Tips for Using Fingerprint Biometrics Effectively and Safely

Bloomberg Law

Companies using fingerprint biometrics in the workplace need to take several actionable steps to effectively leverage the technology in a manner that minimizes security risks and complies with the law. Blank Rome LLP attorneys walk through five steps to address privacy, notice, consent, security, and vendor management.

Fingerprint biometrics have generated a myriad of benefits for businesses across all sectors, but this popular form of biometrics carries sizeable security risks and challenges, which have prompted legislators to respond by attempting to impose stringent requirements and limitations on its use.

Consequently, companies utilizing fingerprint biometrics must ensure they minimize the risks posed by this technology. Fortunately, there are several actionable steps companies can take to effectively leverage biometric fingerprint technology in a manner that both minimizes security risks and complies with the law.

Privacy Policy

As a starting point, companies should ensure they are being transparent with their fingerprint biometric data activities by implementing a detailed fingerprint biometrics-specific privacy policy.

Privacy policies should encompass the following issues:

  1. notice that fingerprint template data is being collected and/or stored;
  2. the current and reasonably foreseeable purposes for which the company utilizes fingerprint template data;
  3. how fingerprint template data will be used;
  4. a description of the protective measures used to safeguard fingerprint template data; and
  5. the company’s fingerprint template data retention and destruction policies and practices.

These policies should also strictly prohibit the disclosure of any individual’s fingerprint template data without their consent and should ban the company and its employees from selling or otherwise profiting from any such data.

This privacy policy should be made publicly available, which, at a minimum, should entail inclusion in the entity’s broader online privacy policy. Companies should also update their policies whenever any material modifications are made to their fingerprint template data management practices.

Notice

Second, to further support transparency, companies should provide conspicuous, advance notice of the use of biometric fingerprint technology before any fingerprint template data is captured, used, or stored.

In so doing, companies should offer consumers meaningful notice regarding how fingerprint digital templates are created, and how such data will be used, shared, and stored by the company. Where appropriate, or required by law, contextual and just-in-time notices may be necessary.

Written Consent/Release

Third, where feasible, companies should obtain signed, written consent—in the form of a written release—from consumers or employees authorizing the company to collect, use, and store their fingerprint template data prior to the time any such data is captured or used for any purpose.

In signing the written consent, the individual should acknowledge he/she has read the company’s fingerprint biometrics privacy policy, as well as the more specific, written notice provided regarding the company’s capture and use of fingerprint template data.

This consent should also make clear the individual consents to those policies and guidelines, as well as to the capture and use of their fingerprint template data, including the company’s ability to share such data with any service providers or third-party vendors.

For employers using biometric timeclocks, if permitted by state law, consideration should be given to whether the employer should require new employees to sign a written consent as a condition of employment. If so, obtaining new employees’ written consent can be done during the onboarding process. Similarly, employers should also consider whether to require current workers to sign a written consent as a condition of continuing employment.

Also, companies should ensure they maintain a detailed written record of how and when consent was acquired so they can affirmatively demonstrate compliance with applicable laws in the event their fingerprint biometrics practices are tested in court.

Data Security Measures

Fourth, companies must ensure they implement effective data security safeguards to protect all data captured, used, and stored through fingerprint biometric technology from improper disclosure, access, or acquisition.

Companies should ensure they safeguard fingerprint template data:

  1. using the reasonable standard of care applicable to their given industry; and
  2. in a manner that is the same or more protective than that in which the company stores, transmits, and protects other forms of sensitive personal information.

In terms of data security measures themselves, all fingerprint templates should be stored separately from other personal information such as names, birth dates, and account numbers. All stored fingerprint template data should also be encrypted, both in transit and while at rest. And companies should establish and implement appropriate retention and disposal practices.

Finally, companies should also complete any updates or modifications to their security programs to ensure their data protection measures remain effective against new or evolving threats and vulnerabilities.

Vendor Management

Finally, as most fingerprint biometric systems require the use of third-party vendors to supply the technology to process fingerprint biometrics, companies must also effectively manage risk and minimize liability in connection with vendors and other service providers.

First, prior to entering into an agreement with any vendor that will have access to biometric fingerprint data, companies must complete the necessary due diligence and vetting of all potential vendors to ensure their security measures are sufficiently robust.

In addition, companies should review and update their contracts with current vendors to take into consideration the principal issues raised by biometric data laws, including the addition of provisions mandating that vendors employ reasonable safety controls to properly protect fingerprint template data, delete such data when required (or requested by the company), and provide prompt notice in the event of a data breach.

The Final Word

Fingerprint biometrics is having an increasingly significant impact on many facets of our daily lives. But this technology is not without its limitations and drawbacks. At the same time, several states are currently in the process of enacting new biometric laws, many of which are modeled heavily after Illinois’s stringent biometric statute.

As such, companies using fingerprint biometric technology should consider taking proactive steps to strategically enhance their biometric privacy compliance programs while building in the necessary degree of flexibility to allow for adaptability to the foreseeable challenges associated with biometric privacy.

“Tips for Using Fingerprint Biometrics Effectively and Safely,” by Jeffrey N. Rosenthal and David J. Oberly was published in Bloomberg Law on June 5, 2020.