Can your workplace store your fingerprint or facial scan data?
Oct 19, 2022

Rules around biometric data collection vary from state to state, but Illinois is at the forefront of regulating this space.

They have our Social Security numbers and probably our Amazon shopping lists. But should employers be collecting data on, say, our fingerprints, voices or retinas?

After all, these things are unique physical identifiers. And if they were somehow stolen in a data breach, they’re not easily changed like a password.

A legal case in Illinois provided one of the first tests of a state law that protects this type of data — the Biometric Information Privacy Act, or BIPA. Last week 45,000 truck drivers won their suit against BNSF Railway for collecting their fingerprints without consent.

Marketplace’s Meghan McCarty Carino recently spoke with Alan Butler, executive director and president of the Electronic Privacy Information Center, a nonprofit research organization. He said Illinois is at the forefront of a growing movement to regulate biometric data.

Below is an edited transcript of their conversation.

Alan Butler: Under the Illinois law, if an employer is going to collect biometric identifiers or biometric information from employees, they have to first disclose what they’re collecting, how long they’re planning to retain that data and what purposes they’re collecting that data for. And they have to obtain written authorization from the employee before collecting that data.

Meghan McCarty Carino: And other states do have some provisions that protect this data, right? How do they compare with Illinois?

Butler: Sure, well, Illinois is certainly the most advanced in specific protection on biometric information collection, because its law has been around for the longest, and importantly, the Illinois law has a private right of action. And what that means is that individuals or groups of individuals whose rights under the law have been violated can bring a case in court themselves directly against the company or entity that violated the law. Other states have begun to pass a number of privacy protections for many different types of data, including in California, Colorado, Virginia and Connecticut. Those laws recognize biometric information typically as a category of sensitive data. And many of them require similarly that individuals either consent to collection in advance or have strict controls on, or abilities to limit, the uses of that data or to require its deletion. But none of those laws have a private right of action like Illinois does.

McCarty Carino: What kinds of real-world biometric data collection have you seen in recent years that have been contested?

Butler: Well, fingerprinting, iris or face scanning, timesheet or some other authentication or identification regime for employees done without the requisite notification and written authorization in advance. But we’ve also seen increasingly efforts to collect broader and broader forms of biometric data, even data beyond the context of identification. So for example, companies are really trying to create tools that detect “emotion,” quote unquote. There is a significant concern that it could ever be accurate. And it certainly is a very invasive sort of monitoring, especially in the employment context, but it is something that is being both researched and discussed pretty broadly.

McCarty Carino: In the context of security authentication, I can see how biometric inputs like fingerprints or facial recognition would be really appealing to companies, which are now, you know, sort of all dealing with cyber vulnerability and that kind of thing. I mean, do you see any path where both sides could sort of have their cake?

Butler: I think in the identification context, if you look at BIPA as a model, what it’s requiring is not so burdensome that the identification uses can’t happen. But there need to be adequate protections in place, given how sensitive that data is. And if, for example, a database of employee fingerprints were breached, it’s a recognition in advance that that would be a disastrous and sort of irreconcilable outcome for the employees. There’s no way for them to get that data back. And so there needs to be sufficient protections upfront so that that doesn’t happen.

Bloomberg Law reports the truck drivers who sued BNSF won $228 million — that’s applying the maximum $5,000 penalty for each violation of the law for each one of the 45,600 plaintiffs whose fingerprints were collected without proper consent.

Alan Butler also mentioned this trend of companies trying to use biometric data to detect emotion.

Back in 2019, Butler’s organization EPIC filed a complaint with the Federal Trade Commission against a company called HireVue. It’s a recruiting platform employers use for those video interviews that are becoming more common.

EPIC alleged that HireVue’s software collected facial recognition data from candidates without any real transparency over how it would be used.

HireVue told The Washington Post in 2019 that its algorithms helped employers determine things like how excited an applicant seemed about a certain task, but one expert called it pseudoscience.

HireVue later removed the facial analysis part of its video software.

The team

Daniel Shin
Jesus Alvarado Assistant Producer