Using Biometric Timekeeping? Be Aware of Potential Compliance Risks
Human resources professionals could certainly be excused for feeling frustrated with the fact that every technological advance improving business operations comes with new legal landmines to manage. For example, increased connectivity has greatly enhanced productivity opportunities. But at the same time, it has created new challenges with data management and integrity, off-the-clock work risks, and even management of “work from home” entitlement beliefs. Similarly, increased automation and other changes in manufacturing techniques that increase productivity could also mean challenges with collective bargaining agreements and labor relations.
And so it is with an increasingly popular way of managing timekeeping: “biometric” time clocks that record employee punch in and out times through the use of physically unique identifiers, such as hand, fingerprint or even retina scans. Through these devices, which require biometric information from a user when making a timekeeping entry, employers have an easy way to ensure employees are only punching in and out on behalf of themselves. Biometric timekeeping can severely limit, if not outright eliminate, opportunities for employee abuse and misconduct that can occur through timeclock manipulation. A biometric system thus substantially increases an employer’s confidence that an employee’s timekeeping records accurately portray an employee’s time worked, rather than being subject to challenges that someone improperly or inaccurately entered timekeeping data on behalf of another employee.
The balance of the employment law landscape of course demands that an equal set of consequences must come with such benefits. For example, in 2008, Illinois passed the Biometric Information Privacy Act. The Illinois law requires companies that collect and store biometric data to obtain written consent to do so and maintain policies and notices communicating the purpose for collecting biometric data and the protocol for destroying it once the reasons for collection and storage terminate. The law seemingly has as its principal purpose protection against identity theft concerns in the financial arena. As a result, Illinois employers utilizing biometric time clocks may have unwittingly neglected to take the steps necessary to achieve technical compliance with the law (such as by not obtaining consent to collection of biometric information or establishing proper protocols for purging biometric data following termination), even if there is no apparent risk of an actual privacy breach.
In the last few months, approximately two dozen opportunistic-looking class action lawsuits have been filed in Illinois based on such technical non-compliance, and while there is some reason to think these types of technical “gotcha” claims will not yield the penalties sought, most employers would certainly prefer to avoid class action litigation altogether rather than defend against even highly defensible claims. It is also not difficult to imagine other states joining Illinois in passing laws specifically addressing employer use of biometric timekeeping practices and attempts to use more general privacy doctrines to pursue legal claims, such that viewing biometric timekeeping compliance as a strictly Illinois issue would probably be unwise.
It can take time for the compliance landscape to unfold in the wake of new technology, and prudent employers do their best to stay ahead of emerging compliance waves, not get caught in their backwash. With biometric timekeeping, this should once again hold true. Employers using such technologies should be aware of this emerging compliance area and, whether in Illinois or elsewhere, it would behoove them to seek counsel for review of any existing policy materials or obtain assistance with preparing policies, notices and consent forms to include as part of their manuals and orientation materials! It would also be wise to have any policy materials and user agreements provided by biometric time clock vendors reviewed for legal compliance and best practices.