Don’t Leave a Print: Biometric Compliance for Employers
With many employers embracing new technology to achieve efficiencies in the workplace, companies using increasingly popular biometric programs must take steps to ensure that the use of these systems does not violate the law in several jurisdictions.
Biometric systems allow employees to punch timecards or authenticate access to certain computer applications through use of fingerprints, scans of facial features or irises, or through voice, hand geometry or palm vein recognition. The technology provides employers with an additional level of security. For example, it is more difficult for employees to punch in for co-workers. Biometric systems are also more secure than traditional passwords, which are easier to compromise.
Many states have passed legislation that limits the use of such information by employers. Illinois, Texas, and Washington have enacted legislation that regulates the collection and use of an individual’s biometric information. New York has not enacted a law specifically targeting biometric information, but does prohibit most private employers from requiring employees to be fingerprinted as a condition of securing or continuing employment.
The Illinois statute contains a private cause of action, and over the past two years individuals, including employees, have filed over 50 putative class action lawsuits seeking redress for corporations’ failure to comply with statutory requirements.
In other states, potential monetary exposure is high, with fines up to $25,000 per violation in Texas and up to $500,000 in exposure in Washington, if the attorney general files suit and establishes a violation. Furthermore, individuals who believe that their biometric information has been misused have increasingly filed common law claims for torts such as invasion of privacy, fraud, and negligence.
While statutory requirements differ from state to state, employers using biometric technology in the workplace should, at a minimum, check the applicable state law requirements and consider taking the following steps:
Adopt and distribute a written policy describing the purpose of obtaining biometric information, including how the information will be used, stored, and disposed when no longer needed;
Obtain written consent from employees before collecting or disseminating biometric information;
Implement protocols to safeguard the biometric information and communicate them to employees;
Recognize that limits may exist on disseminating the biometric information, including to third parties such as payroll providers, and address those contingencies in written policies;
Never use the biometric information for profit;
Review all documents disseminated to consumers and employees to ensure that you have provided proper notice, disclosures, and class action waivers, where appropriate; and
Review the law in each jurisdiction where you are collecting, storing or disseminating the information to insure state law compliance.
Employers that currently make use of biometric technologies (or are considering same) would do well to consult with competent counsel.