The Biometric Time and Attendance System Laws You Should Know

Current biometric time and attendance system laws

Several states have specific laws regarding the use of biometric data in the workplace, such as finger or retina scans commonly used by time and attendance software. Even if you don’t operate in a state that has laws on the books, see if there is any pending legislation. [Read related article: How Time and Attendance Software Improves Shift Planning]

“The hottest legal issue right now is that several states have passed laws that regulate how companies may collect, store and disclose biometric information, and similar legislation is pending in many other states,” said Lauren Daming, an associate with the Greensfelder law firm.

Here’s a rundown of states with biometric time and attendance system laws:

• Illinois: Illinois was the first to approve legislation on the issue. Lawmakers there passed the Illinois Biometric Information Privacy Act (BIPA) in 2008. The Illinois law requires businesses to obtain consent before collecting biometric data and governs how the data is disclosed, profited from, protected and retained.
• Texas: Texas followed suit in 2009, passing legislation that requires businesses to gather consent if they are selling, leasing or disclosing biometric information. The law lays out how the biometric information must be stored and protected. It also mandates that the biometric data be destroyed within one year of being collected.
• Washington: In 2017, Washington passed a law spelling out how biometric information can be collected, stored and used. It also defines the content and activity it regulates in more specific terms; unlike in Illinois, the law doesn’t provide for a private right of action.
• California: In 2018, the California Consumer Privacy Act went into effect to regulate biometric data as “physiological, biological or behavioral characteristics … that can be used to establish individual identity.” The California law’s broad definition of biometric data includes iris, retina, fingerprint, face, hand, palm and vein patterns, as well as voice recording.
• New York: In 2021, New York’s biometric privacy legislation went into effect, regulating the collection and use of biometric information by “commercial establishments.” These establishments must post conspicuous signage and may not profit from any biometric information transaction. Philip Gordon, who co-chairs Littler Mendelson’s Privacy and Data Security Practice Group, said that the law’s interpretation bars New York businesses from requiring employees to be fingerprinted. “New York’s Department of Labor has interpreted that law, in an informal opinion letter, to apply to a requirement that employees place their finger on a scanner for a biometric time clock,” Gordon said.
• Arkansas: Arkansas also has a biometric data law on the books, adopting an amendment to the state code that defines biometric data as “fingerprints, faceprint, a retinal or iris scan, hand geometry, voiceprint analysis, deoxyribonucleic acid (DNA), or any other unique biological characteristics.”

Biometric workplace Lawsuits

Illinois has seen the most activity surrounding biometric legislation because, unlike Texas and Washington, it has a private right of action.

“The Illinois Biometric Information Privacy Act has a private right of action that has been attracting a lot of attention from plaintiffs’ attorneys as dozens of class-action lawsuits have been filed in the last few years,” Daming said. “BIPA includes statutory penalties of $1,000 or $5,000 per violation, which can add up to significant potential damages, since plaintiffs’ attorneys argue that each individual scan of an individual’s finger to clock in or out constitutes a separate violation of the act.”

One such lawsuit involves Illinois steelmaker A. Finkl & Sons Co. According to BiometricUpdate.com, the company faced a class-action lawsuit that claimed employees weren’t asked to give consent to using their handprints to clock in and out. In addition, the employees argued that they never received details on how that information would be stored and when it would be destroyed.

Gordon said that since Illinois permits enforcement by private individuals (as opposed to government agencies) and allows for the recovery of statutory damages, hundreds of class-action lawsuits have been filed in the state.

Understanding biometric time and attendance systems

Tracking employee attendance and time is crucial for many businesses. Without accurate records, employers could pay employees for time they haven’t worked.

To ensure accuracy, many employers have turned to digital time and attendance solutions that use biometrics to automate the time tracking process. These systems keep detailed, real-time data of when employees come and go, automatically transferring this information to a payroll service in time for payday.

How do biometric systems help the bottom line?

Biometric time and attendance systems cut down on employee time theft. Since workers have to digitally clock in and out each day, confusion and mistakes are eliminated. Employees won’t get paid for time they aren’t working.

According to time and attendance system provider Intuit QuickBooks, nearly half of U.S. employees admit to time theft. This costs employers more than $11 billion annually.

