The Collection of Worker Biometrics: Is Consent Really Consent?
By Lynda J. Grant[1]
Over the past few years, there has been an explosion in the use of biometric technology. In the consumer arena, everything from opening i-Phones, to ticketless entry in stadiums, grocery store check outs, and security clearance at airports, turns on the collection and use of biometric information. In the employment field, employers now use biometric technologies to track employees and to analyze or predict their behavior in the name of workplace efficiency. Fast food workers and other low wage earners supply and use their fingerprints to clock in and out in order to avoid “buddy punching”[2], and at the point of sale to open cash registers to ring up sales. Warehouse workers or pickers provide their voiceprints, to train voice reliant systems, which then instruct them to them to pick specific products in designated areas of the warehouse to fill outstanding orders, while monitoring their pick rate. Truck drivers are monitored through iris scans to ensure that they are keep their eyes on the road, noting when they have viewed their cellphones or are getting sleepy, and construction workers supply face scans for use by facial recognition technology to ensure that employers know who is on the job site.[3] In short, the use of biometric technology is ubiquitous.
Unlike passwords, or even social security numbers, that are often used to identify consumer accounts or gain entry to websites, this biological information cannot be changed or altered if it is disclosed to unauthorized third parties or sold or misused by the entity collecting it. Biometric identifiers are immutable biological identifiers such as fingerprints, iris or retina scans, hand scans, voiceprints, and facial geometry. Illinois Biometric Information Privacy Act (“BIPA”), 740 ILCS 14/10. Biometrics can also include DNA and genetic information, keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information. Cal. Civ. Code §12798.140(b).[4] Thus, the disclosure of this unalterable identifying information in a data breach, or because it has been sold to or shared with a third party is especially devasting and can easily result in years of identity theft, and financial and other incidences of misuse. Further, it can result in an onslaught of targeting advertising or workplace monitoring and evaluations based upon employee biometrics.[5] Consumers nonetheless often consent to its collection and use for the sake of convenience. Where consumer consent is clear (and often it is not), consumers may have limited arguments when their biometric information is sold or shared by the collecting agent to third parties for advertising or other profit-making purposes.
While a consumer may opt for the convenience of a palm scan to purchase his favorite grab and go sandwich, minimum and low wage workers are often required to provide their fundamental biometric identifiers as a condition of employment. Because of their finances, and their lack of other opportunities and understanding of their rights, these workers may have little choice but to provide their employers with these immutable identifiers or else find themselves without a job. They may not know where this information is stored and if it is protected from hackers, how it will be used or shared with third parties, or whether it will be properly deleted once their employment is terminated. Nonetheless, for them, supplying the fundamental elements of their biology is not a matter of convenience, but rather of survival.
Despite these risks, there are few if any protections or regulations in place to protect workers from the misuse of their biometric information or governing when they can be deemed to have consented to its collection. Moreover, where worker consent to biometric collection is a condition of employment, there is a legitimate question as to whether that consent is knowing and real or whether it is merely window dressing: can a worker can afford to withhold consent when his employment is conditioned on providing it.[6]
There is Little Legislation Protecting Employees
Unsurprisingly, neither the federal government nor most state or city governments have been able to keep pace with the burgeoning use of biometric technology, leaving wide gaps in employee (and consumer) protection. There are no federal laws specifically addressing biometric collection. Although the Federal Trade Commission may have the power to issue pertinent regulations under Section 5 of the FTC Act,[7] see ACLU Comment on Newly Released FTC Policy Statement on Biometrics, May 9, 2023 at 4:00 p.m., ACLU Comment on Newly Released FTC Policy Statement on Biometrics | American Civil Liberties Union, it has not yet done so.
A handful of states and cities have tried to pick up the slack, adopting biometric statutes that offer varying degrees of protection. For the most part, the focus of these statutes is the protection of consumer biometrics, attempting to ensure that consumer consent is obtained before their biometrics are collected, especially where it is or could be shared with third parties for advertising and other profit-making purposes. Where there is a worker-oriented statute, it generally fails to provide a private right of action and often provides fewer protections over worker biometric identifiers than that provided to consumer biometrics. While these statutes may require a worker to consent before collection of his biometric information, they fail to disconnect consent from an offer of employment or continued employment.
