Biometric Information in the Construction Industry: Best Practices on the Job Site
By: Bill Toliopoulos
What is the Illinois Biometric Information Privacy Act?
The Illinois Biometric Information Privacy Act (referred to as BIPA or the Act) is legislation enacted in Illinois aimed at regulating how private entities collect, use, and share biometric information and biometric identifiers, collectively referred to as biometric data, and imposes certain security requirements upon those entities. Under the Act, a “private entity” includes contractors, subcontractors, and vendors. BIPA is widely considered the most rigid of all biometric privacy laws in the nation and to date is the only biometric privacy law in effect that allows for a private right of action for both statutory and negligent damages. Notably, the Illinois Supreme Court has ruled that no harm must be proven in order for a claimant to recover and also allows for the award of attorneys’ fees and costs to a prevailing party. BIPA has been interpreted by courts as very favorable to plaintiffs and, with potentially uncapped damages available, has become fertile ground for plaintiffs’ attorneys.
Illinois was the first state to enact biometric privacy legislation; however, there are many states that have created substantially similar laws using BIPA as a model. In addition to Illinois, there are currently seven more states that have created laws to manage the collection of biometric information (Texas, Oregon, California, New York, Louisiana, Washington, and Arkansas). In addition, Massachusetts, Hawaii, and Arizona currently have biometric privacy legislation pending in their state legislatures. Since 2017, eight other states (Michigan, Alaska, Delaware, Florida, New Jersey, New Hampshire, Montana, and Rhode Island) have unsuccessfully proposed legislation similar to BIPA. Even though these measures failed in some states, the increased collection of biometric information by employers and other private entities will likely prompt all states to continually reexamine biometric privacy. As detailed below, best practices dictate that even if a particular jurisdiction does not have statutorily mandated guidelines, collection and storage procedures for biometric information need to be critically examined and thoughtfully implemented.
What is Biometric Information?
It is generally accepted by all jurisdictions that have enacted biometric privacy laws that biometric data consists of physical characteristics that can be used to digitally identify a person. Physiological biometrics pertain to the human body and include DNA, retinal scans, fingerprints or other characteristics (such as the shape of a person’s hand or face or the sound of their voice) that can be used as an identifier. Some states, such as California, have expanded this definition to include behavioral characteristics such as specific movements, actions, and even thought-patterns. Likewise, some states include language that can be considered a “catch all.” In Illinois, for example, the definition of biometric information is expansive and “means any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual.”
Given the state-specific definitions and variations as well as the continued evolution of these concepts, it is prudent to identify what is and what is not considered biometric data under the current laws of your particular jurisdiction.
BIPA on the Job Site
Each day, there are construction workers coming in and out of the job site. Many contractors have implemented some sort of biometric data collection system, mostly for the purposes of managing time and labor, minimizing losses due to timecard infractions, monitoring site access, preventing theft of construction tools and materials, and addressing other safety issues. Whether the data being collected are fingerprints or retinal scans, contractors must understand that these practices constitute the collection of biometric data and these procedures may be creating an element of liability not previously contemplated. These same considerations can be applied to subcontractors, vendors, and other persons who enter the site. As general contractors manage and restrict site admission, and biometric identifiers increasingly are used to gain access to a job site, the general contractor must also be aware of potential liabilities created by the collection of this data.
When utilizing biometric data to manage your job site, it is important to adhere to a few best practices as set forth by BIPA. When collecting biometric information, contractors should provide notice to all persons whose information is collected, preferably in writing, that their biometric data is being collected. This notice should be followed by gaining consent – preferably in writing – from the person. Contractors should also advise these persons about the retention policies of the contractor that describe in detail how the biometric data is being stored, the length of time it is being kept on record, and the procedure for disposing of the information. Contractors or subcontractors collecting biometric data should also provide a description of how the information is being secured as well as a guarantee that the biometric data collected will not be sold by the contractor to any third-party vendor responsible for securing the data.
COVID Considerations & Temperature Screening
During the Covid-19 pandemic, it has become common practice to scan the temperature of each person entering a job site. This practice has been supported by the Centers for Disease Control and Prevention (CDC) as well as the Equal Employment Opportunity Commission (EEOC) in an effort to curb the spread of Covid-19.