Today’s time and attendance systems let employees manage their time in various ways, including via computers, mobile devices, personal identification numbers (PINs), and swipe and badge cards. However, these options open up the possibility of “buddy punching,” which is when an employee clocks in or out for a co-worker. Intuit reported that 16 percent of U.S. employees admit to buddy punching, costing U.S. businesses $372 million per year.

The best way to combat buddy punching is to use biometric clocks. Many time and attendance systems now offer some form of biometrics. Biometric clocks require employees to punch in and out using a fingerprint, palm, facial or iris scan, so buddy punching is no longer an option. 

However, how employers store these scans and how they notify employees of biometric scan requirements and storage have opened up several legal issues.

How much does a biometric time clock cost?

Biometric time clock prices range from inexpensive models that cost only $100 to $200 to more expensive, high-end systems that are $800 or more. Remember that costs likely won’t include expert installation and support. 

If you go with one of the best time and attendance systems with biometric features, you’ll likely pay a certain price per user per month in addition to support costs. 

Which types of companies use biometric time clocks?

In theory, any company with the budget and need for biometric time clocks can use them. According to one leading manufacturer of fingerprint-based biometric time clocks, companies in industries such as food service, oil and hospitality comprise the majority of biometric time clock clientele.

How to comply with biometric workplace laws

To ensure you comply with biometric laws, determine which laws apply to your business and what those laws require, according to Daming. 

“Then, they need to take an inventory of the data that they’re collecting, storing or using, and consider whether it constitutes ‘biometric information’ under any applicable law,” Daming said. “This inventory should also examine how the information is being collected, how it is being stored and for how long, how it is being shared or disclosed, and what purpose it is used for.”

What about consent?

Kevin Kelly, a partner in Locke Lord’s labor and employment group, said that gathering consent is a big issue employers must be aware of, especially in Illinois.

“Businesses using biometric time clocks need to be certain that they have a comprehensive compliance program in place that meets all of the requirements of applicable law,” he said. “In Illinois, for instance, such a compliance program would require, among other things, that the employer obtain each employee’s written consent before using the employee’s biometric information.”

Biometric information policies

Employers should develop a comprehensive policy describing how the information is collected, what it is used for, how it is stored and for how long, and when it is destroyed, Daming said.

“Companies that use biometric timekeeping systems should also ensure that their insurance policies provide coverage for claims that could be brought under biometric privacy laws” she said. “Companies should also make sure that any third parties that they interact and share data with – such as payroll companies – are in compliance with applicable laws.”

Businesses that operate in multiple states or have employees represented by a union should consider a few other factors. Daming said that those with locations in more than one state should develop policies that harmonize requirements across jurisdictions, while those with union employees should consider whether a proposed policy or changed procedure related to the time clocks may trigger bargaining obligations or necessitate other communication with a union representative.

Employee options for biometric data privacy

The one option employees have when it comes to biometrics is refusing to provide a fingerprint or facial scan. However, that could very well result in an employee losing their job. 

“Under the Illinois law applicable to biometric time clocks, employees must consent in writing before an employer can use the employee’s biometric information, and therefore, an employee can refuse to provide such consent,” Kelly said. “However, employers can potentially make such consent a condition of employment, meaning that the employee won’t be able to continue employment unless such consent is provided.”

Gordon said that even in situations that don’t require consent, employees could be fired for refusing to provide a biometric scan.

When can you refuse a biometric scan?

“In jurisdictions where employers are not required to obtain employees’ consent, employers also can condition employment, or continued employment, on use of a fingerprint or facial scans, subject to objections on religious grounds,” Gordon said.

Daming said that in cases where an employee refuses on religious grounds or has a physical condition that prevents them from providing a scan, employers would likely need to provide an alternative method for clocking in and out.

The future of biometric laws 

Although biometric laws currently apply to employers in certain states only, Gordon believes that privacy laws will continue to proliferate throughout the country. He said that several states have pending legislation modeled after the Illinois and Texas laws.

“San Francisco [in 2019] enacted a ban on law enforcement’s use of facial recognition,” Gordon said. “While that ordinance does not apply to private employers, other city or state governments could enact expanded prohibitions in the future.”

Daming agrees that biometric privacy laws will become more prevalent moving forward.

“I think everyone – consumers, employees, et cetera – is becoming more aware of and concerned with privacy rights,” Daming said. “We can see that with California’s [passage] of the California Consumer Privacy Act. And this will probably lead employees and consumers to think more critically about where their biometric data is going and how it’s being used.”

Max Freedman contributed to this article.