Should You Move To A Biometric Timekeeping Method?
Published by Eric A. Welter and Sarah Tudor Glaser on May 18, 2018
Keeping time records for employees via a scanned fingerprint or iris can have a number of benefits, but are they outweighed by the risks?
If you are considering moving from a standard timekeeping method like punchcards, logging into a computer, or requiring your employees to record their own time to a biometric timekeeping method, you are not alone. In fact, there are a number of companies out there vying for your business. Biometric timekeeping is similar to using a punchcard or having your employee log into your system when they start work—-except the timekeeping system uses a scan of a body feature, like a fingerprint, iris, or retina to identify the employee.
The obvious advantage to this system is that it effectively eliminates any opportunity for employees to clock in for each other and accordingly greatly reduces instances of timecard fraud. In other words, you will be collecting more accurate time data, which helps ensure wages are paid accurately and prevent timecard fraud.
With any new system, however, there are some growing pains and some risks inherent in transitioning before the law has had a chance to catch up. As an example, some, but not all states regulate the collection of biometric information, and each of the state laws that do address the issue differ in certain respects.
How Do Biometric Timeclocks Work?
Biometric timeclocks all function similarly, yet there are key differences between the systems offered. First, there may be a difference among the particular body feature that is captured—-most often it is a fingerprint, but could also be an eye, or the entire face. Second, some systems collect an actual image of the body feature, while others simply analyze biometric features, like the distance between two points on a fingerprint and do not actually store an image of the fingerprint. These differences are important for multi-state employers when it comes to determining which state laws govern your new timekeeping system.
How Are Biometric Timeclocks Regulated?
There are currently three state laws that address the use of biometric timeclocks by employers1. They are listed below with a short summary of their implications. If you intend to use a biometric timekeeping system and you have employees in one of these states, we recommend engaging counsel to ensure you are complying with the laws, which can be complicated and expose the company to the risk of class action litigation.
The strictest and most far-reaching of the three laws is Illinois’ Biometric Information Privacy Act (BIPA), enacted in 2008. Under BIPA, “biometric identifiers,” are defined as a retina/iris scan; fingerprints; voiceprints; and the scan of hand or face geometry. Biometric information relates to any information based on an individual’s biometric identifier, regardless of how that information is captured, stored, or shared (so both kinds of biometric timeclocks are implicated by this law).
Employers’ responsibilities under BIPA include:
- Develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information.
- Provide written notice that biometric information is being collected, including the purpose of collection and the length of storage.
- Obtain a written release to collect the biometric information.
- Safeguard the biometric data using means that are at least as stringent as those established for other confidential information.
The cost of noncompliance is substantial. BIPA creates a private right of action for statutory violations related to the collection, retention, storage, and use of biometric identifiers and information. Private entities can be liable for up to $5,000 per violation in liquidated damages or the amount of actual damages, whichever is greater. Private entities are also liable for reasonable attorneys’ fees, costs, experts’ fee, and injunctive relief.
Class action litigation alleging violations of the BIPA are amassing in Illinois, based many times on technical violations of the statute. Lawmakers have introduced legislation that may reduce the plaintiff bar’s ability to file class actions, but for now, employers in Illinois should obtain counsel to assist them with complying with BIPA.
Texas’ biometric privacy law is significantly limited compared to the BIPA; however, employers in Texas should still review and ensure they are complying with the language of the law. Moreover, Texas’ law does not create a private right of action, but rather is enforced by the Attorney General, who is authorized to seek damages of up to $25,000 per violation.
The Texas statute applies only to “biometric identifiers,” which are defined as fingerprints, retina or iris scans, voiceprints, or a “record of hand or face geometry.” Therefore, in Texas, companies that use biometric timeclock systems that collect information based on an analysis of the biometric identifier, such as the distance between points on a fingerprint, rather than the identifier itself are likely not implicated by the statute.
Additionally, the Texas law does not require employers to share a retention schedule or written policy document, but it does require that employees be given notice and an opportunity to consent to the collection of their biometric information.
New York Labor Law Section 201-a prohibits employers from requiring the fingerprinting of employees as a condition of obtaining or continuing employment. There are limited exceptions to this restriction. For example, the New York State Department of Labor has taken the position that voluntary fingerprinting is permissible. The New York Department of Labor (NYDOL) has taken the position that the statute prohibits: (1) requiring employees to use a biometric timeclock that requires a fingerprint to clock in even if the device does not store the actual fingerprint; (2) taking adverse action against an employee who refuses to use a fingerprint to clock in; and (3) “coercing” employees to use a biometric timeclock that requires a fingerprint to clock in. That being said, the NYDOL also stated that the statute permits instruments that measure the geometry of a hand that do not scan the surface details of the hand and fingers, leaving room for certain timekeeping systems, provided they fall within these parameters.
There are big benefits to moving to a biometric timekeeping system, including accuracy and the prevention of fraud; however, the law continues to evolve, and employers must keep abreast of developments to ensure compliance.
1. Washington State also has a law that addresses the collection of biometric information for commercial purposes, but this law does not affect employers using biometric timeclocks.↩Topics: Class Action, Complex Litigation, compliance, corporate compliance, Data Security, ethics, New York, Retail, Technology, Texas, workplace privacy