The model for most biometric statutes is the Illinois Biometric Information Privacy Act or BIPA. BIPA provides workers with the greatest protection of their biometric information.[8] Unlike many other state statutes, BIPA specifically requires that “private entities”, which has been interpreted to include employers, that collect and use a person’s biometric data first have a written biometric policy made available to the public, that, inter alia, discloses when the biometric information will be deleted. 740 ILCS 14/15(a). It further provides that no biometric information may be collected, captured, purchased or received through trade, unless the subject has been informed of the collection, and the reason and length of time for which the information is being collected and used, and the collecting entity obtains a written release. 740 14/15(b)(1)-(3).[9] BIPA, however, only applies to private entities that collect biometrics in Illinois from those working in Illinois. Miller v. Southwest Airlines Co., 926 F.3d 898, 905 (7th Cir. 2019). Enacted in 2008, BIPA has inspired an avalanche of litigation against Illinois located employers, who failed to comply with its dictates. This is undoubtedly because of BIPA’s private right of action, which allows wronged employees to sue their employer for statutory damages ranging from $1,000 to $5,000, depending on the circumstances, and to recover attorney’s fees and expenses. 740 ILCS14/20 (a)(1)-(3).[10]
Modelled to a large extent on BIPA, Texas adopted its own biometric statute known as CUBI—the Capture or Use of Biometric Identifier Act. Tex. Bus. & Com. Code Ann. §503.001 et seq. CUBI is generally believed to cover the collection of biometric information from employees and to be applicable in the employment situation, although it does not explicitly discuss employee biometric information. Biometric Identifier Act, Ken Paxton Attorney General of Texas, https://www.texasattorneygeneral.gov/consumer-protection/file-consumer-complaint/consumer-privacy-rights/biometric-identifier-act (last viewed on January 20, 2025). Like BIPA, CUBI provides that before the collection of biometric information can occur, a company must provide notice and obtain an individual’s consent. Unlike BIPA, however, CUBI fails to provide a private right of action and is enforceable only by the Texas attorney general’s office. Id. Colorado too just recently enacted H.B. 24-1130, an amendment to the Colorado Privacy Act (“CPA”), which will become effective on July 1, 2025. H.B. 24-1130 explicitly requires employers to obtain consent before collecting and using biometric information. However, the requirements for collecting employee biometric information are far less comprehensive than the those that the CPA imposes for collecting consumer information and again fails to provide a private right of action. Perhaps most disturbing, the statute specifically allows employers to condition continued employment on a worker’s consent to the collection of his biometric information in situations where employers most commonly collect biometric identifiers—effectively undercutting the very purpose of providing notice and consent to workers in the first place.[11] Further, H.B. 24-1130 violations are only enforceable by the Colorado attorney general and district attorneys.
California’s Consumer Privacy Act of 2018, Cal. Civ. Code §1798.100-1798.199.100 (“CCPA”) imposes a somewhat different regime, providing employees with the right to know when their employers are collecting their data, the right to access that data, the right to correct and delete that data, and to limit their employer’s right to use the sensitive data, among other things. The Act is enforceable by the California Privacy Protection Agency and the California Attorney General, which may impose fines on the employer, but does not provide a private right of action. See Kung Feng, Overview of New Right for Workers under the California Consumer Privacy Act, December 6, 2023, https://laborcenter.berkeley.edu/overview-of-new-rights-for-workers-under-the-california-consumer-privacy-act/#:~:text=The%20CCPA%20applies%20to%20a,not%20meant%20for%20the%20employer,.
Finally, New York State has a provision that precludes employers from taking employee fingerprints “as a condition of securing employment or of continuing employment”, N.Y. Lab. Law §201-A (“Section 201-A”), but says nothing about the collection of other biometric identifiers.[12] New York City has its own biometric policy, that requires businesses using biometric technology to post a specific warning to those entering its premises (thereby presumably obtaining consent), but seemingly applies only to consumers and certain kinds of businesses. See Local Law 3, N.Y.C., Admin. Code, title 22-1201, et seq. (“New York City Biometric Identifier Information Law”).
While several other states and cities have adopted biometric statutes, they are not generally interpreted as applying to the employment situation. See, e.g., Washington Biometric Privacy Protection Act (H.B. 1993); Oregon Consumer Identity Theft Protection Act (“CITPA”), Ore. Rev. Stat. §646A.602; Portland City Code, Title 34.10.010-34.10-050. Other privacy statutes related to biometrics specifically exclude the employment situation from their scope. See Virginia Consumer Data Protection Act, Code of Virginia, §§59.1-575, et seq. (specifically excludes employment context); The Connecticut Data Privacy Act (“CTDPA”)(applies to consumers); Utah Consumer Privacy Act (“UCPA”), Utah Code §13-61-101(applies to consumers).
This brief survey of biometric statutes reveals that only a handful of states and cities provide protection to worker biometric information, and an informed consent regime. Despite the fact the most low wage and minimum wage workers have little choice but to agree to supplying their biometric information, the current statutory schemes fail to provide them with a right of action or the extensive protections provided to consumers’ biometric data.
