Continuing our series, we look today at what a company should think about when collecting biometric data. Three U.S. states—Illinois, Texas, and Washington—have laws on-point. The Illinois statute is the most specific requiring written notice disclosing the purpose of collection and the length of time biometric information will be stored. It also requires companies to obtain each individual’s written consent. Texas requires companies to inform individuals of collection and obtain consent, but neither must be written. In Washington, companies may either give notice, obtain consent, or “prevent the subsequent use of a biometric identifier for a commercial purpose.” Companies in compliance with the Illinois law would also satisfy the other states’ less specific requirements.
The Illinois statute provides a private right of action, and dozens of class action complaints against companies have recently been filed alleging inadequate notice and/or a failure to obtain written consent before collection. As we have written previously, many of these relate to employers’ collection of fingerprints for time tracking systems.
Putting it Into Practice: Companies that collect biometric information should look at their collection practices and assess if notice and consent is needed and sufficient.