Today's computer technology improves exponentially from year to year, putting tiny, yet ever more powerful, computers in the palms of our hands, on our bodies, or even under our skin. With the proliferation of wearable "Internet of Things" devices, many new technologies that track our physical and physiological traits are moving into the workplace - yet, our privacy laws are struggling to keep up. This gap between technology and the law can put employees' privacy rights at risk.
What Are Biometrics?
"Biometrics" refers to data associated with distinctive, measurable body characteristics. Biometric identifiers take many forms, including:
- Voice prints
- Palm vein and hand geometry
- Face recognition
- Retina and iris scans
- Body odor and scent recognition
Instead of a password or keycard, these identifiers can significantly improve security and reduce fraud because they are extremely difficult to imitate or copy.
Biometrics are already incorporated into consumer technology such as Touch ID and Face ID on the Apple iPhone and Windows Hello, and they are becoming more prevalent in work settings as employers use employees' personal characteristics for a wide range of purposes.
How Do Employers Use Biometrics?
Employers increasingly adopt biometric-tracking technology not only to control employees' access to sensitive or restricted areas but also for timekeeping, logging into software and computer systems, and activating machinery.
There are undeniable economic and security benefits. Timeclock systems that require a fingerprint or facial scan can reduce timesheet fraud to essentially zero. Implementing a biometric access protocol to allow use of a "bring-your-own-device" (BYOD) mobile phone lets employees work remotely while reducing the risk to the employer's secure network. Requiring biometric approval of multiple employees to access secure information or areas can prevent industrial espionage and embezzlement.
At some point, however, possible misuse of biometric data outweighs the benefits to the employer, threatening individuals' privacy rights and posing real dangers.
What Are the Risks to Employees?
Once collected, opportunities for employers to exploit biometric data, and the possibility that an unauthorized third-party could obtain and misuse the information, raise important questions and concerns. For example, unauthorized access and copying of an employee's fingerprints may enable someone to get into the employee's personal devices and the financial, medical, or other private data stored there. As "smart homes" get smarter, stolen biometric information could be used to gain broad access to an employee's life, opening the potential for identity theft, financial fraud, theft of personal property, and even physical assault.
Equally disturbing, insurance providers or potential employers could use biometric data to discriminate against potential or existing policyholders or employees who have characteristics deemed undesirable or who show signs of medical issues. Biometric information could be misused to access confidential or secure areas, threaten public security, or subvert security restrictions like no-fly or terrorist watch lists. At the far extreme, entrepreneurial blackmailers could demand ransoms in exchange for not planting biometric evidence at crime scenes (an incident that could be part of the plot on an upcoming episode of "CSI").
Many employers who collect and store biometric data use third-party vendors to gather and maintain this information, further increasing the potential for security breaches or abuse. Regardless of who is responsible for maintaining the security and integrity of this data, it is vital to develop legislative protections, protocols, and penalties to punish misuse.
Legislative Protection from Developing Technology
Progressive state governments and activist groups have started to propose and enact legislation regulating the collection, maintenance, and use of employee biometric data by private organizations. Currently, three states have laws regulating the collection and storage of biometric data. Illinois's Biometric Information Privacy Act ("BIPA") was passed in 2008; Texas passed a similar law in 2009, followed by Washington State in 2017.
Several other states (including Alaska, Massachusetts, Montana, and New Hampshire) have introduced legislation related to biometrics that has not been enacted. The three pending laws all regulate the collection and storage of "biometric identifiers," including but not limited to eye scans, fingerprints, and voiceprints.
Illinois' BIPA and the Washington law go above and beyond protecting the actual biometric data to also address the collection and storage of data that has been converted into some type of code or template. For example, the BIPA regulates "any information, regardless of how it is captured, converted, stored, or shared," that is "based on an individual's biometric identifier" and is "used to identify an individual."
Litigation's New Frontier
The few state laws that regulate biometric data all impose civil penalties for violations, but Illinois' BIPA is the only statute that provides for an individual private right of action to recover liquidated damages and attorneys' fees. (By comparison, in Texas and Washington, the state attorneys general are responsible for bringing suit to crack down on offenders.) Each violation of the BIPA that is found to be "willful and/or reckless" can result in a fine of up to $5,000, and an employer can be fined $1,000 for each "negligent" violation-even where no actual damages, losses, or privacy breaches have occurred.
Numerous class-action lawsuits are now pending in Illinois alleging employer violations and technical failures to conform to the BIPA's stringent requirements. Illinois Policy reports that most of the suits claim employees were required to use fingerprint-operated time clocks, and that through those devices their employers collected and stored "biologically derived, or biometric, information in a manner that violates the consent, notice and disclosure requirements of the BIPA."
The defendants in the pending cases span a number of different industries, including gas stations and convenience stores, emergency medical transportation, janitorial services, hotels and restaurants, and food manufacturing and packaging. Actions alleging consumer privacy violations have been brought in Illinois courts against Facebook, Google, Snapchat, Shutterfly, United Airlines, and others, prompting state lawmakers to consider easing BIPA's strict application - and potentially "gutting" workers' and consumers' data privacy protections.
As states slowly address biometric data concerns - against the lightning speed of technological innovation - it will be a constant struggle to balance employers' business interests with the desire to protect what remains of employee privacy.