Attendance on Demand will require employee consent to use and store biometric templates used by clocks as of August 1, 2022.
Biometrics is the technique of recognizing people with their unique physiological patterns. Leveraging biometrics for user identification and authentication improves security and convenience, especially to verify an employee’s identity when they punch or perform other transactions at the time clock.
The biometric template consists of a series of measurements of the employee’s fingerprint, hand, face, or iris and is turned into a digital value. These characteristics are unique to an individual and do not typically change over time. Because of this, biometrics has gained popularity in recent years due to its speed and accuracy.
Privacy advocates often express concerns regarding collecting and using biometric data. Unfortunately, no all-encompassing law protects user privacy and regulates the collection and usage of personal information by private or government organizations. However, several states have started to make their own laws around biometrics.
Illinois
Illinois became the first state to enact Biometric Information Privacy Act (BIPA) in 2008. BIPA requires businesses and organizations to establish a policy for collecting, storing, and destroying biometric data and making it publicly available. Users should be served with a notice before collecting their biometric identifiers with the purpose and duration of such collection. The statute requires consent before collecting biometric data and prohibits companies from selling or making a profit from it. Illinois’ BIPA is unique because of its “Private Right to Action”. Rather than a government body, individuals can file a lawsuit against the employer for violating the BIPA. Unfortunately, cases totaling nearly $50 million have hit companies for even minor violations of the BIPA.
Texas
Texas codified the use of and capture of biometric identifiers (Texas Business and Commerce Code 503.001) in 2009, which states a person may not capture a biometric identifier of an individual for a commercial purpose unless the person informs the individual before capturing the biometric identifier and receives their consent to capture the biometric identifier. In addition, biometric identifiers cannot be sold or disclosed to other parties unless certain conditions are met as detailed in the law. The most significant difference between Texas and Illinois is that only the attorney general may bring action against the Code in Texas.
Washington
Governor Inslee signed House Bill 1493 in 2017, which sets forth requirements for businesses that collect and use biometric identifiers for commercial purposes. The legislation puts both notice and consent requirements like Illinois and Texas versions of BIPA.
Other states have bills in place that are similar to those cited above as part of their Privacy Act but do not specifically discuss biometrics, including Arkansas, California, Colorado, Maryland, New York, Oregon, and Virginia.
What does this mean for you?
The biometric clocks below will be updated to prompt for biometric consent no later than August 1, 2022:
- GT-400 Hand Scanner
- IDPunch 7
- IT 3100
- IT 3200
- All IntelliTouch models
The IRIS ID iT100 already requires biometric consent.
Consent for the use of biometrics must be received from every employee using a biometric clock.
Employees enrolled before this required biometric consent will now be asked to provide consent after they punch in or out. If employees cancel the consent screen or walk away from the time clock, the prompt for consent will appear at each punch for the following ten days, after which their template is removed. After giving consent, they can continue to use the time clock as usual. If the employee does not consent, it immediately deletes their biometric templates. The next time they attempt a transaction at the time clock, they will not be able to use the biometric clock successfully. A supervisor must re-enroll the employee to continue using the clock, and the employee will require consent during the enrollment process.
If employees do not punch for 90 days, a supervisor will have to re-enroll them upon their return to work. This occurrence may happen with seasonal employees or someone on extended leave. If the employee does not use the clock for 90 days from the time of the update, their biometric template is removed.
In addition, employees can revoke consent at any time. When employees revoke consent, their templates are deleted immediately. The next time they attempt a transaction at the time clock, they will not be able to use the clock successfully.
The Biometric Consent Language is posted here.
How can we help?
Time Equipment Company has always secured, and protected biometric data and will continue to do so. We find the best way to minimize this transition is through proper communication with your employees. If you have one of the listed biometric clocks, you should receive communication from Time Equipment Company in mid-June to discuss how to navigate this process best. For more information about biometric consent, contact Time Equipment Company at 800-997-8463 or sales@timeequipment.com.