Protecting Your Gym’s Member Data in a Digital World

Informed consent is critical to managing personal information safely—especially when it comes to biometric technology.

Does the term “biometric technologies” sound vaguely familiar? If so, you might envision the dystopian society in the film Blade Runner, in which retina scanners are used to measure a person’s empathy, or the facial recognition system on the USS Enterprise in Star Trek that allows crew members to access the ship’s restricted areas.

But biometric technology is hardly science fiction. Today, facial scanners unlock iPhones, retina scanners access bank accounts, and body scanners are an integral component of airport security.

A survey commissioned by Spiceworks, a network of information technology professionals, revealed that 62% of companies currently use biometric authentication technologies and that another 24% plan to implement them by 2020.

So, it’s not surprising that IHRSA clubs have begun to implement this sort of technology. Fingerprint and facial recognition scanners gather membership data; biometric scanners keep track of employees’ work hours; and body scanners generate 3D images to ascertain a client’s weight loss and help them achieve their muscle-building goals.

While this equipment and the functions it facilitates are valuable, it’s important to note that a number of states have enacted laws to regulate the use of the data that’s generated and ensure that it’s protected. Understanding these laws is crucial to developing procedures to protect your club from potential litigation.

Defining Biometric Information

At the moment, state statutes are uniform in defining biometric data as information produced by biometric identifiers—namely, fingerprints; retina, iris, and voice scans; and scans of a person’s face and hand geometry. All are unique to each person, making the ability to gather them attractive and, potentially, lucrative to businesses.

While the numerous applications and benefits are obvious, the potential risks and liabilities also need to be considered.

The very specific, personal nature of such data makes it particularly sensitive. For example, if you misplace your Social Security card, the government can issue you a new one. But there’s no equivalent remedy for the loss of biometric information, making its misappropriation a much more serious and, conceivably, dangerous matter. Furthermore, because much of this data is both visible and easily accessed, it makes people susceptible to fraud in ways that traditional identifiers don’t.

“A user’s biometric passwords are on public display every time they leave the house,” says Jane Bambauer, an associate professor of law at the James E. Rogers College of Law at the University of Arizona, in Tucson.

This vulnerability places considerable responsibility on club operators who choose to collect and use employee and client biometric information, compelling them to establish procedures to properly safeguard it.

The Issue Lies with Informed Consent

Currently, only Illinois, Texas, and Washington have statutes regulating the use of such data. The most extensive is the Illinois Biometric Information Privacy Act (BIPA), which went into effect in 2008.

If clubs in Illinois aren’t careful, they could be found in violation of BIPA by simply requiring employees to scan their fingerprints in order to clock in for work. In fact, it’s already happened.

In one situation, a club employee filed a class-action lawsuit against their employer for failing to obtain the employee’s consent before collecting their fingerprint data.

In a similar, but separate, case, a member filed a class-action lawsuit against a club because it didn’t confirm its members’ informed consent before asking them to submit their fingerprint data during personal training sessions, and because it didn’t provide members with a policy statement describing the business’s biometric information procedures and retention schedule.

In both instances, the clubs were operating in good faith, but, technically, weren’t in compliance with the law.

However, in a decision addressing this legal loophole, an Illinois appeals court ruled in favor of Six Flags after a customer alleged that it had violated BIPA by not informing her son it was collecting biometric data when he scanned his fingerprints to purchase a season pass. The court ruled that “a plaintiff who alleges only a technical violation of the statute without alleging some injury or adverse effect isn’t an aggrieved person.”

The statutes in Texas and Washington that regulate commercial use of biometric information aren’t as strict, but do contain similar consent and notification requirements.

More Laws Are in the Works

Eight other states have proposed similar legislation, which hasn’t yet become law. These issues aren’t going away, however, so clubs must be prepared to address them.

Fortunately, there are guidelines available for companies that collect biometric information that accord with current law and also anticipate future legislation. The recommended measures fall into two main categories: proactively developing security procedures that maintain the integrity of sensitive information, and training staff to implement these procedures knowledgeably and explain them to clients effectively.

In conclusion, biometric technologies can allow clubs to improve the fitness experience for employees and clients alike. Staying abreast of current laws—and developing procedures that anticipate future trends—is essential for every IHRSA club that hopes to operate successfully in the 21st century.

Matt O'Malley

Matt O'Malley previously served as IHRSA's Public Policy Assistant—a position that included monitoring legislation that affects the industry at the state and federal levels and writing legislative alerts and articles on issues that affect IHRSA members.