Employers increasingly maintain timekeeping systems that require employees to clock in and out of work using their fingerprints to reduce the risk of coworkers clocking in for each other (so-called “buddy punching”) and to increase the accuracy of time reporting. Fingerprints are biometric data, and some employees fear that their data could be stolen or sold, leading to identity theft. The damage caused by identity theft is greater when biometric data is stolen because, unlike Social Security numbers or other personally identifiable information, an individual’s biometrics cannot be changed.
At present, there is no federal statute regulating employers’ use of employees’ biometric data, and just three states — Illinois, Texas and Washington — have laws that specifically regulate biometric privacy.1 Of those three, only Illinois’s law provides a private right of action. In Texas and Washington, the state’s attorney general can bring a claim for violation of the statute.
Illinois Biometric Information Privacy Act
Illinois was the first state to enact a statute governing the privacy of biometric data. The Biometric Information Privacy Act, 740 ILCS 14/1, et seq. (BIPA), enacted in 2008, was passed in response to the growing use of biometrics and the potential for identity theft if biometric data is compromised. The BIPA’s legislative findings state:
Biometrics2 are unlike other unique identifiers that are used to access finances or other sensitive information. For example, social security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.
To address the risk of identity theft, the BIPA requires that private entities take specific steps before they collect and use biometric information of Illinois residents:
740 ILCS 14/15(a), (b).
The BIPA also prohibits a private entity from selling or profiting from a person’s biometric information. 740 ILCS 14/15(c). Private entities possessing biometric information are required to protect it from disclosure “in a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.” 740 ILCS 14/15(e)(2).
The cost of not complying with the BIPA is high; an employer could be liable for damages of up to $1,000 for each negligent violation and for liquidated damages of up to $5,000 for each intentional/reckless violation, as well as attorneys’ fees. The plaintiffs’ class action bar, availing themselves of the private right of action under the BIPA, has filed dozens of lawsuits in the past year (and as recently as this month) alleging that employers failed to comply with the BIPA’s requirements. See, e.g., Jackson v. A. Finkl & Sons Co., No. 2018-CH-07424 (Ill. Circuit Ct. June 13, 2018).
The Texas Capture or Use of Biometric Identifier Act
Texas passed its Capture or Use of Biometric Identifier Act (CUBI), Tex. Bus. & Com. Code Ann. § 503.001, in 2009. The CUBI regulates only biometric identifiers3 that are used for a “commercial purpose.” Commercial purpose is not a defined term, and the CUBI does not address explicitly whether it applies to an employer’s use of fingerprints for timekeeping. The CUBI does provide, however (in a section concerning when biometric identifiers must be destroyed), that if an employer collects a biometric identifier for a security purpose, the purpose is presumed to expire when the employment relationship terminates. Id., § 503.001(c-2). That language suggests that the CUBI is intended to apply to employers’ collection of biometric data.
The CUBI prohibits private entities from capturing an individual’s biometric identifier for a commercial purpose unless the individual is informed and consents before the biometric identifier is captured. Unlike the BIPA, the CUBI does not require that the consent be in writing. Id., § 503.001(b).
Similar to the BIPA, the CUBI (1) generally precludes a person from selling, leasing or otherwise disclosing an individual’s biometric identifier to another person, and (2) requires that biometric identifiers be stored, transmitted and protected from disclosure using reasonable care and in a manner that is the same or more protective than the manner in which the person handles other confidential information. Id., § 503.001(c). Under the CUBI, biometric identifiers generally must be destroyed within a reasonable time, no later than the first anniversary after the date that the purpose for collecting the identifier expires.4 Actions under the CUBI may be brought only by the state attorney general, who can recover up to $25,000 for each violation. Id., § 503.001(d).
Washington Law Governing Biometric Identifiers
Washington’s law governing biometric privacy, enacted in 2017, is the most recent. See RCW § 19.375.020. In passing the law, the Washington legislature noted that citizens "are increasingly asked to disclose sensitive biological information that uniquely identifies them for commerce, security, and convenience. The collection and marketing of biometric information about individuals, without consent or knowledge of the individual whose data is collected, is of increasing concern." RCW § 19.375.900.
Notably, Washington’s law addresses only the “enrollment”5 (not simply capture) of a biometric identifier in a database for a commercial purpose. It prohibits enrollment6 “without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose.” RCW § 19.375.020. The law does not require any particular type of notice or consent, stating that it is context-dependent. “Commercial purpose” is defined as “a purpose in furtherance of the sale or disclosure to a third party of a biometric identifier for the purpose of marketing of goods or services when such goods or services are unrelated to the initial transaction in which a person first gains possession of an individual’s biometric identifier.” RCW § 19.375.010(4). Commercial purpose specifically excludes a “security purpose,” which encompasses preventing fraud or any other misappropriation or theft, and protecting the security of any person. RCW § 19.375.010(4) & (8).
