Under biometric regulations, companies must advise individuals that they are collecting the information, indicate the length of time the information will be kept and its purpose, and obtain individuals’ written consent to collect the information. The latter is “what has tripped up many companies” that have been found liable, Mr. Chesler said.
“It’s really important, especially from a risk management perspective,” for companies to obtain customers’ and employees’ informed consent, said MaryRose Cusimano-Reaston, president and CEO of Carlsbad, California-based Emerge Diagnostics Inc.
She recommended companies involve both information security and privacy personnel in this issue.
Mr. Chesler pointed to the 2019 ruling by the Illinois Supreme Court in Rosenbach v. Six Flags. He said the key holding in that biometric case was that individuals need not allege injury or an adverse effect to successfully assert a violation of the act, which provides for statutory damages of $1,000 per violation, or $5,000 if the violation is intentional or reckless.
Biometric issues can involve coverage under general liability, cyber, employment practices liability, and directors and officers policies, he said.
Ms. Cusimano-Reaston discussed how collecting employee biometric data as part of health and safety programs can raise privacy issues, as well as create potential issues under the Americans with Disabilities Act.
She also warned that companies should be sure they are compliant with regulations not only with respect to their own employees but also with respect to their customers and vendors.
There is a “constant back and forth” between companies that want information and customers guarding their privacy, Mr. Chesler said. “We’re going to live with this (issue) for a long time.”