Over the past few years, Arkansas, California, Illinois, New York, Texas and Washington have all enacted legislation that impacts how businesses can use an individual’s biometric data. As a result of the COVID-19 pandemic, businesses face imminent and critical questions about collecting and handling such data. Many employers across the country have already begun collecting employee health data, such as asking employees to complete online questionnaires, taking employees’ temperatures or conducting COVID-19 tests on-site. In the coming months, privacy issues will likely be at the forefront of concerns. It is also likely that new biometric laws will be implemented or current laws strengthened, forcing employers to establish new protocols for data collection, handling and storage.
Historically, biometric data has included information such as a retina or iris scan, fingerprint, voiceprint or facial printing/recognition. In response to the COVID crisis, many companies are now developing new biometric technologies that are rapidly being released in efforts to contain the crisis.
For example, in China, tablets on public buses record passengers’ body temperatures as well as photos of their faces. In the United States, some police departments have reportedly considered adopting drone technology capable of monitoring biometric information. Many U.S. companies are already either requiring employees to take their temperature when they arrive at work or having thermometers available if employees would like to voluntarily check. As states and cities relax lockdowns and more places reopen to the public, similar practices will likely extend to customers as well. In addition to the operational and reputational implications, businesses should consider the possibility that attorneys may scrutinize these efforts and file class actions claiming violations of existing statutes.
Biometric Tools for Businesses
Some businesses are considering or implementing temperature screenings at their entrances as a potential protective measure. It should be noted, however, that such screenings may have limited utility in detecting infection, particularly in asymptomatic individuals, and could also violate existing biometric and privacy statutes.
Instituting temperature screenings at businesses will require thoughtful consideration. Of note, those administering these tests will be put at higher risk of potential infection. Further, biometric instruments such as thermometers can malfunction and training is required to ensure appropriate use. Businesses will also need to ensure these tests are administered in a manner that preserves privacy, limits potential exposure to contaminated materials, and ensures HIPAA compliance. In addition, just as there have been cases of individuals refusing to wear masks when entering businesses, it stands to reason that temperature screening may be met with similar resistance from customers and employees alike who view it as even more invasive.
Some businesses have also begun using cellphone applications or websites where employees and/or patrons answer a questionnaire to certify a lack of COVID-19 symptoms or exposure before entering the premises. Unfortunately, collecting this information carries risk, as storing sensitive data creates the possibility of data breaches. Employee privacy, sense of safety at work and consent are all considerations before requiring any biometric or health data to be collected. Businesses will need to be aware that daily data collection relies on employee and patron veracity, consistency and understanding, and that human error and application fatigue from daily entries are possible.
Regulation of Biometric Data
Several states have laws regulating collection and use of biometric information. California, Illinois, New York, Arkansas, Texas and Washington have their own biometric statutes and many states are exploring similar measures. Only California and Illinois currently provide a private right of action, whereas the other states are silent on the topic or expressly give enforcement powers to the state attorney general. Key provisions of these regulations include:
California. California recently enacted the California Consumer Privacy Act (CCPA), which provides both consumers and employees the ability to control their personal information. Individuals can bring a private right of action for a data breach if a business fails to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” The biometric data covered by CCPA includes “biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina or iris image, used to authenticate a specific individual.”
CCPA applies to employers or businesses that: 1) have annual gross revenues exceeding $25 million, 2) receive the personal information of over 50,000 customers, or 3) derive more than 50% of annual revenues from selling consumers’ personal information. The law dictates that businesses must provide notice to consumers before collecting data and creates procedures that allow consumers to opt out or have their data deleted. Furthermore, California Labor Code section 1051 prohibits employers from sharing biometric information with third parties.
Illinois. Enacted in 2008, the Illinois Biometric Information Privacy Act (BIPA) allows private individuals to sue for damages resulting from unlawful storage and collection of biometric data, which it defines as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” If they can establish liability, “aggrieved parties” can receive $1,000 to $5,000 per violation. There has been a significant increase in BIPA lawsuits in recent years, with over 200 BIPA class action lawsuits filed in 2019 alone.
New York. In March 2020, the New York State Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) went into effect, broadening the scope of information covered under the existing data breach notification law and updating notification requirements. Specifically, the SHIELD Act expands the definition of “personal information” to include biometric data. The law mandates that businesses and organizations protect the private information of New York’s residents by implementing and maintaining adequate information security protocols. This law does not have a private right of action, but gives the state’s attorney general authority to bring an action, including fines of $20 per instance of failed notification with a maximum penalty of $250,000 per enforcement action. As the law was only recently enacted, the statutory language is still open to judicial interpretation.
Arkansas, Texas, Washington and others. Arkansas recently updated section 4-110-103(7) of its legislative code to include biometric data in the definition of “personal information.” In addition, the Texas Business and Commerce Code section 503.001 was revised to apply to anyone who uses biometric identifiers for “commercial purposes.” (The law does not define what is considered a “commercial purpose.”) Finally, Washington’s House Bill 1493 (2017) prohibits anyone in the state from “enrolling a biometric identifier in a database for a commercial purpose, without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose.” At least 10 other states are also actively developing biometric statutes, including Arizona, Florida and Massachusetts.
The Possibility of Federal Regulation
It is unclear what role the federal government might take in limiting liability for businesses that collect biometric information. Weeks before the pandemic took hold, there was an attempt by Congress to create national data privacy legislation, but there was disagreement on whether to include a private right of action. Major business lobbying organizations are now asking Congress to create legislation that would specifically curb liability for businesses reopening from COVID-related closures. There has also been discussion of whether individuals should be willing to forgo some data privacy in the name of public health.
In the absence of such nationwide action or clarity, businesses are already beginning to reopen in some regions and must pay close attention to any applicable state laws as they do so. Some states, such as California, will likely still enforce local laws in response to violations.
Businesses should also familiarize themselves with notice or disclosure requirements and consent requirements not only in the states where they operate, but also in the states where employees reside and information is collected. Additionally, businesses must review existing data retention and destruction policies with applicable state laws in mind.