Consent Tied to Employment Is Ephemeral
Even more concerning is the fact that worker consent to supplying biometric data, can be tied to employment—effectively placing low wage and minimum workers in a “take it or leave it” situation. Consumers who are unhappy with the protections being afforded their biometrics, can merely avoid using the technology. For instance, a baseball fan can opt for purchasing and carrying hard copy tickets to the stadium rather than enrolling in a biometric program for ticketless entry. iPhone users can opt for using a numeric password rather than providing their facial scan or fingerprint to open their phones. Low or minimum wage earners do not have that luxury– they cannot simply walk away from a potential or current job in order to avoid providing their biometric identifiers. This is especially concerning since the type of jobs available to them, are the very types of jobs where biometric technology is most commonly used, i.e. jobs where workers clock in or out, or where the speed or rate of their performances is measured and monitored. With the exception of New York’s Section 201-A, virtually none of the statutes decouple employment from consent and thus risk of supplying biometric information. In fact, as noted above, Colorado’s newly enacted H.B. 24-1130, explicitly allows an employer to tie continued employment to the provision of biometric information, albeit for specific purposes. Thus, the current crop of biometric statutes, to the extent that they protect worker biometrics at all, exacerbate rather than ameliorate the power disparities that already exist between those workers and their employers.
That is even true of BIPA, the paradigm for other biometric statutes. Case law notes that the heart of BIPA is its informed consent provision—Section 15(b), which in turn is based upon the fallacious reasoning that workers who are presented with statutory consents have the option to forego engaging with a biometric system and refusing to consent. Courts have held this even when the record in the action makes clear that the plaintiff’s continued employment is conditioned upon consenting to the use of the biometric technology. See, e.g., Cothron v. White Castle Sys., 467 F. Supp. 3d 604, 612 (N.D. Ill. 2020) (explaining that plaintiff, a long time manager of a fast food restaurant, was presented with a BIPA policy and consent years after defendants’ adoption of a biometric time clock system, use of which was a condition of her continuing employment, and that had she been timely presented with it, might not have opted to engage with it); Figueroa v. Kronos Inc., 454 F. Supp. 3d 772, 779, 781 (N.D. Ill. 2020) (assuming that plaintiffs, who provided their fingerprints as a condition of employment, which was then relayed to a third party time keeping company, could have objected to the way in which their biometric data was handled, thus finding that they thereby had standing to assert a claim under Section 15(b)). Plaintiffs in BIPA cases have seemingly failed to argue that BIPA’s informed consent statute is ineffective for many classes of workers who have no choice but to accept these terms for employment. Consequently, the cases, and the Illinois State legislature has been able to avoid the thorny issue of whether the informed consent scenario is actually effective in protecting workers’ biometrics and rights or merely coercing them into an untenable situation.
The Risks of Collecting Workers’ Biometrics
Some of the risks to workers of the collection of their biometric identifiers are apparent: the potential that these personal identifiers are disclosed in a data breach, hack or ransomware attack leading to identity theft, or the misuse of that information at financial institutions, i.e. the duplication of their voices which is then used in engage in voice enabled banking, or use at other institutions to bypass authentication measures.[13] Without a detailed regime governing the use of worker biometric identifiers, moreover, employers may transmit such information to third parties, including vendors upon whom the employer relies for biometric services. In that case, control over that information is lost, or may be subject to a less comprehensive compliance system of a third party of which the worker is unaware.
The use of biometric technology in the workplace, moreover, may raise civil rights violations. Biometric technology is notorious for misidentifying and misclassifying individuals, especially individuals of color, and could well result in businesses wrongly matching employees with criminals or others associated with wrongdoing. See, e.g., CPA, §2(a)-(b) (noting the high incidences of misclassification resulting from the use of biometric technology). Moreover, it can result in the violation of religious and other personal precepts. See United States EEOC v. Consol. Energy, Inc., 860 F.3d 131 (4th Cir. 2017)(holding that employer’s failure to provide employee with a reasonable alternative to a biometric hand scanner, which, based on religious convictions, employee believed was the “mark of the beast”, constituted a violation of Title VII of the Civil Rights Act of 1964, especially because it resulted in employee’s constructive discharge, and other employees had been allowed to use keypad clock ins).
As the use of biometrics in the employment arena increases, it is clear that further legislation is needed to address the issues raised here and that less risky alternatives to the use and collection of worker biometric identifiers is needed. Minimum and low wage workers must be provided with a real choice as to whether to provide their identifiers and such collection and use should not be tied to their ability to secure or maintain employment. Given businesses’ increasing reliance on ever more sophisticated biometric technology to decrease their costs and increase their profits, it seems highly unlikely that such legislation will be passed in the near future.
[1] Lynda J. Grant is a well-known class action attorney in New York City, practicing in the privacy, biometric and data breach fields.
