A Spiceworks survey shows that 62% of organizations currently use biometric authentication technology in the workplace and that an additional 24% plan to implement biometric technology within the next two years.

Employees are quick to ditch memorizing long passwords, and HR is on board to implement biometric technology to accomplish a wide range of workplace objectives, specifically validating employee time and labor reporting and overcoming everyday people problems such as buddy punching.


Biometrics are unique physical characteristics that can be used to digitally identify an individual. Common biometric identifiers include face geometry, iris patterns, fingerprints, and voiceprints, captured by facial recognition, iris recognition, fingerprint scanning, or voice recognition systems. Unlike a password, a biometric identifier cannot be changed or reissued if it is compromised, so its collection and storage carry a lasting risk for the individual.

Organizations may adopt biometric technology in the workplace as a more secure and convenient method for employees to access business applications that contain sensitive data, such as time and labor reporting systems.


In the past few years, there has been a significant amount of attention and a surge in class-action lawsuits surrounding the collection, usage, and storage of biometric data.

As of today, Illinois, Texas, and Washington are the only three states with biometric privacy laws in place. California's California Consumer Privacy Act (CCPA), which takes effect on January 1, 2020, will also treat biometric information as a category of personal information.


Illinois’ Biometric Information Privacy Act (BIPA) was the first biometric privacy law and has been in effect since October 2008. Under BIPA, an organization that collects biometric information must inform the individual in writing that biometric data is being collected and stored, state the specific purpose of the collection and the length of time the data will be collected, stored, and used, and make a written retention schedule and destruction policy publicly available. Organizations must also obtain a written release from each individual before collecting any biometric data.

In addition to these requirements, BIPA includes a private right of action for any individual “aggrieved by a violation of this Act”. Because BIPA does not define what it means to be “aggrieved”, individuals may file suit for even a technical violation of the law, leaving it to the courts to decide what level of harm, if any, must be shown.

The Illinois Supreme Court’s unanimous 2019 decision in the widely followed case Rosenbach v. Six Flags Entertainment Corp. held that a person is “aggrieved” under the Act without alleging any actual injury beyond the statutory violation itself. That ruling will affect more than 200 pending cases.


Texas was the second state to pass a biometric privacy law, in 2009. The Texas Biometric Privacy Act applies only to biometric identifiers, defined as a retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry. Like the Illinois BIPA, the Texas Act governs how biometric data is collected, stored, used, and retained. It also regulates the use of biometric identifiers for a commercial purpose, but does not define what counts as a commercial purpose, leaving that question to litigation and the courts.

The Texas Biometric Privacy Act does not provide a private right of action and only the state attorney general may file suit.


Washington’s Biometric Privacy Law (H.B. 1493) took effect on July 23, 2017. Like other state biometric privacy laws, the Washington Biometric Privacy Law outlines the protocol for the collection, storage, usage, and retention of biometric data.

The Washington law does not create a private right of action; only the state attorney general may file suit. Unlike the Illinois and Texas statutes, the Washington law exempts the collection, capture, enrollment, or storage of biometric identifiers done in furtherance of a security purpose from its notice and consent requirements. Employers should not assume that timekeeping or attendance use falls within that exemption without legal review.

In 2019, Arizona, Florida, Massachusetts, and New York proposed legislation surrounding the privacy of biometric data, but all failed to pass.


Although biometric data offers a more secure and convenient way to validate employees, it’s important to remain cautious when adopting any new technology. Here are a few tips for what HR can do to mitigate the risks surrounding the use of biometrics:

Educate yourself and employees on biometric data laws.
There is no federal law that regulates the collection, usage, storage, and retention of biometric data. However, three states (Illinois, Texas, and Washington) currently have biometric privacy laws in effect.

With today’s agile and remote workforce, the likelihood that your organization has an employee residing in a state with a biometric privacy law is high. HR departments will have to stay current on both the state laws in effect and proposed legislation to keep the organization in compliance.

Set up and maintain company-specific data collection, disclosure, retention, and storage policies.
If your organization is capturing biometric data, chances are it is doing so through third-party technology. That provider most likely has its own biometric privacy policies, but it is important that your organization also has its own written policies for data collection, disclosure, retention, and storage, and that the contract with the provider obligates it to follow them, including the retention schedule and deletion of data when an employee leaves.

Obtain employee consent.
Even if you do not have locations or employees in a state with a biometric privacy law, it never hurts to err on the side of caution and require employees to sign a written consent form before any biometric data is collected.

These forms can be saved in the employee’s record so they can be referenced in any legal dispute or when new legislation takes effect. Another good practice is to make your biometric privacy policy, and the laws it implements, easily accessible for all employees to review at any time.

Software updates
Attackers target stores of sensitive personal data, and biometric data is especially attractive because a compromised fingerprint or face cannot be reset the way a password can. In addition to following your organization’s standard security procedures, pay close attention to security updates for any software that stores or processes biometric data, including the time and attendance devices themselves.

Keeping that software patched closes known vulnerabilities before they can be exploited and lets you take advantage of new features. HR should work closely with the IT and security teams to stay aligned on best practices for protecting this data.  

Biometric technology will continue to deliver significant value to many workforce operations. Consult with your legal team, review third party technology provider policies, and work closely with your IT department to protect your people and organization.