Privacy & Consent Compliance Guide
Understand employee privacy rights, biometric data laws, medical records confidentiality, and consent requirements.
Overview
Employee privacy and consent compliance is one of the fastest-moving areas of employment law. Biometric data privacy statutes (led by Illinois BIPA) are expanding to more states, workplace monitoring and surveillance laws are evolving with remote work, and medical records confidentiality under the ADA and state laws remains a persistent audit risk. Employers collecting biometric data (fingerprints, facial recognition, retinal scans) for timekeeping or access control face substantial litigation exposure in states with private rights of action.
Regulatory Landscape
Illinois BIPA remains the most litigated biometric privacy statute, with statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation, plus a private right of action. Texas, Washington, Colorado, and several other states have enacted or proposed biometric data privacy laws with varying enforcement mechanisms (Texas and Washington, for example, rely on attorney general enforcement rather than private suits). On the medical privacy front, the ADA requires that employee medical information be kept in separate confidential files, apart from the personnel file, with access restricted to those who need it. This includes drug test results, physical exam records, immunization documentation, and disability accommodation records. State laws may impose additional requirements, such as encryption mandates, data retention limits, and breach notification obligations. Employers using occupational health platforms must ensure their vendors meet these standards contractually: a HIPAA Business Associate Agreement where the vendor handles protected health information on behalf of a covered entity, and a data processing agreement covering security, retention, and breach notification in every case, since employment records an employer holds in its capacity as employer generally fall outside HIPAA.
Key Considerations
1. Audit biometric data collection practices (fingerprint scanners, facial recognition) against applicable state laws
2. Obtain informed consent before collecting biometric data in states requiring it (a written release in Illinois; notice and consent in Texas and Washington)
3. Ensure all employee medical records are stored separately from personnel files with restricted access
4. Review vendor contracts for occupational health platforms to ensure HIPAA/state privacy compliance
5. Implement data retention and destruction policies aligned with state-specific requirements
6. Train managers on what medical information they can and cannot access or share
Recent Privacy & Consent Updates
Recent Regulatory Updates
Latest compliance changes affecting workplace health programs
BIPA Damages Clarification (Cothron v. White Castle)
In Cothron v. White Castle (2023), the Illinois Supreme Court held that a separate BIPA claim accrues each time a biometric identifier (fingerprint, facial geometry) is scanned or transmitted without the required notice and written release, not only on the first scan, which multiplied potential employer liability for timekeeping systems used daily. A 2024 amendment to BIPA (SB 2979) subsequently limited recovery to a single violation per person for each method of collection, regardless of how many scans occur, but the notice, written release, and public retention-and-destruction policy requirements remain. Employers must still obtain a written release before collecting any biometric data.
Employee Medical Records Retention (29 CFR 1910.1020)
Federal OSHA's Access to Employee Exposure and Medical Records standard (29 CFR 1910.1020) requires employers to preserve employee medical records for the duration of employment plus 30 years, and employee exposure records and any analyses based on exposure or medical records for at least 30 years. Covered medical records include medical histories, examination results, medical opinions, and first-aid or treatment records for exposure to toxic substances or harmful physical agents; short-term first-aid logs and records for employees employed less than one year (if provided to the employee on termination) are excepted.
Capture or Use of Biometric Identifier Act (CUBI) — Employer Compliance
Texas Business & Commerce Code § 503.001 requires that an individual be informed and consent before a biometric identifier (retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry) is captured for a commercial purpose. Biometric identifiers may not be sold, leased, or otherwise disclosed except in narrow statutory circumstances, must be protected with reasonable care, and must be destroyed within a reasonable time and no later than one year after the purpose for collection expires; in the employment context, that purpose is presumed to expire when the employment relationship ends. CUBI has no private right of action and is enforced by the Texas Attorney General, with civil penalties of up to $25,000 per violation. Recent Attorney General enforcement actions underscore the importance of CUBI compliance for employers using biometric timekeeping or access systems.
States Tracking Privacy & Consent
18 states currently monitor privacy & consent regulations
Need Help With Privacy & Consent Compliance?
BlueHive connects you to qualified providers who understand the regulatory requirements in your state.