More businesses are using biometric technology to identify employees and secure points of access. The challenge is ensuring compliance with emerging state laws.
As information security becomes paramount, organizations are looking for ways to boost accuracy and lower friction when identifying employees and gating access. One solution is biometrics: technology that uses unique human characteristics to positively ID your staff members. As Security Boulevard notes, by 2022, 40 percent of businesses plan to adopt biometric technology with the intent of reducing total infosec costs and limiting fraud.
Given the highly personalized nature of the data being collected, however, some states are crying foul and developing legislation to regulate biometric use. While many employers mean no harm, it's now critical to understand the evolving legal landscape before deploying any bio-driven ID solutions.
What are "Biometrics?"
Author Arthur C. Clarke famously noted that, "Any sufficiently advanced technology is equivalent to magic." Today, technology once confined to the realm of science fiction is commonplace, and biometrics represents the cutting edge of tech solutions that leverage individualized human data to produce actionable results.
The term "biometrics" generally refers to the measurement and analysis of certain biological characteristics of an individual, such as fingerprints, facial geometry, retinal scans and voiceprints. Biometric solutions are now being used for such functions as gating access to smartphones and bank accounts. Indeed, biometric technology stands as a promising development in the ongoing effort to ensure that sensitive information can only be accessed by authorized individuals.
Common Uses for Biometrics
In the workplace, some employers use biometric technology to limit access to restricted areas by requiring biometric identity confirmation. Others use biometric time clocks to help verify employees' identities when they clock in or out by scanning a portion of the employee's finger or hand and comparing that with records on file. The time clocks do not collect or store an exact image of the employee's finger or hand print; rather, they create and store an encrypted mathematical template of a portion of the scanned finger or hand. No part of the finger or hand scan is stored.
As these technologies evolve, organizations have greater expectation that staff will provide biological data to improve security. State governments, meanwhile, are now moving to regulate the collection, use and disclosure of biometric data — including data collected by time clocks that scan fingers and hands.
A recent decision by the Illinois Supreme Court holds that any wrongful collection and use of an individual's "biometric data" is actionable against the collecting business, even if the individual suffers no actual harm. In practice, this means that if you're using biometric solutions in Illinois (such as time clock technology), you must ensure that you're compliant with applicable laws. In the case of Illinois, employers must ensure that their operations are in accordance with the Biometric Information Privacy Act ("BIPA") by consulting with legal counsel, providing sufficient notice, obtaining consent, and storing and deleting biometric data as required.
The Illinois law is effectively a precursor, and organizations should expect other states to draft similar legislation. In the meantime, businesses would do well to adopt privacy-first biometric policies ahead of any new compliance expectations.
Evolving Legal and Compliance Considerations
BIPA represents the broadest application of biometrics law. Specific provisions for your business include:
- The creation of written policies that are available to the public detailing the handling of biometric data
- The establishment of retention schedules and guidelines for permanently destroying biometric data within a certain period of time
- The disclosure of use purposes for employee biometric data
- The acquisition of a written release before collecting and storing biometric data
- The development of reasonable procedures to store, transmit and protect this data from disclosure
It is worth noting that BIPA provides avenues for individuals to file lawsuits. Since July 2017, more than 240 class action lawsuits have been filed under BIPA against employers operating in Illinois. Statutory damages range between $1,000 and $5,000 per violation.
This legislation is also evolving: On January 25, the Illinois Supreme Court ruled in the case of Rosenbach v. Six Flags Entertainment Corp that actual harm is not required to bring an action for a BIPA violation. To begin legal action and seek damages against a business, individuals need only demonstrate that biometric data has been collected without written consent or proper disclosure of intent. As a result, BlPA class action suits are now easier to file and substantiate in Illinois.
Developments On the Horizon
While Illinois is on the forefront of biometrics legislation, other states, including Washington and Texas, have also developed laws to regulate biometrics. Others are considering such laws, including Arizona, New Hampshire and Michigan.
At ADP, it's our goal to embrace cutting edge technology while helping our clients stay up to date on compliance requirements related to emerging legislation.
For additional insights on biometrics and other important law-related matters, view our webcast: Workplace Compliance Spotlight: Hot Employment Law Topics.