After Illinois passed the Biometric Information Privacy Act in 2008, Texas was the second state to pass a biometric privacy law in 2009.
Just recently, Washington has also passed a biometric law.
Additionally, New York State law has restrictions regarding the use of biometric information.
The purpose of this article is to provide guidance for employers to understand and stay compliant with the Texas Biometric Privacy Law, but this article does not include legal advice.
Background Behind Biometric Privacy Laws
In 2007, Pay By Touch first introduced biometric technology and a promise to change the world of payments. Customers linked their credit cards, bank accounts, rewards programs and other information to their fingerprint.
Customers could pay with their fingerprint, instead of by swiping a card. Millions of customers signed up. Unfortunately in 2008, the company closed after it was entangled in litigation.
Since then, biometric technology has advanced and now includes dozens of ways that technology can identify individuals. It includes identification through fingerprints, voice prints, face scanning, iris scanning and many other individual identifiers.
Biometric technology is often used for timekeeping, security, and convenience.
In addition to expanding the way the way we see biometric information Pay By Touch was also the catalyst for the first state law governing how biometric information is collected, stored, and protected.
Biometric Uses Across Industries
As biometric technology advances, more industries are starting to use biometric software. Employers often use biometric time clocks to ensure that the correct employee clocks in and is at the physical location required.
Buddy punching, a common wage theft problem, is when coworkers clock in for an employee who is not at work. The American Payroll Association estimates that 75% of all businesses lose money to buddy punching.
Another use for biometrics in business is found in security. Financial institutions have started using iris scans or fingerprints to secure areas. These security systems are more secure than those secured through a password, which can be guessed or stolen. Some safety deposit vaults and ATMs already use hand geometry or fingerprints to allow access and to prevent fraud in monetary transactions.
Healthcare is rapidly expanding the use of biometric information.
In Florida, one hospital already secures its electronic health care data by fingerprint. Physicians often lend their passwords to secretaries and other support staff and biometric data secures the information to those actually authorized to access it.
Also in Florida, a child’s health care project is using iris scanning technology to identify a child. Physicians can access the network and properly identify a child and their medical records, even if the child can’t communicate.
In Europe airports and schools have started using biometric data to identify travelers and students.
This can reduce passengers waiting in long lines through security. In schools, it can track and limit student access to buildings, track meals eaten, and even track library book checkouts.
However, new laws continue to create protection and security around the use of biometric information.
Texas Biometric Privacy Act
Texas law applies only to biometric identifiers and defines those as specifically a retina or iris scan, fingerprint, voiceprint, the record of a hand or face geometry. It is important to note that it specifically includes the records of the specific biometric data and does not include the analysis of biometric indicators.
- Retina or Iris scan
- Hand geometry record
- Face geometry record
In other words, employers who use biometric time clocks that collect only information based on an analysis of the biometric indicators, such as the distance between points on a fingerprint.
Technology such as SwipeClock’s biometric timekeeping clocks store only an analysis of the biometric indicators, instead of the actual indicators or fingerprints and does not fall under the law.
Texas law also only applies to companies who “capture” biometric identifiers for “commercial purposes”. Unfortunately, the law does not define what it considers commercial purposes.
Compliance When Biometric Identifiers are used for a Commercial Purpose
There are several restrictions on the use of biometric identifiers for commercial purposes. The law is silent as to whether or not non-profit organizations or government agencies fall within the scope of commercial purposes.
Businesses who do use biometric identifiers for commercial purpose must follow several important procedures or risk non-compliance.
If a business is going to sell, lease, or disclose the biometric information to another, they must have inform the person before capturing the biometric information and must obtain consent from that person to capture their biometric information.
When biometric information is captured for commercial purposes it cannot be sold, leased, or disclosed to another person unless one of several scenarios occur:
First the individual must consent to the disclosure for identification reasons in the event of the individual’s disappearance or death.
Second, the disclosure must complete a financial transaction that the individual authorized or requested.
Third, the disclosure must be required or permitted by a federal or a state statute.
Fourth, the disclosure is made to law enforcement for a law enforcement purpose in response to a warrant.
Storage and Retention of Biometric Data
Biometric data stored for commercial purposes must be stored, transmitted and protected from disclosure with at least the same care and manner that other confidential information is also protected.
That means that businesses who have other secure information must provide the same level of security for any biometric information that they have.
Lastly, biometric data must only be retained while it is needed. Once it is reasonable, biometric data must be destroyed. No more time than one year can pass from the time that the biometric identifies expire before it is destroyed.
The only exception is when the law requires a longer period for biometric identifiers to be kept.
Employers must destroy biometric data upon the termination of employment with employees.
Penalties for Violation of Texas Biometric Privacy Law
The law allows for civil penalties of up to $25,000x, but only the attorney general can bring action against companies for biometric privacy violations.
Let SwipeClock Help
Businesses who have employees in Texas can utilize SwipeClock biometric time clocks. That’s because our technology stores a computer hash of a fingerprint. This information is enough to identify specific points on a fingerprint, but a fingerprint cannot be recreated from the information.
As a result, SwipeClock’s timekeeping biometric technology does not fall under Texas law because it does not store the actual fingerprint of the employee.
These employers can eliminate buddy punching while still staying compliant with local and federal employment laws. .
These businesses have to also comply with Federal Overtime Laws, the Family Medical Leave Act and any other national or local laws that are enacted. SwipeClock provides a comprehensive array of workforce management and time tracking tools that can help businesses to more easily stay in compliance with local and national laws.
Records are effortlessly kept for years and accrual is automatically tracked and reported to employees according the state and city laws. Additionally, with geo-timekeeping clocks, businesses can effortlessly track time worked in specific cities to ensure compliance.
Written by Annemaria Duran. Last updated on Jan 1, 2018.