What You Need to Know
Employers have very limited authority to collect, capture, purchase or otherwise obtain biometric identifiers and biometric information about employees and applicants. Biometric identifiers include retina or iris scans, fingerprints, voiceprints and hand or facial geometry scans. Biometric information is defined as any information that is used to identify an individual based on a biometric identifier.
An employer may obtain biometric identifiers or information only if it first:
- Develops, and makes available to the public, a written policy establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information; and
- Provides written notification to and obtains written consent from any individual who may be the subject of the biometric identifiers or information.
An employer’s written notification must:
- Indicate that a biometric identifier or biometric information is being collected or stored; and
- Set forth the specific purpose and length of time for which the biometric identifier or biometric information is being collected, stored and used.
After obtaining a person’s biometric identifier or biometric information, the employer must store, transmit and protect it in a manner that is the same as or more protective as the manner in which the employer protects other confidential and sensitive information. The employer must also destroy any biometric identifiers or information either as soon as the initial purpose for obtaining them is satisfied or within three years after the individual’s last interaction with the employer, whichever occurs first.