Biometric Data: What Rights Do Employees Have?

The Digital Workplace

Advancements in technology have brought about many changes for modern society. These have affected various aspects of our life, including the workplace. One way in particular has been with keeping track of employee attendance and hours worked.

The Good Ol’ Days of Hourly Work

One of the older methods employers use to keep track of their employees’ work is to have them fill out timesheets. Alternatively, employees can physically “clock in” using a time card or other physical medium. But this method has disadvantages, especially from the employer’s perspective.

Therefore, many employers have looked for alternatives to this physical form of obtaining and storing employee timesheet information. Many have settled on fingerprint or other biometric scans of their employees as a means of clocking in and out of work each day.

The Digital Workplace 

Using an employee’s fingerprint makes it easier for employers to calculate time worked, as well as comply with record-keeping requirements. It also prevents “buddy punching” where an employee would clock in for himself and another worker, even if that other worker never showed up for work.

But using an employee’s biometric data raises the stakes when it comes to employers gathering and storing an employee’s personal information. It’s one thing to have physical papers in an employee’s locked personnel or medical file that’s located in an office. It’s totally different when it’s digital information that can seamlessly transfer from one electronic device to another with the help of the Internet.

To regulate how employers use biometric technologies in the workplace, some states have begun enacting laws. These laws create rules to protect employees from employers misusing the biometric data or failing to protect the biometric data they collect. One such state leading the way is Illinois and its Biometric Information Privacy Act.

The Biometric Information Privacy Act

Illinois was one of the first states to implement a law that specifically protects an individual’s biometric data. The Biometric Information Privacy Act (BIPA) has been in effect since 2008 and applies to consumers and employees. The BIPA requires that private entities gathering or making use of the biometric data must:

  • Not profit from biometric data.
  • Store or transmit the biometric data using the reasonable standard of care for their industry.
  • Inform the subject that his or her biometric data is being collected, the reason for gathering that data and how long that data will be used.
  • Have a written policy outlining the rules in how biometric data will be collected, stored and destroyed.
  • Obtain written consent to gather and use biometric data.

If an employer or other private entity subject to the BIPA violates one of its provisions, those adversely affected may bring a private cause of action, including class-action lawsuits. Recoverable damages include:

  • Liquidated damages of $1,000 or actual damages (whichever is greater) if the defendant acted negligently;
  • Liquidated damages of $5,000 or actual damages (whichever is greater) if the defendant acted recklessly or intentionally;
  • Reasonable attorney’s fees and costs; and
  • Other appropriate relief, such as an injunction.

There have been many lawsuits brought because of BIPA, but some of the most common involve employee fingerprint scans.

Sherman v. Brandt Industries

This was a case where the employer, Brandt Industries (Brandt), required its employees to use their fingerprints to clock in and out of work. One of the employees, Joseph Sherman (Sherman), alleged that Brandt violated the BIPA because it:

  • Failed to give proper notice concerning the biometric data;
  • Did not obtain written consent from the employees; and
  • Did not publish its policies explaining how it would store and destroy the fingerprint data.

Sherman sued Brandt in a class-action lawsuit. The case is still in the early stages of litigation, although Sherman obtained an initial victory when he survived Brandt’s motion to dismiss.

Country Mutual Insurance v. Jet’s America Inc.

The underlying facts of this case are similar to the Sherman case in that it involves an employer’s use of fingerprint scans to keep track of when its employees clocked in and out of work. Specifically, Robert McDonald (McDonald) worked for Jet’s Pizza and alleges that the defendant violated BIPA because it never:

  • Informed him or his fellow employees about its biometric data collection activities and
  • Did not obtain written consent to collect the biometric data.

McDonald filed suit against Jet’s Pizza (which is the trade name of Jet’s America, Inc.), but one of the preliminary issues to resolve is if Country Mutual Insurance Company should defend Jet’s America against McDonald’s lawsuit. Therefore, it may be a while until this case gets to trial (assuming it does).

What’s Next for Employees?

The lawsuits and biometric data protection laws aren’t very big right now. But it’s only a matter of time before that changes. Other states are trying to follow Illinois by enacting their own biometric privacy law. One such state is Maryland.

Maryland House Bill 218 (and its companion Senate bill, SB 16) is similar to BIPA in that imposes comparable requirements on private entities concerning the collection, storage and use of biometric data. It also provides aggrieved individuals the right to bring a private cause of action. But Maryland’s proposed law differs from the BIPA in that it’s only a proposed law and it’s currently a long way from going into effect.

Like Maryland, New York has its own proposed biometric data privacy law that largely parallels the BIPA.

Illinois isn’t the only state with a biometric data privacy law in effect. Other states with laws in force include Texas, Washington State, Arkansas, and California. But many of these laws aren’t as protective as the BIPA or provide aggrieved individuals the same ability to enforce their rights.

Bottom Line

The use of biometric data by employers will inevitably increase in the coming years. States are trying to protect employees (and others donors of biometric data, like consumers) by passing new laws. But we’ll have to see if the states can act fast enough.

If you want to read more about employee privacy rights, including the use of biometric data, check out my Forbes article, “Employee Data Privacy Lawsuits: A Growing Trend.”