Biometrics refers to the use of technology which identifies individuals based on their physical characteristics or habits, which may include fingerprints or keyboard typing. The use of biometrics has both positive and negative reviews.

Some individuals claim that biometrics increases security measures and contributes to the protection of personal information. Other individuals claim that biometric methods may be invasive because they often use physical characteristics in order to obtain information.

A biometric identification system is commonly used when granting or denying access to a secured area or secured information. Biometric technology is commonly used for other things as well, including:

  • Immigration. Biometrics is used to confirm the identity and immigration status of a particular alien. The Secure Communities Program uses biometric fingerprint technology to identify and deport certain illegal aliens;
  • National security concerns. Biometrics is used to identify potential terrorists; and 
  • Various health service applications. Biometrics may have many uses, including:
    •  accessing records; 
    • maintaining medical files; 
    • storing pharmaceutical; 
    • medical histories; and
    • other possible applications.

Biometric technology is becoming more widely used for everyday purposes, such as commercial transactions, or making purchases, in addition to the common uses listed above. A biometric system utilizes computer technology to scan for characteristics which are unique to each individual. 

Identifying characteristics used in biometrics can be divided into two separate groups, physical traits and personal habits.

A physical trait may include a scan to determine characteristics such as:

  • Facial structure;
  • Fingerprints;
  • Eye structures;
  • Thermal emissions, or heat signatures;
  • Chemical compositions; and
  • DNA signatures.

The reading of a personal habit may include an analysis of:

  • Voice prints;
  • Keyboard stroke habits;
  • Typing habits;
  • Handwriting samples; and
  • Signatures. 

The distinction between a physical reading and a habit reading is very important because the method employed may raise different legal issues. For example, many individuals would perceive DNA samples or eye scans to be an invasion of property. On the other hand, fewer individuals would likely feel that a handwriting analysis is an invasion of their privacy.

If a company is considering using biometrics, it should:

  • Clearly state the purpose and uses of the biometrics system in the company policies or handbooks. These policies should provide avenues for an employee who is concerned to voice those concerns or to file a complaint;
  • Indicate whether the biometrics system is being used for verification or identification purposes; and
  • State whether the biometrics technology is optional or is required, or voluntary or compulsory.

What Does California Law Say About Biometrics and Privacy? 

Because biometric technology is so new, there are very few laws which specifically address the use and application of biometrics. There are, however, many laws which govern confidential information and employees’ privacy laws and employees’ privacy rights, including the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act (HIPAA)

These are, however, very general laws which deal with overall confidentiality in a particular sector. They may cover issues such as employee privacy rights regarding personal information. As the use of biometric technology increases, there will likely be an increase in these types of laws with more specific applications, such as biometric privacy laws.

California has recently passed some laws related to biometric privacy. The California Consumer Privacy Act (CCPA), effective January 1, 2020, requires an employer to comply with requirements regarding biometric information, including:

  • Collection;
  • Storage; and
  • Use.

The State of California has statutes which require some form of notice and voluntary consent prior to biometric information being collected by a private company. The CCPA applies to an employer’s collection of data for job applicants and employees.

The CCPA applies to a company doing business in the State of California which meets any of the following thresholds:

  • An annual gross revenue exceeding $25 million;
  • The company annually receives, buys, or shares the personal information of more than 50,000 households, consumers, or devices for commercial purposes, separately or in combination; or
  • The company derives 50% or more of its annual revenues from selling personal information of consumers.

What are Some Common Privacy Concerns Connected with Biometrics? 

A major concern regarding the use of biometric technology is the issue of violation of privacy. Individuals who are subjected to a biometrics reading or scan typically feel that the procedure is physically invasive, especially if it involves a reading of body parts.

Another major concern regarding the use of biometric technology is information security. A biometric reading is often stored in a database which may be accessed by the employer or a government agency.

There are questions which have been raised regarding the use of information that is obtained using biometric systems. This information may include very private information, including bank accounts and medical histories.

Currently, if a legal issue is raised regarding biometrics, it will typically be resolved using a traditional balancing test used to determine privacy rights. A court will weigh the individual’s expectation of privacy versus the public need to obtain the information. 

For example, a court may analyze an individual’s handwriting for national security reasons. Because the public concern for national security is very high, a court may conclude that it is necessary to review an individual’s handwriting in order to preserve national security.

How are Biometrics Privacy Violations Remedied?

As noted above, there is not a large body of law regarding biometrics and, in many cases, the traditional privacy analysis will be used. There are, however, some state laws which may apply.

The California Labor Code section 1051 prohibits a California employer from obtaining a photograph or fingerprint from an employee and then sharing this information to a third party. A violation of this Code section is a misdemeanor. Therefore, pursuant to this section, an employer may use biometric information in the workplace but the employer is prohibited from sharing this information with an outside third party.

In addition, the previously discussed CCPA provides a consumer with a private right of action that applies in a limited set of circumstances. A consumer may pursue an individual or class action litigation if their personal data is impacted by a data breach and the breaching entity violated its duty to maintain reasonable security measures.

A consumer may be able to recover between $100 and $750 in statutory damages per incident of privacy violation. For other violations that are not included in these limited sets of circumstances, the power of enforcement rests with the California Attorney General. In these cases, a business may be liable for civil penalties of $2,500 for each violation and $7,500 for each intentional violation.

Are There any Defenses Available in California for Biometrics Privacy Violations?

Although these laws are still evolving, there are some defenses which may be available to an accusation of privacy violations. These may include:

  • There was no intent to invade the individual’s privacy;
  • The individual had no expectation of privacy; and
  • The individual gave consent.

Should I Hire a Lawyer for Help with Biometric Privacy Laws? 

Yes, it is essential to have the assistance of an immigration attorney or an California employment lawyer for any biometrics privacy issues you may be facing. The type of attorney you should consult with will depend on the circumstances of the situation in which the biometric technology was used.

It is important to consult with your attorney as soon as possible following the violation of your rights. Your attorney can review your situation, advise you regarding the options available under privacy laws, and represent you if a lawsuit becomes necessary.

If you are an employer who wishes to use biometric technology at your workplace, an attorney can help ensure its use complies with the law. These laws are evolving as the use of biometric technology evolves, so it is important to consult with your attorney regularly to ensure your business is in compliance with current laws.