Employment Checklist - Best Practices for Using Biometric Information for Timekeeping
Reproduced with permission from Bloomberg Law Reports. Copyright 2018 by The Bloomberg Bureau of National Affairs, Inc. http://www.bna.com.
Editor's Note: This checklist assists in-house counsel, human resources professionals, and management in understanding and addressing the risks involved in using a biometric timekeeping system, such as one that requires employees to clock in and out of work using their fingerprints.
Why Use Biometric Timekeeping?
- “Punching” a time clock with a fingerprint avoids the practice of co-workers clocking in for each other.
- Biometric timekeeping systems provide a more accurate record of the time that the employee is “on the clock.”
Understanding the Risks of Biometric Timekeeping
- If biometric information is stolen or sold, it can lead to identity theft. This is because biometric information constitutes personally identifiable information (PII). PII is any information that could potentially identify a specific individual, including any information that can be used to distinguish one person from another and to de-anonymize otherwise anonymous information.
- Theft of biometric information can be more problematic than theft of other types of PII because biometric information, such as a fingerprint, can't be changed (unlike, for example, a Social Security number).
Complying With the Laws Regulating Employer Use of Employee Biometric Information
- Currently, there is no federal statute prohibiting employers from:
  - collecting employee fingerprints
  - storing employee fingerprints, or
  - requiring employees to clock in and clock out with their fingerprints.
If the Employer Has Operations or Employees in Illinois
- Illinois has the Biometric Information Privacy Act (BIPA), 740 ILCS 14/1, et seq., which provides a private right of action. If an employer possesses employee biometric identifiers or information, it must do the following under BIPA:
  - Provide prior written notice that an employee's biometric identifier or biometric information will be collected or stored and for what purpose, and of the length of time for which the biometric identifier will be collected, stored, and used.
  - Obtain a signed written release from the employee.
  - Develop a written, publicly available policy containing a retention schedule and guidelines for the permanent destruction of biometric identifiers and information when the purpose for collecting or obtaining them has been satisfied or within three years of the employee's last interaction with the employer.
  - Not sell, lease, trade, or otherwise profit from the employee's biometric identifier or information.
  - Protect biometric identifiers and information from disclosure in a manner that is the same as or more protective than the way in which the employer treats other confidential and sensitive information.
If the Employer Has Operations or Employees in Texas
- Texas has the Capture or Use of Biometric Identifier Act (CUBI), Tex. Bus. & Com. Code §503.001, which provides a right of action by the state attorney general (but not an individual). CUBI regulates biometric identifiers that are used for a “commercial purpose.” CUBI doesn't define commercial purpose or state whether it applies to employees, but its language suggests that it does regulate employers’ collection of employee biometric information.
- To comply with CUBI, employers must:
  - Obtain consent (which doesn't have to be in writing) from employees before capturing their biometric identifiers.
  - Store, transmit, and protect employee biometric information with reasonable care and in a manner that is the same as or more protective than the way in which the employer handles other confidential information.
  - Destroy biometric identifiers within a reasonable time that is no later than the first anniversary of the date that the purpose for collecting the identifier expires. If an employer collected the biometric identifier for security purposes, the purpose expires when the employment relationship terminates.
  - Not sell, lease, or disclose an employee's biometric identifier to another person.
If the Employer Has Operations or Employees in Washington State
- Washington has a law governing biometric privacy (RCW §19.375.020), which provides a right of action by the state attorney general (but not an individual). Washington's law is limited to biometric information used for “commercial purposes.”
- Commercial purpose is defined as a “purpose in furtherance of the sale or disclosure to a third party of a biometric identifier for the purpose of marketing of goods or services when such goods or services are unrelated to the initial transaction in which a person first gains possession of an individual's biometric identifier.” RCW §19.375.010(4).
- Using employee biometric information for timekeeping is likely not a “commercial purpose.” Even if it were, a commercial purpose excludes a “security purpose,” which encompasses preventing fraud or other misappropriation or theft, and protecting the security of any person. Biometric timekeeping serves a security purpose.
If the Employer Has Operations or Employees in Other States
- Other states have proposed similar biometric privacy laws, but haven't yet enacted any of them (as of September 2018).
- New York has a law that prohibits employers from requiring employees to be fingerprinted as a condition of employment. Under this law, New York employers can't require employees to “punch” a time clock with their fingerprints.
- Under the California Consumer Privacy Act (CCPA), effective Jan. 1, 2020, employees will have the right to know what personal information (which includes biometric information) their employers are collecting and how it is being used, to request that their information be deleted, and to opt out of the sale of their biometric information to third parties. These provisions may change before the CCPA becomes effective, and employers should monitor developments.
- Employees who complain about the collection or use of their biometric information also have remedies under common law, such as claims for invasion of privacy or negligence.
Best Practices for Employers
- Ensure compliance with the applicable laws regulating the use of employee biometric information in the states where the employer operates or has employees.
- Even if there is no applicable statute addressing biometric timekeeping, consider taking the following actions:
- Draft a policy regarding the collection, use and storage of employee biometric information that:
  - explains why the employer collects biometric information
  - describes how the information will be used
  - addresses how biometric information is secured and protected from disclosure
  - sets forth the time frame for which biometric information will be retained
  - details how the biometric information will be destroyed, and
  - informs employees how their biometric information will be treated after their employment ends.
- Prepare a consent form for employees to sign that authorizes the employer to collect, use, and store their biometric information.
- Consider whether to require that new employees sign a written consent as a condition of employment, if permitted by state law (New York wouldn't permit this requirement).
- Decide whether to require current employees to sign a written consent as a condition of continuing employment and how to address an employee's refusal to sign.
- Include a provision that permits the employer to share biometric information with third parties that will have access to the information, such as a vendor retained to store the information, if permitted by state law.
- Protect the security of employee biometric information and treat it as sensitive and confidential information.
- Ensure that employee biometric information is protected according to the same protocols that employers use for other PII.
- Train employees who deal with biometric information on how to protect its security.
- Be prepared to respond to requests from employees to be excused from biometric timekeeping as an accommodation for religious beliefs or medical conditions.
- Comply with the applicable state breach notification laws in the event a security breach affects employee biometric information.
- Ensure that any vendor retained to collect and/or store biometric information has processes to protect the security of the information and is obligated to follow those processes under the contract between the employer and the vendor.
The material in this publication was created as of the date set forth above and is based on laws, court decisions, administrative rulings and congressional materials that existed at that time, and should not be construed as legal advice or legal opinions on specific facts. The information in this publication is not intended to create, and the transmission and receipt of it does not constitute, a lawyer-client relationship.