Biometrics & Privacy; Understanding The Law

The US has some of the strictest privacy laws. Organisations that breach them do so at their peril – often at great cost.

Paul Smith

Head of Quality & Compliance

When it comes to privacy laws, the US is known for its stringent regulations. Data and privacy laws differ on both sides of the Atlantic, but that’s not to say businesses in the UK can’t learn a thing or two from their American neighbours.

Recently, two US-based companies fell foul of the strict laws that govern the states they occupy (laws vary from state to state, with California having the toughest). While these breaches and the resultant penalties won’t directly relate to organisations based here in the UK, it’s helpful to see just how data breaches arise, what tolerance there is and just how painful the outcome can be.

Our company, GT Clocks, predominantly operates within the US, so understanding the laws – and what is at stake if they’re broken – is very much in our wheelhouse.

A bad taste for US food chain White Castle

When personal data is collected by a business, the general consensus is that it needs to be for reasonable and legitimate reasons. But it’s not always as straightforward as that, as one Illinois food outlet chain discovered. Illinois has some of the strongest privacy laws in the country and is the only state which allows people to sue organisations for the improper collection of biometric data. Only Texas, Washington State and New York City also have biometric-specific laws – but not with the same reach.

White Castle, a burger chain, had been using finger scans to track employee clock-in and clock-out times. Biometric measures, like finger scans or facial recognition software, provide incontrovertible evidence when monitoring all aspects of access control.


However, White Castle fell foul of the Illinois Supreme Court in February 2023. The court ruled that every time an individual’s biometric data was collected, the Biometric Information Privacy Act (BIPA) was violated. The burger chain is looking at a penalty of up to $17bn in potential damages.

The implications for other businesses are worrying. So, what happens from here? The high court indicated that the Illinois General Assembly should consider the issue and explore changes to the system.

White Castle follows several high-profile cases relating to facial recognition in Illinois in 2022. These include Samsara Inc, which developed a dashboard camera to extract biometric images of drivers’ faces to monitor them for potential fatigue and distractions. The Illinois courts also had to consider class actions against several higher education institutions and a software company, Respondus, which used webcams to capture students’ biometric data.


The White Castle case will impact other organisations using biometrics in Illinois. Mindful of potential far-reaching repercussions, several business groups filed ‘friends of the court’ briefs supporting White Castle – which maintains that employees need only be asked once for permission to collect biometric data, rather than every time. Business groups, in conjunction with other professional bodies, want to see changes to BIPA, including:

  • Proof that genuine harm has been caused by the data collection before a fine is imposed
  • Reversing a recent court decision that determined every instance in one organisation or relating to one complainant be treated as a separate violation
  • The ability for businesses to address issues where there had been no harm under the premise of ‘notice and cure’

The group also argues that businesses should be allowed to use biometrics for a range of human resources-related functions.


It is highly unlikely that White Castle’s experience will be a one-off. Other businesses in Illinois will need to prepare themselves for possible litigation.

But the effect reaches further afield. Businesses outside Illinois that use biometric data may not have to face legal proceedings and potentially crippling fines, but they may face other problematic issues around trust – with employees, customers and visitors.

The collection of biometric data divides opinion. Some take a ‘can’t see what harm it does if you’ve done nothing wrong’ perspective, while others feel it violates individuals’ privacy.

Businesses must convince employees and others (customers, site visitors, etc.) that they are:

  • Collecting biometric data for appropriate and justified reasons
  • Collecting it responsibly and storing it securely
  • Retaining it only for an appropriate length of time
  • Complying with all state and federal regulations in the process

Getting it right – with expert advice and support

Thankfully, Grosvenor Technology and GT Clocks are industry leaders in human capital management (HCM) solutions in the UK, Europe and the US. It’s our dedication to continuous development that sees us stay ahead of the curve with advances that not only streamline processes but maintain stringent compliance.

In the US, when Personally Identifiable Information (PII) is collected by a business, it needs to be subject to robust encryption right from the get-go. Through GTConnect, we ensure that all ‘people data’ is secure from the moment it is collected right through to the time it is erased.

Every eventuality has been accounted for to provide complete compliance with legislation, so C-suites can put total trust in their systems.

And for those who are concerned about the use of facial recognition or other biometric measures, it’s important to highlight the benefits of such measures. With security so highly prized, tightly controlled access provides everyone with a greater sense of safety.

What people need to know is that only essential data is collected, that it remains secure and that it can be erased when requested. These steps, while sounding simple, require systems that can ensure the required level of compliance without adding significantly to the workload of administrators. That’s where Grosvenor Technology and GT Clocks, alongside GTConnect, offer seamless peace of mind.

Sharing Your Duty

Grosvenor Technology can alleviate some of the burdens of data management and security by providing solutions that strictly adhere to the relevant legislation in your locality. Our teams are well-versed in compliance and will recommend systems that ensure you don’t fall foul of eye-watering fines and lawsuits.

You can read more about how both Grosvenor Technology and our US counterpart GT Clocks handle data and global compliance regulations in this blog.