BCLPatWork.com
U.S. COVID-19: Biometrics and Business Re-Opening
May 14, 2020Now that wearing gloves has become the new normal because of the COVID-19 pandemic, biometric privacy litigation, which in recent years has centered on employers’ use of finger-scan timekeeping technology, may ultimately shift in focus to the measures that businesses implement as employees return to the workplace and customers begin to frequent their favorite establishments. Body temperature checks, used to screen employees and visitors for a fever, are one such measure being considered as a first line of defense for public health.
To mount a defense against, or avoid altogether, biometric privacy class action litigation, businesses open to the public and employers must have a comprehensive understanding of the thermometer or thermal imaging technology selected—and the data it captures—before rolling out temperature screenings on a widespread basis. Among the technologies available are:
- Non-contact infrared thermometers that use lasers to measure temperature from a distance;
- Thermal imaging cameras that detect elevated skin temperatures compared against a sample of average temperature values;
- Monitoring systems that use thermal and color visual imaging to detect fevers in high-volume pedestrian areas; and
- “Wearables” that can use radiometric thermometry measuring electromagnetic wave emissions.
While temperature screening has been endorsed by the Centers for Disease Control and Prevention, the Equal Employment Opportunity Commission, and various state and local governments, biometric privacy laws have not been suspended or amended. The Illinois Biometric Information Privacy Act (“BIPA”) regulates the possession, collection, capture, purchase, receipt, and sale of “biometric identifiers” and “biometric information”—defined to include retina or iris scans, fingerprints, scans of hand or face geometry, and “any information [based on those biometrics], regardless of how it is captured, converted, stored, or shared.” Both Texas and Washington have biometric statutes covering similar information, and the California Consumer Privacy Act (“CCPA”) and New York’s Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) now cover biometrics.
Business owners, operators, and employers should thoroughly assess whether their temperature screening methodologies implicate any of these laws. Whether biometric-specific statutes are triggered can depend on: what the device scans and how; the extent to which temperature information is associated with a specific individual; and whether temperature data is saved or immediately overwritten.
At this time, there is no legal authority to state that collecting body temperatures, on their own, constitutes a collection of “biometric information.” However, out of abundance of caution, to ensure full compliance with the BIPA and similar biometric privacy laws, businesses may want to consider taking the following steps:
- Making publicly available a policy/notice that describes what information is (or is not) being collected;
- Informing visitors, employees, and anyone else entering the premises about the reason for using the technology;
- Establishing retention and destruction guidelines for any data collected; and
- Obtaining consent (ideally, in writing) prior to any temperature screening. State laws may need to be consulted regarding the sufficiency of electronic signatures or non-signature consent processes.
Related Practice Areas
-
Employment & Labor