Biometrics in the Workplace: The Promise and Peril of Its Use
Panelists
- John Alvin Henderson, Administrative Judge, EEOC - Baltimore
- Sunita Bali, Perkins Coie, San Francisco, CA
- Anthony Zaller, Zaller Law Group, El Segundo, CA
Overview
- What are Biometrics?
- Title VII and Biometrics
  - Religious Accommodations
- Biometrics and Medical Records (ADAAA claims)
- Biometrics State Privacy Laws
  - Illinois
  - California
  - Texas
Biometrics Defined
Generally defined as the measurement or analysis of unique physical or behavioral characteristics (such as fingerprints and voice patterns), especially as a means of verifying personal identity.
Examples of Biometrics
- Fingerprint/palm biometrics:
  - Apple iPhone
  - Government PIV cards
  - Palm reader
- Facial recognition software:
  - Apple iPhone
- Iris recognition software:
  - TSA PreCheck
Utility of using Biometrics in the Workplace
- Assures that the actual employee is present at the worksite (no timecard fraud)
- Site security (lessens chance of unauthorized access to work site)
- Concerns often prompted by:
  - Costs of policing employees through other means
  - Concerns about safety through unauthorized access/former employees
  - Intellectual property theft/corporate espionage
  - Insurance/other liability risks of not using biometrics
Biometrics and Title VII
Title VII religious accommodation
EEOC v. Consol Energy, Inc.
- Case from West Virginia involving a coal miner working for Consol Energy.
- The charging party, Beverly Butcher, was a general laborer for the coal company for 35 years.
- The company decided to use a new biometric device to make sure that the people who were at the facility were its employees, and that they were showing up to work when they said they were.
- The biometric device was a hand scanner: workers checking in or out at the end of the day would scan his or her right hand through the scanner, and the shape of the hand was linked to the worker's unique personal number.
EEOC v. Consol Energy: Mark of the Beast
- Butcher was an evangelical Christian and an ordained minister; he believed that the requirement that employees scan their hands to clock in and out signified the mark of the beast, a reference to a passage from the Book of Revelation in which the antichrist marked his followers with a sign indicating that they were allied with him.
- "And he causeth all, both small and great, rich and poor, free and bond, to receive a mark in their right hand, or in their foreheads: And that no man might buy or sell, save he that had the mark, or the name of the beast, or the number of his name." (Revelation 13:16-17)
- Several cases previous to this, but not litigated with the EEOC, related to bar codes containing the mark of the beast and religious objections to them.
EEOC v. Consol Energy: Biometrics and Title VII
- Butcher complains to his supervisors that he does not want to sign in using the device. He writes a letter seeking an exemption from the biometrics policy.
- Supervisors review the letter and decide that Butcher's interpretation of the Bible is wrong, so they deny him the accommodation.
- Also, there are other employees who, due to hand injuries, cannot sign in using their hands. They are granted an exemption and can enter their employee identification number on a keypad.
- Butcher resigns in protest, and ultimately goes to the EEOC.
- EEOC files a lawsuit on Butcher's behalf and receives a verdict of $600,000.
- Consol appealed to the Fourth Circuit; the court again found for the EEOC, stating that the question of whether Butcher's beliefs were valid is immaterial. They were sincerely held, and the employer had a reasonable accommodation which was readily available and which would not create an undue hardship.
Confidential Requirements - Biometrics and the ADAAA/GINA
- ADAAA requires that any medical records maintained by the employer be collected and maintained in separate forms and in separate medical files and [are] treated as a confidential medical record. 42 U.S.C. Section 12112(d)(3).
- Exceptions for supervisors reviewing the medical records related to work restrictions and accommodations, first aid personnel, and the government.
- ADA also requires that confidential medical information not be disclosed except under limited circumstances.
- GINA also requires that any employer or union in possession of an employee's genetic information treat the information as a confidential medical record of the employee; that the information be maintained on separate forms and in separate medical files; and that the information not be disclosed to third parties except under certain narrow circumstances. 42 U.S.C. Section 206.
Confidential Requirements - Biometrics and the ADAAA/GINA
- Biometric data can be considered confidential medical information AND genetic information, within the ambit of the ADAAA and GINA.
- Employers who do not segregate the data and control its dissemination may be at increased risk of litigation.
Biometrics and State Privacy Laws
- Washington, Illinois, and Texas all have statutes regulating companies' use of biometric data.
- Illinois has received a significant amount of attention because its statute provides for a private right of action for violations of its biometrics law (BIPA), whereas Texas and Washington state do not.
- Key features of Illinois BIPA (enacted in 2008):
  - Requires company to obtain informed consent prior to data collection
  - Permits a limited right of disclosure
  - Mandates for data protection and destruction
  - Prohibits profiling based on biometrics
  - Negligent violations 1k; intentional 5k
  - Private right of action
Illinois BIPA
What does informed consent mean?
- Statute requires that collecting entity obtain consent before it may collect, capture, purchase, receive through trade, or otherwise obtain biometric information.
- Notification must be in writing
- Must describe the biometric information being collected or stored
- Must describe the length of time that the information will be collected or stored
- Must obtain a written authorization prior to collecting info
BIPA - Informed Consent in Texas and Washington
- Washington requires notice and consent in certain circumstances related to biometric markers: a requirement that the company first:
  - Provide notice;
  - Obtain consent; or
  - Create a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose
- Statute directs that the notice and consent requirement is context-dependent
- Texas BIPA states that notice must be given through a procedure reasonably designed to be readily available to affected individuals.
What is a Biometric Marker in the Context of BIPAs?
- In Washington: Data generated by automatic measurements of an individual's biological characteristics, such as fingerprints, voiceprints, eye, retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual.
- Excludes:
  - Physical or digital photographs
  - Video or audio recordings or data generated from those recordings
  - Data used for health care treatment, payment, or operations under HIPAA
- Illinois and Texas are similar in their definitions; however, they expressly include a scan of hand or face geometry
Illinois BIPA Definition and Exclusions
- Defines a biometric marker as retinas or iris scan, fingerprint, voiceprint, or scan of hand or face geometry
- Excludes:
  - Writing samples
  - Written signatures
  - Photographs
  - Human biological samples used for valid scientific tests or screenings
  - Demographic data
  - Tattoo descriptions
  - Physical descriptions (height, weight, eye color, etc.)
  - Information gathered from a patient in a health care setting
BIPAs and Disclosure of Biometric Markers
All three states prohibit the disclosure or dissemination of biometric identifiers, except in certain specific instances:
- If the individual has consented
- If disclosure required under other laws
- If in response to court process
- If the transaction is necessary to complete a financial transaction which the person has authorized
Biometric Marker Data Destruction
- Illinois: Businesses must destroy biometric information when the initial purposes of collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individuals' last interaction with the private entity, whichever occurs first.
- Washington: Biometrics should not be kept any longer than is reasonably necessary
- Texas: Data must be destroyed within a reasonable time, but no later than the first anniversary of the date the purpose for collecting the identifier expires.
Illinois BIPA and Private Litigation
- Employers sued for using biometric markers (fingerprints) for time clocks and for failing to properly segregate the records: Roundy's, InterContinental Hotels Group, Zayo Group
- Take-Two Interactive
- Shutterfly and L.A. Tan
- Facial Recognition Software: Facebook, Google, Apple,