It is widely accepted that temperature screening is not considered to be the collection of biometric data, as temperature does not fall within the definition of biometric information. However, the act of taking one’s temperature for the purpose of allowing that person to enter the job site is typically considered an involuntary health examination under the Americans with Disabilities Act (ADA). While the EEOC has issued a temporary suspension of claims for mandatory temperature screening due to the pandemic, contractors should be aware that this moratorium of claims will likely come to an end and does not preclude contractors from following best practices.
In order to avoid liability for mandatory temperature screening, it is important for contractors to take precautionary actions both in practice and procedure. When choosing a device to collect someone’s temperature, contractors should only use non-contact devices. With a market full of different types of temperature collecting devices, contractors should also pay close attention to what data is being collected by the device, as some devices collect data beyond just a person’s temperature.
Similar to the collection of biometric data on the job site, contractors should also provide written notice of the temperature screening procedure and obtain written consent from those who are screened. Contractors should also provide everyone screened with a written description of how the data is being stored and secured. Notably, the EEOC requires that temperature readings must remain confidential and stored separately from an employee’s personnel files.
Merger of BIPA and COVID Precautions – Best Practices
Considering the continued rise in popularity of using biometric information in a variety of employment settings, states will be forced to continue monitoring these practices. This will result in an evolving body of law for those jurisdictions that currently have biometric privacy laws, as well as pressure those states who do not into considering new legislation to protect employees. Regardless of whether your state currently has laws governing the collection of biometric data, all contractors collecting biometric data should consider the following guidelines and best practices in order to avoid or mitigate liability.
Prepare for the temperature screening exception to end. Contractors should prepare for the moratorium on non-voluntary temperature screening claims under the ADA to end as the Covid-19 pandemic winds down. In order to best prepare for this process ending, and to mitigate the different possible reactions individuals may have based on their personal beliefs, contractors should continue to provide sufficient notice to individuals, secure their written consent to the screening, and provide updates on storage, retention, and safety protocols.
Update the Terms & Conditions of your contracts. Contractors should consider updating the Terms & Conditions of their contracts to include language allowing for unilateral modifications. In Pond v. Shutterfly, a 2020 case stemming from Cook County (IL), two plaintiffs brought a claim against Shutterfly claiming its use of facial recognition was a violation of BIPA. Of the two plaintiffs, only Pond decided to keep her account and in order to complete the registration process, she had to agree to Shutterfly’s Terms, which included a revision clause and a waiver clause. This revision clause stated that Shutterfly may “revise these Terms from time to time by posting a revised version” thus allowing for future unilateral modifications to their agreement. Three months after Pond brought suit, Shutterfly altered their Terms to include an arbitration clause stating that all users agree to arbitrate any claims. The court allowed the clause to stand and, in doing so, forced Pond to arbitrate her claim.
Develop and implement policies and procedures that address notice, collection, and retention of biometric data. As referenced previously, notice must be provided to any individual that is subject to the collection of biometric information. As a best practice, that notice should be in written form and should address the capturing of biometric data, including the type of technology being used, the purpose for capturing the data, how the data will be captured, and how the data is being stored. Contractors should also develop a written policy that establishes a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within an amount of time prescribed by your state. Contractors should also make the policy available to the public and make sure to comply with the retention schedule and destruction guidelines provided in the notice, subject to any judicial process that would require a longer retention period.
Consent. Before collecting any biometric data from an individual, contractors should obtain consent for collection and storage of biometric data. As a best practice, this consent should be in written form and filed along with a copy of the notice given to that individual.
Disclosure. Contractors should also take steps to ensure that neither the business nor any vendor storing biometric data on behalf of the business sells or discloses the data. Again, as a best practice, the steps taken should be documented in written form and a copy provided to individuals whose biometric data has been collected.
Security. Contractors must also create, implement, and document security protocols for the protection of biometric data.
Vendors. Contractors should also include appropriate provisions in vendor contracts ensuring that vendors comply with existing laws and that the contractor may retain the right to request information and have the right to be notified in the event of a suspected breach of the vendor.
Article Content is Not Legal Advice. This article is for informational purposes only. The content in this article is not legal advice and should not be construed nor relied upon as such. This is not a substitute for personal legal advice.
© Copyright 2021, Laurie & Brennan, LLP