Q: Are there considerations our company needs to address if we use biometric time tracking software for our employees to record their hours worked?

A: Yes. Illinois, Texas and Washington have enacted laws that impose requirements on private entities in connection with the possession, collection and receipt of biometric data in employer-employee relationships, among others.

Of these states' laws, the Illinois Biometric Information Privacy Act (BIPA) is the only one that provides for a private cause of action. BIPA requires private entities to:

  • Develop a publicly available written policy establishing a retention schedule and guidelines for permanently destroying biometric data at the earlier of (1) when the initial purpose for collecting or obtaining the biometrics has been satisfied or (2) within three years of the individual's last interaction with the entity.

  • Provide written notice – prior to collecting or obtaining any biometric data – clearly informing individuals that biometric data is being collected or stored, and the specific purpose and length of time for which the biometric data is being collected, stored and used.

  • Obtain a written release executed by the subject of the biometric data.

  • Ensure a policy and practice whereby a private employer does not sell, trade or otherwise profit from a person's biometric data, or disclose or disseminate a person's biometric data except where permitted by law.

  • Store, transmit and protect from disclosure all biometric data in the private entity's possession using reasonable standards of care; and store, transmit and protect from disclosure all biometric data in a manner that is the same as or more protective than the manner in which it stores, transmits and protects other confidential and sensitive information.

BIPA provides for an aggrieved person to recover reasonable attorneys' fees and costs, and damages that are the greater of (1) actual damages or (2) liquidated damages of $1,000 for each negligent violation or $5,000 for each reckless or intentional violation. This statutory damages scheme has contributed to a cottage industry of class action lawsuits arising under BIPA. Legislation generally based on BIPA's framework is currently pending in a growing number of states, including California, Kentucky, Maine, Maryland, Massachusetts, Missouri and New York.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.