Throughout the United States, employers’ use of biometric data is increasing. Biometrics are the measurements of a person’s physical being. Biometric data may include an individual’s facial recognition data, retinal scans, hand geometry, and fingerprints. As use of biometrics increases, more states are adopting regulations on the collection, use, and preservation of such data.
What is Biometric Data?
Employers utilize biometrics to record employee hours, to restrict access to specific areas, computer systems, devices or data, to promote employee health through wellness programs, and for safety. In 2008, Illinois was the first state to implement a law regulating the collection, use and retention of biometric data, which became known as the Biometric Information Privacy Act (“BIPA”).
BIPA requires employers to obtain consent prior to collecting an individual’s biometrics. The law allows private citizens to commence an action against employers that collect their information without notice and consent. Shortly after BIPA was enacted, Texas endorsed a similar law. The Illinois and Texas laws are unique because many states’ laws focus on barring the collection of biometric data from minors in an educational setting.
Why Is Regulation Needed?
The Federal Trade Commission in 2012 issued a report, “Facing Facts: Best Practices for Common Uses of Facial Recognition Technologies,” to address companies’ use of facial recognition technology and to protect the privacy of individual information. In 2014, the Chinese government employed hackers to break into computer systems at the Office of Personnel Management. These hackers stole sensitive personal data, which included the fingerprints of 5.6 million people.
In addition to stealing fingerprints, face-shape data can be hacked as well. The issue with biometrics is that they cannot be changed. For example, if a law enforcement database contains images of an individual’s 10 fingerprints, replacing them is not an option. The hacking of an individual’s biometrics is unlike a stolen password because there is no way to change it. The loss is serious and permanent.
Recent Settlement
In Sekura v. L.A. Tan, a class of tanning salon customers in Schaumburg, Illinois sued the franchise under BIPA for its failure to obtain written consent prior to using their biometric data and not advising the customers how such data would be stored and eventually destroyed. There was no allegation that the company lost or did anything improper with the information; rather, the suit focused on the company’s failure to treat the data carefully, as required under the law.
This case was the first to settle under BIPA, for $1.5 million. While there are currently only one (1) dozen lawsuits commenced under BIPA, it is predicted that more suits are on the horizon if employers fail to handle biometric data properly.
State Laws on Biometric Data
Until recently, Illinois and Texas were the only states with laws addressing biometrics. However, a new wave of high-exposure litigation under BIPA has had an impact on other states’ decisions to introduce legislation on the matter. Earlier this year, Washington became the third state to enact a biometric data law. Bills are pending in Alaska, Connecticut, Massachusetts, and New Hampshire.
In 2015, New York legislators proposed bills that would regulate biometric information notice and consent requirements and limit retention and sale of such information. The bills even provided statutory damages for the individuals harmed. However, the bills never made it out of committee.
New Jersey’s Identity Theft Prevention Act protects individuals from identity theft. The Act requires businesses to notify individuals when their data has been compromised and requires these companies to destroy personal information when it is no longer needed. However, unlike the biometric laws, this law does not require consent prior to collecting a person’s biometrics.
Implications
With the use of biometrics and regulation of such use on the rise, employers currently using or considering utilizing biometric data are encouraged to ensure their use complies with the growing regulation in this area.