What hotels need to know about biometric privacy laws

From face recognition to thumbprints and retina scans, the use of biometrics in the workplace provides innumerable benefits to security and efficiency. There can be some big downsides, too, if policies aren’t put in place to safeguard employees. In order to avoid liability, employers should become familiar with biometric privacy acts, consumer privacy acts and data breach notification requirements.

Currently, three states have enacted biometric privacy laws: Illinois, Texas and Washington. The biometric privacy law against which all other laws will be judged is the Illinois Biometric Information Privacy Act. The BIPA is the only law of its kind that provides for private enforcement actions allowing plaintiffs to recover $1,000 per offense, which can be increased to $5,000 if violations are considered intentional or reckless, plus attorney fees. The “plus attorney fees” of that equation is probably the most scary part. Just ask Facebook: it’s facing a request for $110 million of attorney fees arising from the settlement of a BIPA suit. On top of that, plaintiffs can allege technical violations of the BIPA without the requirement of any actual harm. And injuries under the BIPA are not pre-empted by the Illinois Workers’ Compensation Act. 

Generally speaking, the BIPA restricts the ability of a privacy entity to “collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifier or biometric information.” Biometric identifiers include uniquely human characteristics such as face and voice recognition, handprints, fingerprints, and iris and retina scans. The BIPA also covers any biometric information that is derived from the biometric identifiers and used to identify a person. Such information is usually collected for identification and/or authentication, including in the employment context, for accurate timekeeping, logging on to employer devices, activating machinery and building access. The Illinois legislature stated that heightened protection for biometric information is justified by the fact that once this type of information has been compromised, it obviously can’t be changed (without some serious cosmetic surgery, anyway).

Commercial Collection

Texas and Washington have similar laws but, unlike the BIPA, they only address the collection of biometric identifiers for a commercial purpose. Commercial purpose is not defined by the Texas statute, but can reasonably be construed to include the process of hiring and compensating employees as well as providing employees with secure access to business systems for purposes of operating the business. Under Washington law, commercial purpose is much more narrowly defined and only applies when the biometric identifiers are collected for sale or disclosure to a third party for the marketing of goods or services that are unrelated to the transaction in connection with which the biometric identifiers were were collected. Collection for a security or law enforcement purpose also is excluded. Accordingly, the collection of biometric identifiers in the normal course of an employment relationship may not trigger application of Washington’s biometric data law.

The other big difference between the Texas and Washington laws and the BIPA is that the former are enforceable only by the state attorney general. Although, if violations are found, penalties can be harsh, i.e. up to $25,000 per violation in Texas and as much as $500,000 per violation in Washington. 

Also of relevance are privacy and data protection laws. The California Consumer Privacy Act has received a lot of press since becoming effective and provides protection to all residents of California, including employees. The CCPA contains a very broad definition of personal information that includes biometric identifiers. Although amendments to the CCPA have delayed the implementation of many provisions of the CCPA to employers through Jan. 1, 2023, the amendments do not grant exemptions with respect to all obligations under the CCPA. For example, employers are required to inform employees what categories of personal information are being collected and for what purposes, and employers are required to maintain reasonable security practices. If adequate security is not maintained and the information becomes the subject of a data breach, an employee may have the right to sue his/her employer. In 2019, California also extended the reach of its data breach notification laws to biometric information.  

What You Need to Know 

Employers also need to be aware of local laws and regulations. On Jan. 1, an ordinance of the city of Portland became effective that completely bans the use of facial recognition technology by private entities in places of public accommodation, which include hotels and restaurants. Similar laws exist in other jurisdictions, but only apply to the public sector (i.e., law enforcement). Like the BIPA, the Portland ordinance also allows for a private right of action if a plaintiff is injured by a material violation with possible damages of $1,000 per day of violation and attorney fees. The Portland ordinance does exclude facial recognition technology used for verification purposes by “an individual to access the individual’s own personal or employer-issued communication and electronic devices.” However, it is not clear whether a time clock that scans employees faces for purposes of tracking time would fall within this exception.

With the patchwork of laws and enforcement procedures, the enactment of a uniform federal law would be beneficial. In August 2020, the National Biometric Information Privacy Act of 2020 was introduced in Congress and was similar to the BIPA. The bill didn’t receive a vote, but with the incoming administration, that may change. But even if a federal law is enacted, there are likely to be further disputes regarding whether it trumps protections offered under state laws. 

Tara L. Lattomus is an attorney with Eckert Seamans Cherin & Mellott.