the employee’s biometric data. In 2021, however, employees will have additional rights under CCPA, including the right to request access and deletion of their personal information. In addition to providing notice to employees, companies must ensure that biometric data is processed, handled, and secured in an appropriate manner. Failure to reasonably secure data could result in significant penalties under the CCPA if the data is compromised.
Given its present lack of restriction on the use of biometric data, the future of the CCPA’s regulatory landscape may resemble Illinois’ Biometric Information Privacy Act (BIPA), which we have written about here and here. Like the CCPA, the BIPA sets forth various notice requirements for private entities that collect “biometric identifiers” and “biometric information,” which include a scan of a person’s facial geometry. From there, the BIPA goes further than the CCPA by requiring employers to obtain consent before collecting their employee’s biometric data. Among other things, the BIPA also requires employers to develop a written policy establishing a retention schedule and guidelines for permanently destroying biometric identifiers and information when the initial purpose for collecting or obtaining the identifiers or information has been satisfied, or within three years of the employee’s termination, whichever occurs first.
Facial Recognition Technology Is Here to Stay
As the world adjusts to a new “normal” that involves physical distancing and a heightened focus on sanitation, businesses are going to look toward reducing the number of physical touch points in the workplace. Facial recognition technology – already under consideration following the California Supreme Court’s decisions in Troester and Frlekin – will likely play a key role in the future workplace.
As you are aware, things are changing quickly and there is no clear-cut authority or bright line rules. This is not an unequivocal statement of the law, but instead represents our best interpretation of where things currently stand. This article does not address the potential impacts of the numerous other local, state and federal orders that have been issued in response to the COVID-19 pandemic, including, without limitation, potential liability should an employee become ill, requirements regarding family leave, sick pay and other issues.