All states have enacted legislation to protect consumers’ private information, but some have more stringent laws that involve employees, and biometric data in particular.
Biometric data derives from human features. This includes fingerprint scans, voice recognition and facial recognition. To date, only three states (Illinois, Texas and Washington) have laws on the use and collection of biometric data from employees.
The recently minted California Consumer Protection Act (CCPA), which takes effect Jan. 1, 2020, address biometric data, but only as it applies to consumers.
It requires many businesses to provide consumers with notices regarding what type of information they collect, what they use it for and with whom they share it. It also requires these businesses to allow consumers to opt out of the sale of their data and to request that their data be deleted.
While the CCPA is not yet in effect, Illinois already is seeing litigation over its privacy laws – which extend biometric privacy rights to employees. After a month of employment for a Hilton Doubletree Hotel in Chicago, housekeeper Taylor Booker complained that the requirement to scan her fingerprint as a time-tracking authentication method violated the state’s Biometric Information Privacy Act because it unlawfully collected, used and stored her and other workers’ “sensitive and proprietary” biometric data as a condition of employment without ever obtaining their informed consent.
"Unlike ID badges or time cards — which can be changed or replaced if stolen or compromised — fingerprints are unique, permanent biometric identifiers associated with each employee,” says her lawsuit. “This exposes defendants’ employees to serious and irreversible privacy risks.”
While the CCPA applies directly to consumers, California businesses should still be wary about employee privacy issues. The author of the CCPA, Assembly member Ed Chau, introduced AB 25 that attempts to make certain the CCPA does not cover employees of businesses.
However, an opposing coalition, expressing concern that the exemptions would go too far in eroding the rights of employees who also are consumers, fought the bill in the Senate Judiciary Committee.
Chau agreed to amend it to clarify that employers subject to the CCPA would still be required to inform employees (who also are consumers) of what categories of personal information can be collected and for what purposes.
Chau agreed to look at this issue further in the future, with AB 25 sunsetting at the end of 2020. Governor Gavin Newsom signed AB 25, so the exemption for employee data will only be effective until Jan. 1, 2021 unless the legislature acts again.
While the CCPA therefore is unlikely to extend privacy rights to employees over biometric data in 2020, California is likely to revisit this issue.
Employers who currently use employee biometric data should anticipate future issues now by ensuring that such data is securely stored and encrypted. Employers also should take steps to notify employees that they are collecting this information and will limit its use to a narrow employment-related purpose.
Employers who take these steps will find themselves well positioned to respond to changes in the law in the future. (Wards Industry Voices contributor Monica Baumann, left)
Monica Baumann is a member of the Data Protection, Privacy, and Cybersecurity team at California law firm Scali Rasmussen. As a certified information privacy professional, she advises dealer clients.