Biometric Data
An increasing number of employers are incorporating biometric data into their workspaces. Companies may collect fingerprints, facial scans, and more to identify and keep tabs on their employees at work. These advancements have some employees worried about their privacy rights.
What are employers doing with this data? Are they allowed to ask for it? Do employees have to go along with it? This page will address these questions and more. For more information, visit Workplace Fairness other pages on privacy rights and workplace surveillance.
Biometric data uses physical characteristics and biological measurements to verify a person’s identity. For example, an employer might require employees to use a fingerprint or retinal scanner at the door before entering certain areas. Other common forms of biometric data include palm scans, face scans, and voice recognition.
Biometrics are not just for government jobs that handle sensitive information. They are used in many industries, from healthcare to restaurants. Biometric data has a variety of uses and benefits in the workplace. Most uses are related to verifying identities and maintaining security. It also can streamline processes and cut down on paperwork. For example, an employer might use a facial scan to track when employees arrive at and leave work, rather than having employees manually clock in with punch cards or by signing a sheet. Using biometrics for clocking in and out of work also helps employers to put the hammer down on “time theft,” which refers to employees clocking in for time they were not at work or were meant to be on unpaid breaks. Biometrics can also be used to limit who has access to sensitive information or restricted areas by verifying workers’ identities.
Several states have laws relating to biometrics in the workplace, with others considering legislation. Current state laws include:
- California – CCPA (California Consumer Privacy Act). Effective since 2020, an amendment to this California law limits use and collection of biometric data. The law is intended to protect consumers, but its broad reach over private entities encompasses many employers as well.
- Illinois – BIPA (Biometric Privacy Information Act). This law was passed in 2008 but did not garner attention until class actions in 2015 alleged privacy violations with social media facial recognition. The Act requires employers to write a policy, notify employees, and obtain written consent before using biometrics. It also prohibits employers from profiting off biometric data they collect and requires them to take care to secure it. Financial penalties for violating the Act range from $1,000 to $5,000 per violation.
- Texas – CUBI (Capture or Use of Biometric Identifier Act). This law, enacted in 2009, limits private entities’ use of biometric identifiers. Employers cannot use biometrics for any “commercial purpose” without consent. They must take care to protect collected information and typically must destroy the information within one year of using it for the last time. Only the Texas Attorney General can bring suit under CUBI, not private individuals. Civil penalties can be as high as $25,000 per violation.
- Washington – H.B. 1493. This law, which became effective in 2017, authorizes the state Attorney General to sue private entities for unauthorized uses and collections of biometric data.
- There is currently no federal law that specifically addresses biometrics in workplaces. Other privacy laws provide some guidance, however. Generally, employers can monitor employees with surveillance cameras, can read their work emails, can search their office, and more because there is not a reasonable expectation of privacy. For more information, visit Workplace Fairness other pages on privacy rights and workplace surveillance. Reference the genetic information nondisclosure act. First attempt to address the use of biometric data. Have a small paragraph in beginning as a reference.
Employers might enjoy the benefits of biometrics, but workers may be hesitant to let their bosses take their fingerprints and scan their faces. They may fear that the information will get into the wrong hands. Although laws regarding biometrics are still speculative, it is likely that employers need to obtain consent before obtaining and using biometric information.
Job applicants already provide a lot of sensitive information when seeking work. Just as employers must keep employees’ social security numbers private, they must take caution to secure any biometric information they collect. If they do not, they may be subjecting themselves to liability.
Although technology can be an invaluable tool, it also has its flaws. Biometric data is the use of technology to verify identities by physical characteristics. Biometrics software and other artificial intelligence can be biased. Programs often refer to and learn from templates; This can be problematic if the template does not account for race, gender, age, disability, and other factors. Some states are protecting workers by implementing laws that regulate AI hiring software to limit bias. See our page on AI hiring for more information.
Using biometrics could open some employers to legal risks, especially regarding privacy rights and discrimination. Employers likely need consent before collecting and using biometric data – even in states that do not have laws that require it. Although there is a lower expectation of privacy in the workplace, it may be crossing the line to assume that workers automatically give up their right to withhold biometric information from employers. However, it may be legal for employers to fire or refuse to hire someone for refusing to share their biometrics.
A court in West Virginia sided with the EEOC in 2017, holding that an employer illegally fired an employee citing religious reasons when refusing to use a biometric scanner for clocking in and out (EEOC v. Consol Energy). The court awarded the former employee over $550,000.
Employers could face harsh consequences if they fail to adequately secure their workers’ private data. Pursuant to an Illinois state law, an employer in 2023 case was liable for over $1,000 per employee and per day for improperly collecting, storing, and using biometric data (Cothron v. White Castle System, Inc.).
AI bias raises other legal concerns. Discrimination might occur if, for example, a fingerprint scanner was more capable of scanning young white workers’ fingerprints than scanning older workers’ or black workers’ fingerprints. Make sure we understand exactly what we are saying. AI and connection. If none, take out.
Consider contacting an employment lawyer if you are either a worker who believes their rights were violated or if you are an employer who wants to use biometrics.
Employers should take care to look out not only for themselves, but for their employees. A spurned employee could very well take legal action against a boss or a company that mishandles biometric data. Reputational Some precautions employers can take to lessen the legal risks with biometrics include:
- Obtain written informed consent from employees before collecting and using their biometric information.
- Write a work policy that explains for what biometrics is used.
- Use security software and do not share employee data, especially for commercial purposes.
- Do your research before choosing what system or software to use for biometrics, as some AI may carry biases and lead to inadvertent discrimination.
- Contact an employment lawyer for more advice.