Employers across the country are increasingly using employees’ biometric data—e.g., fingerprints, retina scans and facial recognition software—as a form of identification. This technology offers a number of advantages to employers. Employee identification badges can be lost, and passwords can be stolen—which could give unauthorized persons access to sensitive company data. Biometric data, however, is not subject to either of these risks.
While this method of identification provides an added level of security in some regards, it also brings issues of employee privacy into question. Employees of a Chicago-based company have filed a class-action lawsuit against their employer for unlawfully using their biometric information. According to the plaintiffs, their employer violated privacy law by improperly requiring employees to scan their fingerprints as a means of clocking their working time. The lawsuit alleges that the employer failed to:
- Get written consent from its employees to record their fingerprints,
- Provide written information to its employees about the purpose of the fingerprinting and
- Inform employees how long the biometric data would be stored and how it would be destroyed.
In 2009, Texas passed a biometric privacy law, which is similar to the Illinois law in many regards. If a Texas employer wants to capture any biometric data from its employees, it must notify the employee in advance and obtain the employee’s consent. If both of these criteria are met, then the employer must also follow additional regulations on how to secure and store the data, how and when to destroy it and whether it can be sold or disclosed to a third party.