Legal Blog

Biometric Data Privacy and Why Employers Need to Know About It

What is Biometric Data?

Every time you unlock your smartphone with facial recognition or your tablet with your fingerprint, you are using biometrics. Biometrics are a way to measure a person’s physical characteristics to verify their identity. It includes physical traits such as fingerprints, facial recognition, voice prints, and retina and hand scans.

How Does Biometric Data Relate to My Workforce?

Employers use biometric data to control access to worksites, track employees’ hours, monitor when employees pass through checkpoints, or record when employees log into internal company systems. Moreover, many more businesses have started with more employees working remotely and heightened the need to properly verify employee identity.

Depending on where your company is located, we are seeing employees bringing lawsuits for violations of the collection and use of biometric data. For example, last year a large hospitality corporation in Illinois agreed to pay $1.05 million to end biometric privacy claims that its Chicago hotel captured employee fingerprint data for timekeeping purposes without employee consent.

Are There Legal Restrictions on the Use of Biometric Data?

Yes. Right now, only a handful of states and/or cities regulate the way private companies collect, maintain and use biometric data, but more legislation is on the horizon.

For example, both California and Illinois have biometric privacy laws that are proving to be bases for a proliferation of class actions. Class actions pursuant to the Illinois Biometric Information Privacy Act (BIPA) continue to trend upward in favor of plaintiffs. For example, courts have recently rejected the defense that such claims were precluded by workers compensation laws and allowed individuals to pursue claims under the law for technical violations, even when no harm is alleged or sustained. Similarly, litigation under California’s Consumer Privacy Act (CCPA), which grants consumers the right to know what information businesses collect from them, to opt-out of disclosure of their data to third parties, and to access and request deletion of their data, is on the rise.

It appears that similar legislation across the country is on the horizon. There is legislation pending in Pennsylvania; the Consumer Data Privacy Act (CDPA) (H.B. 1049), which is a broad consumer privacy law that encompasses the use of biometric data. If enacted, it would immediately affect businesses that collect and use Pennsylvania residents’ biometric data and would create significant class action liability. Similarly, Maryland and New York both recently introduced biometric privacy legislation that mirror BIPA and provide for private causes of action and plaintiffs’ attorneys’ fees for successful litigants.

Best Practices Tip

First, consider whether you are capturing biometric data for your employees. Most commonly, this is used for time keeping purposes. Next, consult counsel regarding laws in jurisdictions where you operate. There may be small changes you can make, like ensuring you are receiving consent for collection from employees or increased security for how the data is stored, that will reduce exposure and make compliance with new legislation seamless.


Offit Kurman, one of the fastest-growing, full-service law firms in the United States, serves dynamic businesses, individuals and families. With 15 offices and nearly 250 lawyers who counsel clients across more than 30 areas of practice, Offit Kurman helps maximize and protect business value and personal wealth by providing innovative and entrepreneurial counsel that focuses on clients’ business objectives, interests and goals. The firm is distinguished by the quality, breadth and global reach of its legal services and a unique operational structure that encourages a culture of collaboration. For more information, visit