In response to the COVID-19 crisis, many companies are developing new biometric technologies to control the spread of the virus. Even more employers have begun collecting employee health data, such as recording employees’ temperatures or conducting COVID-19 tests on-site. In the coming months, privacy issues regarding the collection, storage and transmission of biometric data will undoubtedly push to the forefront, forcing employers to establish new security protocols.

State Regulation of Biometric Data

Several states already have laws regulating collection and use of biometric information. As biometric technology advances, it is likely that current laws will be strengthened, and new laws will be implemented. Here is a sample of existing state legislation regulating biometric data.

  • California Consumer Privacy Act (CCPA)
    This law provides both consumers and employees the ability to control their personal information. CCPA covers “biometric data generated from measurements or technical analysis of human body characteristics such as a fingerprint, retina or iris image, used to authenticate a specific individual.” CCPA applies to employers or businesses that 1) have annual gross revenue exceeding $25 million; 2) receive the personal information of over 50,000 customers, or 3) derive more than 50% of annual revenues from selling consumers’ personal information.
  • Illinois Biometric Information Privacy Act (BIPA)
    BIPA allows individuals to sue for damages resulting from unlawful storage and collection of biometric data, which is defined as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” There were over 200 BIPA class action lawsuits filed in 2019 alone.
  • New York State Stop Hacks and Improve Electronic Data Security Act (SHIELD Act)
    Effective in March 2020, this law broadens the scope of information covered under the existing data breach notification law and updates the notification requirements.
  • Other States
    • Arkansas has updated its legislative code to include biometric data in the definition of “personal information.”
    • In Texas, the Business and Commerce Code now applies to anyone who uses biometric identifiers for “commercial purposes.”
    • Washington prohibits anyone in the state from “enrolling a biometric identifier in a database for a commercial purpose, without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose.”
    • There are at least 10 other states, including Arizona, Florida and Massachusetts, that are actively developing biometric statutes.

The Role of the Federal Government

Weeks before the pandemic took hold, Congress was attempting to create national data privacy legislation, but there was disagreement on whether to include a private right of action. Major business lobbying organizations are now asking Congress to create legislation that would specifically curb liability for businesses reopening from COVID-related closures. There has also been discussion of whether individuals should be willing to forego some data privacy in the name of public health. It remains unclear what role the federal government might take in limiting liability for businesses that collect biometric information.

In the absence of nationwide action or clarity, businesses must pay close attention to applicable state laws as they begin to reopen and familiarize themselves with notice, disclosure and consent requirements, not only in the states where they operate but in the states where employees reside and information is collected.

Interested in Learning More?

To discuss the impact of biometric legislation on your operations, please connect with your Sequoia Risk Advisor directly in HRX.

Disclaimer: This content is intended for informational purposes only and should not be construed as legal, medical or tax advice. It provides general information and is not intended to encompass all compliance and legal obligations that may be applicable. This information and any questions as to your specific circumstances should be reviewed with your respective legal counsel and/or tax advisor as we do not provide legal or tax advice. Please note that this information may be subject to change based on legislative changes. © 2020 Sequoia Benefits & Insurance Services, LLC. All Rights Reserved

Mary Beth Downs – Mary Beth Downs is a Senior Risk Advisor for Sequoia, providing property and casualty consulting services to our clients helping them protect assets, scale in the marketplace, and manage risk. As a Bay Area resident for the past 27 years, she enjoys volunteering in her local community and traveling within the state as much as possible.