Washington’s law provides that entities that collect, capture, enroll or store a biometric identifier in furtherance of a security purpose are not required to provide notice and obtain consent. This exemption likely applies to the use of biometrics for two-factor security authentication.
Given the narrow definition of commercial purpose, the use of fingerprints for timekeeping may not be covered by Washington’s law. That practice does not appear to be in furtherance of the sale or disclosure of fingerprints to a third party for the purpose of marketing goods or services unrelated to capturing fingerprints or handprints for timekeeping. Even if it met that general definition of commercial purpose, biometric timekeeping arguably serves a security purpose of preventing fraud or theft, in which case Washington’s law does not apply. If the Washington law does apply, the potential penalties are significant; the statute authorizes the state attorney general to enforce violations under Washington’s consumer protection act, which provides penalties of up to $500,000.
New York Law Prohibiting Fingerprinting
While not a biometric privacy law, New York has a law that generally prohibits private employers (except legally incorporated hospitals, supported in whole or in part by public funds or private endowment and medical colleges affiliated with such hospitals or private proprietary hospitals) from requiring employees to be fingerprinted as a condition of securing employment or of continuing employment. NY Labor Law 201-a. Under this law, New York employers cannot require employees to use their fingerprints to punch a time clock.
Common Law Claims
In addition to statutory protection of biometric data, employees also have remedies at common law. For example, employees who are concerned about how their biometric data is collected and disseminated can assert common law claims for negligence and invasion of privacy. See, e.g., Jackson v. A. Finkl & Sons Co., No. 2018-CH-07424 (Ill. Circuit Ct. June 13, 2018) (plaintiff filed a putative class action under the BIPA, including a claim for negligence). Under a negligence theory, employees could argue that their employer had a duty to exercise reasonable care in the collection and use of their biometric data and breached that duty by failing to protect and secure the data, increasing the risk of access by third parties and identity theft.
Employees also can claim invasion of privacy, asserting that they have a right of privacy in their biometric data that outweighs their employer’s business purpose in using a biometric time clock system because the employer can track employee work time in other, less invasive, ways. The law of privacy varies from state to state. Some states recognize a much broader right of privacy in the workplace setting than other states. California and New Jersey, for instance, recognize broad rights of privacy for employees of private sector employers. In light of the recognition of the potential negative impact on privacy caused by the use of biometric data in the workplace, we expect invasion of privacy claims to be brought whenever damage is caused by the data’s use.
General Data Protection Regulation (GDPR)
Finally, employers that have employees or operations in the European Union should be aware that the GDPR, which went into effect on May 25, 2018, imposes restrictions on the use of biometric data and generally requires “explicit consent” that is given freely to process such data.
In this era of public data breaches and high sensitivity to the risk of identity theft, employers that collect biometric information from employees should proceed carefully, even if they do not operate in Illinois, Texas, Washington or New York. Other state legislatures are considering laws to regulate the use of biometric data. And, in some states, biometric data is identified as a type of personal information (either by itself or in conjunction with other information) that, if disclosed, will trigger data breach notification obligations.
Even when not statutorily required, employers that use employee biometric information should consider taking the following steps to minimize the risk of a claim under a state statute or common law:
1 Biometric privacy laws have been proposed in several other states.
2 The BIPA defines "biometric information" as any information, regardless of how it is captured, converted, stored or shared, based on an individual's biometric identifier used to identify an individual. A "[b]iometric identifier" is a retina or iris scan, fingerprint, voiceprint or scan of hand or face geometry.
3 Biometric identifiers are defined as a retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry. Id., § 503.001(a).
4 As discussed above, if a biometric identifier that has been captured for a commercial purpose is collected by an employer for “security purposes” (not defined in the CUBI), the purpose for collecting the identifier is presumed to expire on termination of the employment relationship.
5 “Enroll” is defined as capturing the biometric identifier of an individual, converting it into a reference template that cannot be reconstructed into the original output image, and storing it in a database that matches the biometric identifier to a specific individual.
6 The Washington law does not apply to financial institutions or their affiliates that are subject to Title V of the Gramm-Leach-Bliley Act or to activities subject to Title V of the Health Insurance Privacy and Portability Act.
The material in this publication was created as of the date set forth above and is based on laws, court decisions, administrative rulings and congressional materials that existed at that time, and should not be construed as legal advice or legal opinions on specific facts. The information in this publication is not intended to create, and the transmission and receipt of it does not constitute, a lawyer-client relationship.