Employers testing their workers for COVID-19 should be wary of inadvertently also collecting biometric information in violation of state privacy laws.

Illinois’ Biometric Information Privacy Act, which was passed in 2008, is the most restrictive law on biometric privacy, but other states have passed similar laws and others are considering legislation or regulations, sources say.

While the laws create potential liabilities, the use of consent forms could mitigate the risk, they say.

Many experts point to a lawsuit against Amazon.com Inc., filed in state court in September, in which the online retailer was charged with violating BIPA by requiring workers at its Mundelein, Illinois, warehouse to have their facial geometry scanned by a facial recognition camera and their temperature taken before entering the facility. The case, Michael Jerinic v. Amazon.Com Inc. and Amazon Com LLC., was transferred to U.S. District Court in Chicago on Oct. 30.

The lawsuit, which seeks class-action status, charges that Amazon failed to inform workers that their biometric information was being collected and to obtain their consent, as required by the law.

“The key allegation there is that the employees are alleging they lost control or the right to control” their biometric information, said Ted Stefas, vice president and chief underwriting counsel at Argo Pro, a unit of Argo Group International Holdings Ltd.

Other states, including Texas, Washington, California and New York, have similar laws although the Illinois law, which gives individuals the private right of action to file litigation on the issue, may have the greatest breadth with respect to biometric information. Observers say the issue is on many other states’ agendas, too.

“All states are starting to think about the ramifications of employers collecting personal information on their employees,” and now that they are returning to work and employers are conducting health screening “it’s going to naturally butt up against these privacy concerns,” said Lauren Kim, Chicago-based senior vice president and technical leader of NFP Corp.’s financial institutions group.

“I absolutely believe this can be a potential risk for employers,” said Ruth Kochenderfer, Washington-based managing director and co-leader of Marsh LLC’s health care financial and professional lines practice.

The issue will likely lead to increased claims, Mr. Stefas said.

However, “to what extent these claims will have any credence is still unknown,” said Priya Gandhi-Abriano, New York-based senior claims technical specialist for QBE Insurance Group Ltd. “We have to wait and see what the courts will say,” she said.

Employers are installing scanners, but they may not be thinking about the potential privacy issues they may face, said Sonya Rosenberg, a partner with Neal Gerber Eisenberg LLP in Chicago.

“The critical issue for employers is to make sure that, when they’re doing COVID-19 screening, they are not getting into the collection or storage of biometric information,” said Carlos Arévalo, a partner with Smith Amundsen LLC in Crystal Lake, Illinois. 

The problem could be compounded with more sophisticated machines that potentially record more than temperature, such as face geometry, he said.  

Jenny W. Colgate, a member of the law firm Rothwell, Figg, Ernst & Mambeck P.C. in Washington, said businesses should log the information they are collecting and review privacy laws to make sure they are not breaching them.

Another challenge is employers that operate in multiple states may have to comply with several different laws with respect to the collection, use and storage of information, said Kelly Geary, New York-based national practice leader for executive risk and cyber with EPIC Insurance Brokers & Consultants. 

Jason C. Gavejian, a principal with Jackson Lewis P.C. in Morristown, New Jersey, said, COVID-19 testing “is ever evolving, and as (employers) look to take steps to streamline the process they should be carefully considering any impact that could have on their business,” including assessing the functionality of the devices they use.

Experts say that communicating information about the use of data and obtaining employees’ consent is not necessarily complicated. “I suspect you could probably get a pretty simple consent form” as long as it is informative, Ms. Kochenderfer said. “That would probably be enough.” 

Observers note there are additional privacy-related concerns with respect to COVID-19 under other laws. These include the federal Americans with Disabilities Act, the Family Medical Leave Act and the Genetic Information Nondiscrimination Act of 2008, which prohibits genetic information discrimination in employment, as well as other state and local laws. There are also the Centers for Disease Control and Prevention’s recommendations.

Employers should make sure “they are following all the administrative protocols that are set forth in the laws,” said Nancy Farnam, Bloomfield Hills, Michigan-based Great Lakes area vice president, compliance, with Arthur J. Gallagher & Co.’s employee benefit consulting operations.