[2] Buddy punching occurs when one worker punches a time clock in or out for another worker—conduct that can be avoided with biometric time keeping systems.
[3] Biometric data is the result of specific technical processing on key features of a person’s physical identity that cannot be easily changed, like facial features, eye shape, and the sound of a voice. Biometric data used in a recognition system is a unique identifier that can link across multiple databases. Although the biometric information is stored in digital form as a series of numbers, in many cases it can be reversed engineered and used to identify the original biometric sample and infer some of a person’s characteristics. Gwynneth Tan, Niamh Millais, Shoosmiths, ICO issues updated guidance on using biometric data in monitoring workers, https://www.shoosmiths.com/insights/articles/ico-issues-updated-guidance-on-using-biometric-data-in-monitoring-workers.
[4] As explained in BIPA, “[b]iometrics . . . are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.” Id. at Section 14/5 (c).
[5] See Anna Patty, How biometric monitoring can impact on your career, The Syndey Morning Herald, January 5, 2019, https://www.smh.com.au/business/workplace/how-biometric-monitoring-can-impact-on-your-career-20181203-p50jy6.html; Elizabeth Brown, A Healthy Mistrust: Curbing Biometric Data Misuse in the Workplace, Vol. 2, 23 Stan. Tech. L. Rev. 252, 257-58 (2020), https://law.stanford.edu/wp-content/uploads/2020/06/Brown-A-Healthy-Mistrust.pdf (focusing on workplace wellness programs, and noting, inter alia, that the potential misuse of biometric health monitoring in the workplace raises unique issues given the relationship of trust inherent in the workplace and the immutability of biometric data).
[6] Employers, of course, condition employment upon this purported “consent” as otherwise they would be unable to effectively employ biometric technology in their operations.
[7] The FTC issued a policy statement entitled Policy Statement of the Federal Trade Commission on Biometric Information and Section 5 of the Federal Trade Commission Act. See Commission Policy Statement on Biometric Information. The policy specifically states that it does not confer any rights on any person and does not bind the FTC. Id. at note 1. Moreover, it primarily concerns consumer rather than employee biometric data collection.
[8] Notably, BIPA never specifically states that it applies in the employment situation. However, it applies to any “private entity” collecting biometric information, and its requirements for pre-collection consent apply to any “person” or “customer”. Section 15(a)-(b).
[9] BIPA further prohibits a private entity from selling, leasing, trading or otherwise profiting from a person’s or customer’s biometric identifiers. 740 ILCS 14/15(c).
[10] Some employers have tried to combat BIPA class actions, seeking millions in statutory damages, by inserting arbitration clauses covering all employment related claims into their employment agreements, and have been generally successful in compelling arbitration. Illinois courts have found that BIPA claims can be arbitrated. See, e.g., Tyson v. Margolin Shoes, Inc., Case No. 19 CH 11040, 2020 Ill. Cir. LEXIS. 1255, at *16-17 (Cir. Ct., Cook Cty. Mar. 4, 2020)(finding that BIPA claims fell within the scope of the arbitration agreement).
[11] Under the CPA, employers can condition employment on consent for the collection of biometric identifiers to: permit access to physical locations, to clock in and out, to monitor workplace safety or security and to monitor the security of the public. CPA, §§6-1-1314, Section 6 (I)-(IV).
[12] Significantly, the New York Department of Labor (“NYDOL”) has issued an opinion that employees using fingerprint scanning biometric time clocks violate this provision. Specifically, the NYDOL explained that: (1) requiring employees to use a biometric timeclock that requires a fingerprint to clock in and out likely violates Section 201-a, even if the device does not store the actual fingerprint; and that (2) taking adverse action against an employee who refuses to use a fingerprint to clock in; and (3) “coercing” employees to use a biometric timeclock that requires a fingerprint to clock in, is not permitted. However, the NYDOL made clear that the statute permits: (1) voluntary fingerprinting of employees; and (2) instruments that measure the geometry of a hand that do not scan the surface details of the hand and fingers. NYDOL Opinion, April 22, 2010. In the event of a violation, New York law allows employees to bring civil actions against their employers for liquidated damages. See N.Y. Lab. Law §215(2)(a).
[13] Biometric data are digitized data, and stored as 1s and 0s on a server. Once saved, they can be coped onto backup files and stored on servers anywhere in the word. If one of the servers is compromised, the biometric data can be stolen and copied. Julia O’Toole, The Real Risks of Biometric Authentication, Spiceworks.com, July 12, 2023, https://www.spiceworks.com/it-security/identity-access-management/guest-article/the-real-risks-of-biometric-authentication/. Because of technological advances and artificial intelligence, hackers can easily recreate biometric data from photos or voice recordings. Id.