Many employers have adopted various technologies for tracking employee worktime. One type commonly used is the biometric timekeeping system (e.g., fingerprint or retina scanners) that employees use to clock in and clock out of work. A recent putative class action filed in Illinois should act as a reminder that such biometric systems may be subject to state disclosure, consent and security laws.

In the Illinois lawsuit, a group of Chicago-area employees filed a class-action suit against their employer alleging that it violated Illinois’ biometric information privacy laws by using their fingerprints to track their work hours. The employees complain that their employer: (1) failed to inform them in writing of the purpose for which their fingerprints were being collected and the length of time they would be stored; (2) did not provide them a publicly available retention schedule and guidelines for destroying their fingerprints; and (3) did not obtain written consent to take their fingerprints.

Starting with Illinois in 2008, states began passing biometric information privacy laws. Violation of these laws can carry high penalties, especially for employers.  Employers that use biometric data should stay up to date on these rapidly changing laws to ensure compliance.

Texas has a biometric information privacy law similar to the one at issue in the Illinois class action. Under Texas law, an employer may not capture a fingerprint, iris or retina scan or use facial geometry (i.e., using facial recognition software) of an individual for a commercial purpose unless the employer: (1) informs the individual before capturing the biometric identifier; and (2) receives the individual’s consent to capture the biometric identifier. Additionally, employers that do inform their employees and receive their consent to use their biometric information must comply with regulations on selling or otherwise disclosing the information; how the information is stored and secured; and destroying the information within a reasonable time. Employers that do not follow these rules could be subject to fines up to $25,000 for each violation.

Employers using biometric systems should ensure they comply with the state laws that may restrict the collection, use and retention of such information.