Many employers are beginning to introduce technologies that enhance workplace security and employee monitoring. For example, employers may require employees to clock in and out using fingerprints to streamline timekeeping procedures, use facial recognition or retina scans for entry into certain buildings, or review facial geometry from dash-cam video recordings to ensure safe driving practices. While these measures can greatly enhance and streamline workplace safety, employers must be aware of the legal obligations that may arise from collecting, storing, and using this data.

What is Biometric Data?

Although many states define biometric data or identifiers differently, the term generally includes, but is not limited to, the following:

  • Retina or iris scans;
  • Fingerprints;
  • Voiceprints or voice recordings;
  • Scan of hands;
  • Facial geometry;
  • Vein patterns; and
  • Other unique biological characteristics or patterns used to identify an individual.

Biometric Privacy Laws

Currently, only three states have enacted laws specifically governing an employer’s collection, storage, and use of biometric data – Illinois, Texas, and Washington. While each of these state laws has different requirements, at a minimum, these laws generally:

  • require notice to the employee regarding the collection of biometric data and how such information will be used;
  • require clear consent (usually written) from the employee regarding the collection and use of the biometric data;
  • restrict an employer’s ability to sell, use, or disclose the biometric data; and
  • provide specific requirements for confidentiality, retention, and data disposal when the biometric data is no longer needed.

Illinois’ Biometric Information Privacy Act (BIPA) remains the most comprehensive biometric data law in the United States. In addition to broad notice and consent requirements, BIPA also has specific policy requirements, including a retention schedule and guidelines for the destruction of biometric data. BIPA also provides a private right of action to any person aggrieved by a violation of the law, resulting in significant litigation against employers and third-party vendors (including class action litigation). As a result, employers conducting business in Illinois must take careful steps to ensure compliance with BIPA requirements, including the notice and consent requirements, to avoid potential litigation.

In addition to biometric data laws, many states have also enacted broad consumer privacy laws to safeguard individuals’ personal information, including biometric data. While most of these consumer privacy laws do not extend to the employment context, a few do, including those in California and Colorado.

Employer Best Practices Related to Biometric Data

The collection and use of biometric data can improve workplace efficiency and safety, but employers must consider the legal implications that accompany these benefits. To ensure compliance, employers should:

  • Evaluate internal technologies to determine whether they collect biometric data (e.g., fingerprint‑based timekeeping systems, workplace video or audio recordings capturing voiceprints or facial geometry, or dash‑cams capturing retina data or facial features).
  • Determine which state laws may apply. For example, BIPA does not require an employer to be located in Illinois; an out-of-state employer may still be subject to BIPA if biometric data was collected or if business activity occurred in Illinois (e.g., a dash-cam collecting biometric data while operating in Illinois).
  • Implement appropriate policies, including notice and consent procedures. If subject to state biometric privacy laws, ensure your policies comply with all applicable laws and include the required notice and consent forms. Additionally, if you are collecting audio and video recordings (e.g., via dash-cam technology), you will want to ensure you comply with all federal and state wiretapping laws, which have specific notice and consent requirements.
  • Ensure that any third-party vendors involved in the collection, storage, or use of your employees’ biometric data also comply with all applicable laws.

Compliance with biometric laws can be complex and daunting. If you currently collect and use biometric data—or plan to do so—and need assistance with compliance or developing appropriate policies and notice/consent forms, please contact an attorney in our Labor & Employment Group.