By Glenn Duhl
Biometrics is the measurement and analysis of an individual’s unique physical and behavioral characteristics which can be used as a form of identification and access control. Examples of physical biometrics include fingerprint, face, hand, eye or ear features. Examples of behavioral biometrics include an individual’s gait, voice, and typing rhythm.
More and more employers are using employees’ biometric data to control access to buildings and equipment, and track employees’ hours. Employers that use biometric data should be informed of the developments in biometric data legislation and update their internal policies to ensure compliance.
A number of states have laws regulating the collection and use of individuals’ biometric data. For example, Illinois’ Biometric Information Privacy Act (BIPA), enacted in 2008, requires that, among other things, private entities obtain written consent to collect individuals’ biometric data, inform individuals why the information is being collected, develop a written policy regarding use of such data, comply with retention and destruction requirements, and avoid selling or otherwise unlawfully disclosing biometric information. In enacting BIPA, Illinois legislatures were concerned with the risks associated with the use of biometrics because they “are biologically unique to the individual,” meaning “once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.”
BIPA provides for a private right of action, which permits individuals to sue a company for its negligent, reckless or intentional biometric data privacy violations. Ruling in the 2019 case of Rosenbach v. Six Flags Entm’t Corp., the Illinois Supreme Court clarified that an individual does not need to allege an actual injury beyond infringement of the rights afforded under BIPA to bring a claim under the law.
Since 2015 when a series of five class action lawsuits were brought against businesses alleging BIPA violations, employers have been exposed to an ongoing threat of lawsuits for the use of biometric information in tracking employees’ hours. Employers such as Hyatt Corporation, Topgolf and Walmart have all recently settled lawsuits brought by employees for BIPA violations related to timeclocks which used biometric data.
A recent case decided by the United States District Court addressed an insurance carrier’s duty to defend an employer for alleged BIPA violations.
An employer required its workers to use their fingerprints as a means of authentication. Two class actions were filed against the employer alleging BIPA violations for requiring its employees to use a fingerprint-based timekeeping system without obtaining informed consent, failing to inform employees of the risks associated with that data collection including whether it was disclosed to third parties, and failing to maintain and adhere to a public retention policy. Both class actions also alleged that the employer violated its employees’ rights to privacy. The employer provided notice of the class actions to its insurance carrier, which denied coverage and filed a lawsuit in the United States District Court seeking a declaration that it owes no insurance obligations to the employer with respect to the claims.
The district court granted the employer’s motion for summary judgment finding that the BIPA violations alleged in the class actions fell within the Employment Practices Liability Coverage because (a) it covers a breach of the employer’s employee handbook, which requires employees to use its designated timekeeping system and states that the employer will comply with all applicable laws, including BIPA; and (b) it covers an employment-related invasion of privacy, which was clearly alleged in the underlying complaint. The district court found that the insurance carrier had a duty to defend the employer against the class actions.
In addition to Illinois, other states including Arkansas, California, Colorado, Connecticut, Maryland, New York, Texas, Virginia and Washington also regulate the collection, storage and use of biometric information. With the increase in legislation related to biometric information, employers that use biometric technology should be aware of the laws and take steps to implement and review their policies. And, most certainly, anyone using biometrics should make sure that it has secured signed consent forms from each of its employees so as to avoid any claim that any employee information was misused.
Glenn Duhl is a management-side employment and litigation lawyer at Zangari Cohn Cuthbertson Duhl & Grello P.C. Please visit www.zcclawfirm.com.
The information contained in this article is general in nature and offered for informational purposes only. It is not offered and should not be construed as legal advice.
—