Employers Using Biometrics
What should employers do before collecting biometric information? Biometrics is on the cutting edge of technology and more and more employers are using biometrics in the workplace. Employers use biometrics to activate machinery or computer devices, to track employee time and attendance, and can be used to gain access to specific secured environments. The most common example of employer use of a biometric recognition system is the fingerprint.
Expert Lee Neubecker and Vedder Price Shareholder David Rownd discuss the necessary steps that all employers should do before installing biometrics.
Part 3 of our 3-Part Series on Biometric Data
The Video Transcript Follows.
Lee Neubecker (LN): Hi, I’m here again with David Rownd. David, thanks for being back on the show.
David Rownd (DR): Oh, thanks for having me again.
LN: So we are continuing our series talking about BIPA, the Illinois Biometric Information Protection Act. And what employers should do, especially those New York employers that have satellite offices in Chicago that track their employees and whatnot and how they should, things they might want to do beforehand so that they don’t get into trouble. With that David, what are some of the concerns and responsibilities employers have under BIPA?
DR: Well, first of all, they have an obligation to notify employees that they are using biometric information. And they have to tell them why they are using biometric information. They have to safeguard the information. They have to have policies in place to safeguard the information. And they are absolutely prohibited from selling the information to third parties.
LN: That would mean if they are using time tracking software they might want to check to see what adaptations those software companies have in terms of how they protect employees’ fingerprints and whatnot.
LN: And is it a good idea for the employer to actually get the employee to sign a consent form?
DR: Absolutely. In fact, they are required to obtain consent
DR: before doing this. And this is an important consideration for employers and it should be something that is well thought out and a program put into place that complies with the law before embarking on the use of biometric information.
LN: So employers if you have a trading firm here in New York that has a satellite trading, possibly an option firm, options are big in Chicago. What would you advise them to do just to do a check-up to make sure they are OK?
DR: Well, if you are going to be using your employee’s biometric information in Illinois it would be covered by BIPA. And you need to make sure you are in compliance with the law. And I think it makes sense for your in-house legal team or whatever counsel you rely on to go over what you planned to do and ensure that what you are going to be doing is in compliance with the law.
LN: So I think the intent though of a lot of these tracking features of time tracking software really is to try to protect employees from punching in for, you know, their friend that is running late. But there are other ways that employers can still do that without relying on fingerprints or retina scans.
DR: There are other ways. Smartphones can be used and they can be used without taking any biometric information. And there are other ways of doing it as well. But if you are going to be using biometric information, you certainly should make sure that you are in compliance with BIPA because it’s been a very active, very buried in litigation. There’s been a lot of class actions lately and a lot of companies have had some issues. Most employers would be well advised to make sure they don’t run afoul of the law.
LN: So why are we suddenly hearing so much about BIPA in Illinois? What happened last year that changed things?
DR: Well, there was an Illinois Supreme Court case that really kind of open the floodgates for plaintiffs to be able to sue. Normally in order to bring a lawsuit, you have to be able to show that you suffered some specific harm which is referred to in the law as damages, and that is an element of most civil causes of action. However, under the way, BIPA is written an aggrieved party can bring a private right of action under BIPA. And there’s the Illinois Supreme Court, a case called Rosenbach, last year, basically held that the mere violation of the law with the respect to someone’s biometric information makes that person an aggrieved party. So, the fact that your biometric information has come out of compliance in a program means you’d have the standing to bring a lawsuit. And more importantly, that you could potentially be the lead plaintiff in a class-action lawsuit which ups the ante significantly for employers and exposes them to much more significant liability.
LN: So this could expose any employer using time tracking that has a biometric component in Illinois?
DR: Potentially, yes.
LN: Now are there things that can help protect those employers though from getting in the crosshairs if they are using that software?
DR: Well, I mean, ensuring that you’re in compliance with the law, certainly. Which means making sure you’re getting consent. Making sure that the concent is informed consent and the consent is in full compliance with the requirements of BIPA. Not doing anything that BIPA prohibits such as selling the information to third parties. It sounds pretty obvious but it’s something that’s important to make sure you’re in compliance with the law.
LN: Now there was a case in Illinois involving, it was an athletic gym that had customer information and some of that information was alleged to have gone to outside parties. And I think that case settled, but it certainly not only employers could fall into the snare of BIPA, but consumers as well, people who do business with companies that choose to take their biometric data.
LN: Like possibly even Google and Facebook.
DR: Potentially, yes.
LN: Well, thanks a bunch. In our next segment, we’ll talk a little bit more about what is happening nationally with BIPA. And thanks again for being on the show.
DR: Thanks for having me.