
From Fingerprints to Facial Recognition: Employer Responsibilities for Biometric Data Management


Article

Companies’ use of their customers’ biometric data has been increasing for a couple of decades. Numerous state and federal laws regulate how consumer biometric data can be stored and used and require notices to consumers about these actions.

“Biometric data” is defined differently from state to state, but generally includes employee fingerprints, voice prints, retinal scans, facial geometry, and other “data generated by the technological processing, measurement, or analysis of a consumer’s biological, physical, or behavioral characteristics, which data can be processed for the purpose of uniquely identifying an individual.” Depending on the jurisdiction, biometric data may also be generated by employee tracking software, employee vehicle tracking, or timeclock systems that use facial recognition or fingerprints to clock workers in and out. Essentially, if an employer collects information about employees in order to identify them or verify their identity, that information may be treated as “biometric data.”

Additionally, some states use a broad definition of “employer” that covers public, private, and not-for-profit employers alike, including those with just one part-time or remote worker in the state. “Employees” may also be broadly defined to include not just full- and part-time employees, but also interns, on-call workers, and job applicants.

Given these complex and varying definitions, applying biometric privacy laws to the employment relationship can be complicated. While Illinois is famous (or infamous) for the large number of biometric privacy lawsuits, class actions, and sizable verdicts under its statute, most other states have remained relatively quiet on consumer and employee biometric privacy. That quiet is slowly ending, and employers that do not already have employee biometric data privacy policies and procedures should begin adopting them. A growing patchwork of state laws addresses employee biometric data privacy and requires employers to act now to notify employees and protect their information.

For example, Colorado recently amended the Colorado Privacy Act to regulate employer use of employee biometric data. Beginning July 1, 2025, employers of any Colorado-based employees must obtain consent before collecting and using biometric information and must adopt a written biometric policy. Colorado employers may require employees to agree to the use of a biometric identifier as a condition of employment only for a limited set of purposes, namely specific safety and security purposes and timeclock records. The amendments carry no private right of action today, but one may be added in future years.

Overall, most states adopting biometric privacy laws for employers require several actions:

  1. Employers must provide notice to employees of the collection of biometric data, such as facial recognition, fingerprint scans, and voice recognition. A typical notice tells the employee exactly what biometric data is or may be collected, the purpose of the collection, how long the employer retains the data, and the terms under which the data may be shared with third parties (e.g., payroll service providers). Even where an employer collects footage for reasons other than employee monitoring (for example, a store using video surveillance to combat shoplifting), some state or local jurisdictions regulate video surveillance and security camera footage, and employers are advised to post notices and inform employees that video surveillance and security cameras are in use on site.
  2. Employers may be required not only to notify employees but also to obtain each employee’s individual consent before collecting biometric data. Signed employee consents should be kept in personnel files in accordance with applicable state laws and the employer’s record-keeping practices.
  3. Employers may be required to adopt policies and practices that protect collected and stored employee biometric data against theft, sale, or trade, and against misuse by insiders or outside attackers. Such policies may be required to limit how long employee biometric data is retained, or to prescribe how it is stored.
  4. Employer biometric privacy plans often must include a response plan for data breaches, including theft or misuse. A retention policy may be part of this plan, requiring deletion of employee biometric data after a short fixed period. Some employee biometric data is used for worksite access or timeclock systems, however, and cannot be deleted without cutting off the employee’s access; in that case retention may instead run until, for example, 30 days after the employee’s employment ends for any reason.
  5. Employers are often required to post notices regarding collection and use of employee biometric data. For example, if an employer records video surveillance inside a worksite or in employee areas, it may be required to post notices in every area where video surveillance is in use. Employers also must refrain from using video surveillance in certain areas, such as restrooms. Even without a state or local mandate, notifying employees and guests/customers that video surveillance is in use is a best practice.

Employers should also take heed that some biometric laws apply to job applicants. For example, Maryland prohibits prospective employers from using facial recognition during a job interview without a signed waiver, and New York prohibits prospective employers from fingerprinting job applicants unless an exception applies.

Additionally, some cities have passed biometric ordinances. Although some of these ordinances are aimed at consumers, they affect employers as well. For example, the City of Portland’s ban on facial recognition technologies in places of public accommodation will necessarily affect some Portland employers and their employees.

Key Employer Takeaways

  1. Employers should determine whether and how any employee biometric data is being collected and stored. Even routine activities, such as worksite video surveillance and retention of the footage, may be treated as collection of “employee biometric data.”
  2. Employers with employees in multiple states (or countries), including part-time remote workers, should review the biometric privacy laws of each jurisdiction where an employee is even partially or occasionally located to determine whether any of them apply to the employee and employer.
  3. Regardless of whether state or local laws apply, employers may adopt the best practice of notifying employees of any biometric data that is collected or stored and obtaining the employee’s signed written consent for that collection and storage. Employers should be cautious about making such consent a condition of employment.
  4. Employers should review their general data privacy and retention policies to ensure all applicable federal, state, and local laws are followed, whether those laws apply only to consumers or also to employees. Consult counsel to confirm compliance with privacy and data protection laws in every applicable jurisdiction.

The legal issues affecting this topic are, and will continue to be, ever-changing (Employment Law in Motion!), and since publication of this blog post, new or additional information not referenced here may have become available.

This article is provided for informational purposes only—it does not constitute legal advice and does not create an attorney-client relationship between the firm and the reader. Readers should consult legal counsel before taking action relating to the subject matter of this article.
