Biometrics in the workplace gives a plethora of security and efficiency benefits, ranging from face recognition to thumbprints and retina scans. If policies aren’t in place to protect employees, there might be serious consequences. Employers such as those in Hospitality Businesses in the Middle East must become aware of biometric privacy statutes, consumer privacy acts, and data breach notification regulations to avoid penalties.
Illinois, Texas, and Washington are the only states that have passed biometric privacy legislation right now. The Illinois Biometric Information Privacy Act will serve as the benchmark against which all other biometric privacy legislation will be measured.
The BIPA is the only legislation of its kind that allows plaintiffs to recover $1,000 per violation in private enforcement actions. If the infraction is determined willful or reckless, the fine can be doubled to $5,000, with legal expenses. The section of that calculation that says “plus legal costs” is probably the scariest. In connection with the settlement of a BIPA suit, Facebook has been asked for $110 million in attorney fees.
Furthermore, claimants can claim technical infringement of the BIPA without establishing actual harm. Moreover, the Illinois Workers’ Compensation Act does not apply to injuries under the BIPA.
A private entity’s capacity to “collect, capture, purchase, receive through trade, or otherwise access a person’s or a customer’s biometric identification or biometric information” is prohibited under the BIPA in general.
Face and voice recognition, handprints, fingerprints, iris, and retina scans, and other biometric identifiers are all examples of biometric identifiers. Any biometric information derived from biometric identifiers and used to identify a person is also covered by the BIPA. This data is typically gathered for identification purposes and/or verification, such as precise timekeeping, signing on to employer devices, operating machinery, and gaining entry to a facility in the workplace like the Best Resorts in Dubai.
Increased protection for biometric information is justified, according to the Illinois legislature, because once this type of information has been hacked, it can’t be changed without major cosmetic surgery.
Collections for Business
Texas and Washington have similar legislation, however, they only apply to the commercial collection of biometric identifiers, unlike the BIPA. The Texas Act does not define the commercial purpose, but it can be interpreted to cover the process of recruiting and compensating employees, as well as offering employees with secure access to business systems for the purposes of running an international hospitality and service management company.
Commercial purpose is defined considerably more narrowly in Washington law, and only applicable when biometric data are gathered to sell or disclose them to a third party for the marketing of services or goods irrelevant to the transaction in which they were acquired.
It is also prohibited to collect for security or law enforcement purposes. As a result, the accumulation of biometric information in the ordinary course of employment in hospitality service management will not elicit the application of Washington’s biometric data statute.
Another significant distinction between the Texas and Washington legislation and the BIPA is that the former can only be executed by the state attorney general. If infractions are discovered, the penalties can be severe, with fines of up to $25,000 in Texas and up to $500,000 in Washington.
Privacy and data protection rules are also important. Because it protects all California citizens, the California Consumer Privacy Act has gotten a lot of attention including employees since its implementation. Biometric identifiers are included in the CCPA’s broad definition of personal information. Even though CCPA revisions have delayed the introduction of certain CCPA rules for employers until January 1, 2023, the amendments do not allow exemptions for all CCPA obligations.
Employers like Story Hospitality, a Hospitality and Hotel Management company, for example, must notify employees about the types of personal information gathered and why it is being collected, as well as maintain appropriate security standards. An employee may have the right to sue his or her employer if proper security is not maintained and the information becomes the subject of a data breach. California’s data breach reporting regulations were further expanded to include biometric information in 2019.
Everything You Should Know
Local rules and regulations must also be understood by employers in hospitality and tourism operations management. The use of face recognition technology by private organizations in places of public accommodation, such as hotels and restaurants, was outlawed by the city of Portland on Jan. 1. Other jurisdictions have similar rules, although they only apply to government employees.
The Portland ordinance, like the BIPA, allows for a private right of action if a plaintiff is harmed by a material violation, with damages of $1,000 per day of violation and attorney fees as potential damages. Facial recognition technology used for verification purposes by “an individual to access the individual’s own personal or employer-issued communication and electronic devices” is exempt from the Portland ordinance. There is uncertainty, however, as to whether a time clock that scans employees’ faces for the purpose of timekeeping can be considered an exception.
The enactment of unified federal legislation would be useful due to the patchwork of laws and enforcement methods. The National Biometric Information Privacy Act of 2020, which was comparable to the BIPA, was introduced in Congress in August 2020. The bill did not obtain a vote, however, that could change with the new administration. Even if a federal law is passed, there are likely to be more disagreements about whether it supersedes state-level safeguards.