Legal experts warn of uncertainty and inconsistency in biometric and health-tracking technology rules
Biometric technologies are being rolled out to support health risk evaluations from a distance as people return to work, but the regulations around these technologies remain a complicated patchwork in need of an update, a trio of attorneys from Reed Smith LLP write for Law360.
In the absence of an overarching federal law, state and municipal privacy laws that differ from place to place could prove onerous for companies attempting to deploy them. The circumstances in which a retail store or business can use biometrics and other technologies to determine who can safely enter or work differ depending on the jurisdiction, and are not necessarily clear.
At the same time, the potential for biometrics to irrefutably link people to their health status presents a tremendous potential opportunity. Consent may be required, and businesses putting systems into place may have to meet requirements for notification and disclosure.
The attorneys note that the location of biometric data collection is becoming a “threshold issue” the determines what laws apply. They count 39 laws proposed or already passed at the city, state, and federal levels that could apply to facial recognition or biometrics in general.
Those regulations tend to fall into two categories, requiring either the satisfaction of obligations prior to biometric data collection, or imposing responsibilities on businesses once they have biometric data in their possession, such as for breach protection and notification.
Landlords may also face requirements specific to biometrics when implementing screening systems, depending on what state they are operating in.
The attorneys recommend that real estate owners, operators and managers ask if they are required to provide written notice and receive written consent prior to using biometric screening systems, what the rules are for storing and disposing of biometric data, whether they can sell the information they collect, whether customers can file lawsuits related to biometric data privacy, and whether data can be shared with third parties.
A legal analysis from Bloomberg Law emphasizes that despite the new conditions forcing employers to handle more information about employee health and adopt new technologies, privacy laws remain the same.
The Equal Employment Opportunity Commission has noted that under the Americans with Disabilities Act (ADA), COVID-19 could be considered a direct threat, which would reduce the restrictions on seeking employee health information. The Centers for Disease Control have recommended that workforces be told when an employee tests positive, but without revealing that employee’s identity.
The ADA also requires that any employee health information be kept private and stored separately from personnel files.
Digital tools linking health information with unique identifiers could violate some regulations, and the details of tracking applications are not yet widely understood. Smartphone-based systems also raise the risk of data being inappropriately collected beyond the workplace.
As in the Law360 article, Bloomberg Law writes that state laws could be an additional stumbling block. California, New York and Illinois all impose extra considerations, in the CCPA, SHIELD Act, and BIPA, respectively.
“The pandemic doesn’t shield employers from liability if they collect or handle employee data incorrectly in the name of ‘safety first,’” Legal Analyst Dori Goldstein warns.