Obtaining informed consent and creating a careful procedure for data storage are just two things management must do to comply with laws.
By Molly McGinley
In recent years, businesses across many industries have adopted biometric technologies to make record-keeping more efficient and secure. These tools save time and money, but they also raise questions about privacy, and, in response, some states have passed legislation that governs how biometric information can be collected and stored. Now that safety precautions related to COVID-19 will force management to make changes to workplace procedures, it will be important to stay up to date on relevant legislation.
A Snapshot of Privacy Laws
With a few exceptions, the collection, use and storage of biometric data in the U.S. is not currently regulated by federal law, so companies should be looking to state laws to ensure that their collection of data does not create liability.
Four states have biometric privacy laws: Illinois, Texas, Washington, and California. Although the four state laws differ from one another, they require employers to: (1) provide notice and obtain consent prior to collecting, possessing or processing biometric data; (2) restrict the onward disclosure of biometric data to third parties; (3) restrict the length of time for which biometric data may be retained; and (4) maintain the biometric data in a secure manner. In addition, New York and Oregon have laws governing the security and destruction of such data.
While the type of information included in the definition of “biometric” data differs among the laws, they all govern data that is used to identify an individual and may include retina or iris scans, fingerprints, voiceprints, scans of hand or face geometry, keystroke patterns or health data. Companies must obtain informed consent from individuals before collecting this information and must have policies in place governing the timely destruction of such data. Generally, the laws require disclosing not only the fact of collection of the information but also the purpose of collecting the data.
Here are answers to a few of the questions employers may be facing when it comes to biometric privacy and the post-COVID return to work:
Gloves and masks interfere with the tools we use to track employees’ hours and grant security access, so we are going back to an older low-tech system. Will this change trigger any compliance issues?
While it might seem like ceasing or pausing the use of these biometric tools is a straightforward internal decision, management will want to consider what it plans to do with the biometric data already collected. If the change in procedure means you are no longer storing the data for its disclosed intended purpose, your stated policy and/or applicable state laws themselves may require the deletion of that information to eliminate the risk of a data breach. As noted above, privacy laws and their requirements differ a great deal from state to state, so it’s important to get wise counsel on the laws that apply to your company. The guiding principle here should be ensuring the individuals of the use and storage of their data.
The COVID-19 era has caused our company to furlough employees and/or lay off a portion of our workforce. Are there issues we need to consider with respect to biometric data we have already collected?
The answer to this question may seem obvious, but shifts in the workforce outside of the normal processes may inadvertently cause the company to store information of former employees that is no longer needed for the disclosed intended purpose. The company should review its existing policy to ensure that data is being deleted consistent with the stated guidelines.
We would like to adopt a new technology, a wearable device that tracks the physical location of our employees. What are our responsibilities for letting employees know about the change?
Geolocation data is not considered biometric information under any of these statutes; however, the California law covers geolocation data, and other states have proposed similar legislation that would cover such data. Moreover, wearable devices may collect more than geolocation information, so it is imperative that the company understands what information is being collected. In most cases, a company cannot simply notify employees and begin using a new tool to collect personal information. Best practices require that you disclose the type of data you will collect, as well as how that data will be stored and protected. Then you must obtain employee consent. In addition, it will be necessary to review your existing policy and make updates, including an update to the employee handbook.
To help mitigate the spread of COVID-19 in our workplace and reassure our staff about the safety of coming back to work, we would like to track employees’ temperatures. What do privacy laws say about this practice?
Again, while much depends on the specifics of the laws in your state, most biometric privacy laws focus on the storage of biometric data. If your plan is to take each employee’s temperature with a simple digital thermometer for screening purposes, and you obtain consent and do not store the data, you are likely to be in compliance with privacy laws. But some thermometer devices also collect identifying information, such as facial geometry. If facial geometry information is being collected, the company must ensure that it is complying with the biometric privacy laws.
Complying with privacy laws regarding biometric information is a resource-intensive process. Therefore, it’s important to be sure that the benefits of gathering the data outweigh the costs and the risk of falling out of compliance. In general, companies should never collect more information than they absolutely need, and they should not retain it for longer than necessary.
As more states “re-open” their economies and employees return to work, business owners face truly unprecedented challenges that will impact the way they operate for years to come. A thorough understanding of privacy laws — and the counsel of a knowledgeable attorney — will ensure your company gets back to work and stays in compliance with the law.
Molly McGinley is a partner at K&L Gates and focuses her practice on helping businesses navigate the fast-moving field of biometric privacy legislation.