Think of your daily use of biometrics—you likely apply a fingerprint to log into your phone. Or maybe you have voice recognition tied to your bank account. You might submit to iris or hand scanners to gain access to certain things and spaces (for example, my family doctor recently installed a hand scanner for fast check-in at the front desk).
Even amusement parks use biometrics—Disney’s “ticket tag” system in use at the entrances of many of its theme parks helps to manage re-entry of guests and prevent fraud. The Disney technology involves the guests placing a finger on a reader, which then scans and converts the fingerprint image into a unique number associated with the individual’s admission ticket. Disney says the fingerprint images are discarded immediately—the images are not stored.
In the workplace, employees are increasingly using biometrics to enter and exit workspaces, log in to computers, access sensitive data, etc. The Wall Street Journal speculated last week that the days of badging into work with a swipe of your ID card are nearly over, asserting:
“Plastic cards may soon give way to biometric systems, microchip implants, gait recognition, and other technologies that aim to improve security, generate health data and monitor workers.”
And as the Institute for Corporate Productivity’s (i4cp) talent acquisition study noted in 2018, software that runs AI in the background to assess eye contact, facial expression, and verbal tones during video interviews is becoming more commonplace in the hiring process. But concerns understandably persist. As i4cp’s major 2019 study, Automating Work: The Human/AI Intersection, noted:
“When asked about advanced work automation and ethics, the top two issues cited by organizations were privacy regarding data collection (45%) and security regarding data warehousing (44%). These are both foundational aspects of using modern technology and, due to the prevalence of broadly publicized data breaches, the concerns are warranted.”
The rapid evolution and adoption of personal data collection technology requires us to stay on top of what’s new. It also asks us to trust the entities that are collecting our data. For some, this is no big deal. For others, a corporation (or any entity for that matter) asking us to simply trust that they will protect our personal data, including our biometric data, is a little too much.
For the lawmakers in some U.S. states, the latter is of enough concern that they have passed legislation to oversee the collection, use, and storage of this very personal data.
So far, Illinois, Texas, and Washington have biometric privacy laws in place, and California’s Consumer Privacy Act (“CCPA”) went into effect this month. The CCPA is quite sweeping, giving California residents the right to access and obtain copies of the data that companies store on them, to delete that data, and to opt out of companies selling or monetizing their data.
Experts at the National Law Review predict that other states will soon follow suit with their own versions of data privacy laws that may have implications for employers; Michigan, New Hampshire, Arizona, Alaska, Montana, Florida, and Massachusetts have each introduced legislation addressing biometric privacy.
The Illinois Biometric Privacy Act (“BIPA”) has set down strict requirements for businesses that collect the biometric information of applicants and/or employees. Businesses must obtain written consent from individuals before obtaining their biometric data, and in the process of seeking that consent, they are required to disclose the nature of the data they are collecting, why, and their policies for usage and storage. See a sample biometric data consent form here. Further, the state’s Artificial Intelligence Video Interview Act, which took effect in January 2019, explicitly requires that employers also provide candidates information about how any video technology in use works and obtain their consent.
A few additional points of note:
- Each state that has passed legislation regarding biometrics defines the term in its own way. For example, California’s biometrics privacy act is broad. As the National Law Review reported this month, California’s regulations cover “physiological, biological, and behavioral characteristics and includes not only the traditional fingerprint and retinal scan, but also keystroke and gait patterns as well as sleep, health, and exercise data that contain identifying information.” Illinois and Texas legislation define biometric identifiers as specific to fingerprints, retina or iris scans, voiceprints, or scans or records of hand or face geometry. The Illinois law further defines biometric information to include “any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual.”
- There are exemptions in some states specific to organizations collecting the personal information of their employees as long as doing so is reasonable and within the scope of employment. Some legislation, such as a bill that has been proposed in Arizona, doesn’t apply to employers collecting biometric identifiers for employment purposes, unless the company sells or discloses that data to a third party.
What’s ahead? Look for more states to pass legislation similar to that of Illinois. The sweeping California legislation is often referenced in current literature in the context of a U.S. version of the European Union's General Data Protection Regulation (GDPR), considered the benchmark for online data privacy. It’s worth looking into your own organization’s current use of biometrics and any plans to expand that use in the future, and assessing what it will take to get into compliance now (or at least start heading in that direction).