Could Wellness Programs Be Making Your Company “Sick?” The Potential Perils of Collecting Biometric Data About Employees

Wearable devices that track and record personal biometric data are hardly new to the technology scene. In addition to the now-commonplace electronic pedometers and heart rate monitors, there are portable and wearable devices that, quite literally, do everything – from administering medical tests, like electrocardiograms, to analyzing the quality of one’s sleep based on user input. Never before, however, have employers had such ready access to this personal information about employees. It is this access – and the employer’s use of the gathered data – that can pose a legal trap for the unwary employer.

Collection of biometric data in the workplace through wearable devices or screenings can occur for a variety of proper reasons. For example, employers may require such data for security verification purposes or as a means of authenticating employee accounts or files. One increasingly prevalent practice is for employers to offer insurance premium discounts, bonuses, or other incentives to employees who undergo a biometric screening to raise health consciousness or to employees who achieve a certain activity level, as measured by a wearable electronic pedometer or fitness tracker. Such programs give employers unprecedented access to a wealth of biometric data about employees (like activity levels, nutritional habits, and certain physical characteristics).

On its face, there is nothing improper about an employee consenting to participate in these types of incentive programs. However, if an employer considers or uses the collected data in any way when making employment decisions, it may unwittingly open itself up to claims of disability or other discrimination. Further, the company’s possession of such information certainly increases its privacy and data security challenges.

Adding to the potential hazards of these initiatives is the dearth of legal authority on the issue of how to collect and manage biometric data. There is no federal law or guidance on the issue; only two states, Illinois and Texas, have enacted statutes that even define specifically what constitutes biometric data; and only a few additional states, Alaska, California, New York and Washington, have proposed legislation on the issue.

So, what’s an employer to do?

Here are some rules of thumb – based in part on the key provisions of the Illinois and Texas laws – that an employer in possession of its employees’ biometric data would be well advised to apply:

Always provide employees with written notice of biometric data collection and storage, and explain the reason for the collection and the length of time the data will be stored;
Require employees to give written consent to the data collection;
Protect the collected biometric information from disclosure unless the employee gives prior written consent to disclosure or the disclosure is required or permitted under state or federal statute, or in response to a warrant from law enforcement or a valid subpoena, or to complete a financial transaction requested by the employee;
Protect stored biometric data in a manner that is at least as protective as the means used to protect other confidential information;
As with health information in general, separate biometric data from other employee records, and ensure that company access to such data is limited to those with a legitimate need-to-know;
Never sell, lease, trade, or otherwise profit from the collected data;
Maintain and make publically available a written retention policy that requires permanent destruction of the data by the earlier of the date when “the initial purpose for collecting or obtaining” the data has been “satisfied” or three years after the employee’s last contact with the organization; and
Keep abreast of cases that address the appropriate use of biometric data and its collection and handling. For example, this relatively recent case addressed whether requiring biometric screenings as part of a wellness plan violated the Americans with Disabilities Act.

Disclaimer

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.

Partner

[email protected]

New York 212.338.3417

Related Insights

View All Posts

24 April 2024 Health Care Law Today

FDA Continues to Take Stance That it Will Not Issue CBD Rules

The FDA recently doubled down on its January 26, 2023 position that existing regulatory pathways for foods and dietary supplements are not appropriate to manage the risks of CBD and a new regulatory pathway is needed.

24 April 2024 Energy Current

U.S. EPA Finalizes Designation of Two PFAS Chemicals as Hazardous Substances Under CERCLA

On April 19, the U.S. Environmental Protection Agency released its long-awaited final rule designating perfluorooctanoic acid and perfluorooctanesulfonic acid, including their salts and structural isomers, as “hazardous substances” under Section 102(a) of the Comprehensive Environmental Response, Compensation, and Liability Act.

24 April 2024 Foley Career Perspectives

Washington, D.C. Office Managing Partner David Sanders Offers Insights for Aspiring General Counsel

Foley’s clients entrust our firm to look beyond the law to deliver holistic business solutions for their most challenging problems.

Could Wellness Programs Be Making Your Company “Sick?” The Potential Perils of Collecting Biometric Data About Employees

Author(s)

Anne B. Sekel

Related Insights

FDA Continues to Take Stance That it Will Not Issue CBD Rules

U.S. EPA Finalizes Designation of Two PFAS Chemicals as Hazardous Substances Under CERCLA

Washington, D.C. Office Managing Partner David Sanders Offers Insights for Aspiring General Counsel