Legal Tips with Richard Sheinis: Using Employee and Guest Biometric Data
By Richard Sheinis | October 13, 2023
Applications or platforms using guest biometric data have made significant advancements in the hospitality industry during the last several years. Some of these platforms include rapid check-in by facial recognition, room access by fingerprint or facial scanning, quick payments for food or beverage, spa treatments and other hotel purchases, or personalizing the guest experience. Biometrics can also be used for employee management such as tracking when employees clock-in and out.
While biometrics may drive guest satisfaction and increased revenue, they frequently get special treatment under privacy laws, necessitating a cautious approach before using these applications. (In this situation, special treatment is not a good thing!) Illinois, Texas, and Washington have specific biometric privacy laws. California, Colorado, Connecticut, Virginia, and Utah have recently passed comprehensive privacy laws, which require extra security or other obligations for biometrics. Some states have laws regarding the use of biometrics in the employment context. Even though there is not a federal law regulating the use of biometric information, the FTC has issued a formal warning about biometric data collection and the data privacy concerns that are implicated with such use.
One of the reasons biometrics gets special treatment is their immutable character. If a password gets compromised, it can be changed. A fingerprint or retina cannot be changed. Since biometrics are actually part of a person, they are viewed more personal than your typical personal data such as a name, address, or credit card number.
The Illinois Biometric Information Privacy Act (BIPA) was the first of the state biometric privacy laws. It defines biometrics as the measurement and statistical analysis of an individual’s physical or behavioral characteristics. These characteristics include DNA, fingerprints, face, hand, retina, and even our odor, voice, and gait. BIPA requires obtaining the subject’s informed consent prior to collection and has increased security and retention requirements.
Some laws, such as the California Privacy Rights Act (CPRA), require that a business provide an opt-out mechanism for a consumer to limit the use or disclosure of their biometric information. The Virginia Consumer Data Protection Act (VCDPA) does not include facial recognition or voice recordings as biometric data. However, it requires consumer consent prior to processing biometric data. Consent is defined as “a clear affirmative act signifying a consumer has freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer.” This level of consent can be a high bar to meet.
The Colorado Privacy Act (CPA) does not define biometric data. However, its requirement for consent is more strict than other privacy laws. Under the CPA, consent means “a clear, affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement, such as by a written statement, including by electronic means, or other clear, affirmative action by which the consumer signifies agreement to the processing of personal data.” The CPA also specifically tells us that acceptance of general or broad terms, hovering over, muting, pausing, on a given piece of content, or an agreement obtained through dark patterns, does not constitute consent.
While these laws are similar in that the collection and processing of biometric data has heightened levels of compliance, the specific treatment of biometric data can differ from state to state. Biometrics can be a useful tool in the hospitality industry and is likely to be more so as more applications leveraging biometric data become available. While biometric privacy laws might present certain hurdles, these hurdles can be overcome by evaluation and consideration of the applicable statutory and regulatory requirements so you can take advantage of the opportunities presented by this technology.
