Some states regulate the collection, use and disclosure of biometric data, which may include the data collected by finger- or hand-scanning time clocks. The following is a brief description of some of these state laws. Please read on to help ensure that your company is staying compliant.
Illinois
To date, the law with the broadest reach is the Illinois Biometric Information Privacy Act (BIPA). BIPA requires that companies in possession of biometric data develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric data within a certain period of time. It also requires that companies make certain disclosures and obtain a written release before collecting and storing biometric data, and that they use a certain standard of care to store, transmit and protect the data from disclosure.
Courts have not yet determined whether BIPA applies to the data collected by biometric time clocks. But given the risk that BIPA could be found to apply, and the number of lawsuits that have been filed, we previously provided you with information about BIPA’s requirements and other helpful materials.
ADP® offers the following resources to help you comply with the requirements of BIPA:
o A sample notice/written release to be used before enrolling an employee in the time clock
o A sample retention and destruction policy
o Information on how to destroy biometric data collected and stored by the time clock. You should purge data when it is no longer needed (e.g., when an employee is no longer employed or moves to a position that no longer requires use of a time clock). You should also notify ADP that any biometric data on ADP’s systems should be purged.
All of these materials are included in the Employer Toolkit.
California
It is a misdemeanor under California law to require an employee or applicant, as a condition of obtaining or securing employment, to provide fingerprint for the purpose of furnishing that information to a third party, and “these…fingerprints could be used to the detriment of the employee or applicant.”
In addition, the California Consumer Privacy Act (CCPA) applies to the collection, use, and retention of biometric data. Certain provisions of the CCPA apply to biometric time clocks used to collect employee biometric data, including, among other things, the requirement that, before such collecting biometric data, a business must disclose what information is being collected and the purpose of that collection.
New York
Under New York law (New York State Labor Law Section 201-a), employers may not require employees to be fingerprinted as a condition of securing or continuing employment, except as otherwise provided by law. While the New York State Department of Labor has interpreted this law to prohibit employers from requiring employees to use finger-scanning technology, employers may request that employees use the technology on a purely voluntary basis.
Texas
Texas law (Tex. Bus. & Com. Code Ann. §503.001) requires that companies obtain consent before collecting “biometric identifiers” for a “commercial purpose.” It also imposes specific requirements on how such biometric identifiers may be stored and used and when they must be destroyed. The law does not define “commercial purpose.”
On the horizon
Both the federal government and other states are considering laws that will regulate biometric information. ADP is here to help you stay on top of relevant legal developments where the law is fluid and unsettled.
In the attached Employer Toolkit, we’ll share some tips and best practices for you to consider if using biometric technology.
If you have any questions, please reach out to your HR Business Partner.