- Biometric time and attendance systems use fingerprint, facial, palm or iris scans to record work time.
- Illinois, Texas and Washington all have laws in place governing how the biometrics are recorded, stored and used.
- Businesses in those states need to understand the laws and make sure they have policies for how consent is gathered, how the data is stored, and how and when it is destroyed.
- Employees can refuse to provide biometric scans, but employers can terminate them for it.
- All businesses should be aware of these laws because other states have similar pending legislation.
There was a time when using a fingerprint or facial scan in the workplace was reserved for highly sensitive jobs or top-secret government positions. Today, however, biometrics are increasingly common in all types of businesses.
Biometrics' tie-in to time and attendance systems is contributing to the increase in biometric data collection in the workplace. Many of today's time and attendance systems offer options to record employee time by fingerprint, palm, iris or facial scan.
However, as these systems become more prominent, numerous legal issues around their use are arising. While only several states currently have laws on the books regulating how biometrics can be used in the workplace, that doesn't mean more states won't follow suit. With that in mind, Kevin Kelly, a partner in Locke Lord's Labor & Employment group, said all businesses should be aware of these issues.
"Businesses need to be aware of the significant compliance requirements associated with implementing biometric time and attendance systems," Kelly said. "An employer's failure to have a proper compliance program in place can result in significant liability."
Which types of companies use biometric time clocks?
In theory, any company that has the budget and need for biometric time clocks can use them. According to one leading manufacturer of fingerprint-based biometric time clocks, companies in industries such as restaurants, oil and hospitality comprise the majority of biometric time clock clientele.
What does a biometric time clock usually cost?
A biometric time clock system usually costs just over $100 to purchase, though some high-end models that don't require computer connectivity can cost up to $600. These costs tend not to include any expert installation help you might hire.
Biometric time and attendance systems
Tracking employee attendance and time is a critical task for many businesses. Without accurate records, employers could be paying employees for time they haven't worked.
Knowing the huge impact it can have on their bottom lines, many employers have ditched paper timesheets or old punch clocks in favor of digital time and attendance solutions. A digital system automates the entire time-tracking process. It keeps detailed real-time data of when employees come and go, which it automatically transfers into a payroll solution in time for payday.
Editor's note: Looking for the right time and attendance system for your business? Fill out the below questionnaire to have our vendor partners contact you about your needs.
These systems cut down on employee time theft. Since workers have to digitally clock in and out each day, they're not simply writing down when they start and end their day. This reduces the possibility of employees getting paid for time they aren't actually at work.
Research from time and attendance system provider TSheets found that nearly half of U.S. employees admit to time theft. This costs employers more than $11 billion a year.
Today's time and attendance systems allow employees to manage their time in various ways, including via computers, mobile devices, PINs, and swipe and badge cards. However, all of those options open up the possibility of buddy punching. Buddy punching is when an employee clocks in or out for one of their co-workers. The TSheets study found that 16% of U.S. employees admit to buddy punching, which costs U.S. businesses $372 million a year.
The best way to combat buddy punching is through the use of biometric clocks. Growing numbers of time and attendance systems now offer some form of biometrics. Biometric clocks require employees to punch in and out using a fingerprint, palm, facial or iris scan. This removes the option for an employee to clock one of their co-workers in or out and ensures that employers aren't paying for time an employee didn't work. [Looking for a time and attendance system? Check out our best picks and reviews.]
However, how these scans are stored and how employees are notified of biometric scan requirements and storage have opened up a number of legal issues.
Benefits of using a biometric time clock
Close to 50% of workers in the U.S. admit to committing time theft, which costs businesses a nationwide total of $11 billion per year. Using a biometric time clock to accurately track when your employees are working versus when they're out of the office may save you money that you're spending on labor not actually performed. Biometric clocks also avoid the potential for one worker to forge timesheets for another, as biometric clocks only respond to biological features unique to one worker.
Current biometric time and attendance system laws
Currently, three states – Illinois, Texas and Washington – have specific laws regarding biometric uses in the workplace.
"The hottest legal issue right now is that several states (Illinois, Washington, Texas) have passed laws that regulate how companies may collect, store, and disclose biometric information (such as finger or retina scans commonly used by timekeeping systems), and similar legislation is pending in many other states," said Lauren Daming, an associate with the Greensfelder law firm.
Illinois was the first to approve legislation on the issue. Lawmakers there passed the Illinois Biometric Privacy Information Act in 2008. The Illinois law requires businesses to obtain consent before collecting biometric data and governs how the data is disclosed, profited from, protected and retained.
Texas followed suit in 2009, passing legislation that requires businesses to gather consent if they are selling, leasing, or disclosing biometric information and lays how out the biometric information must be stored and protected. It also mandates that the biometric data be destroyed within one year of being collected.
In 2017, Washington also passed a law that spells out how biometric information can be collected, stored and used.
Philip Gordon, who co-chairs Littler Mendelson's privacy and background checks practice group, said New York employers are barred from requiring employees to be fingerprinted.
"New York's Department of Labor has interpreted that law, in an informal opinion letter, to apply to a requirement that employees place their finger on a scanner for a biometric time clock," Gordon said.
Most recently, the California Consumer Privacy Act (CCPA), which went into effect in 2018, regulates biometric data as "physiological, biological or behavioral characteristics … that can be used to establish individual identity." This includes "imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information." This broad definition of biometric data places all kinds of data squarely under the requirements prescribed by the CCPA.
Arkansas also has biometric data laws on the books, adopting an amendment to state code that defines biometric data as "fingerprints, faceprint, a retinal or iris scan, hand geometry, voiceprint analysis, deoxyribonucleic acid (DNA), or any other unique biological characteristics."
Biometric workplace lawsuits
Illinois is the state that has seen the most activity surrounding this legislation because, unlike Texas and Washington, it has a private right of action.
"The Illinois Biometric Privacy Act has a private right of action that has been attracting a lot of attention from plaintiffs' attorneys as dozens of class-action lawsuits have been filed in the last few years," Daming said. "BIPA includes statutory penalties of $1,000 or $5,000 per violation, which can add up to significant potential damages, since plaintiffs' attorneys argue that each individual scan of an individual's finger to clock in or out constitutes a separate violation of the act."
One such lawsuit involves Illinois steelmaker A. Finkl & Sons Co. According to Biometric Update, the company faced a class-action lawsuit that claimed employees weren't asked to give consent to using their handprints to clock in and out. In addition, the employees argued that they never received details on how that information would be stored and when it would be destroyed.
Gordon said that since Illinois permits enforcement by private individuals (as opposed to government agencies) and allows recovery of statutory damages, class-action lawsuits have been filed against more than 200 employers in Illinois.
Compliance with biometric workplace laws
To ensure you are complying with biometric laws, you first need to figure out which laws apply to your business and what those laws require, according to Daming.
"Then, they need to take an inventory of the data that they're collecting, storing, or using and consider whether it constitutes 'biometric information' under any applicable law," Daming said. "This inventory should also examine how the information is being collected, how it is being stored and for how long, how it is being shared or disclosed, and what purpose it is used for."
Kelly said gathering consent is a big issue employers need to be aware of, especially in Illinois.
"Businesses using biometric time clocks need to be certain that they have a comprehensive compliance program in place that meets all of the requirements of applicable law," he said. "In Illinois, for instance, such a compliance program would require, among other things, that the employer obtain each employee's written consent before using the employee's biometric information."
Employers should develop a complete policy that describes how the information is collected, what it is used for, how it is stored and for how long, and when it is destroyed, Daming said.
"Companies that use biometric timekeeping systems should also ensure that their insurance policies provide coverage for claims that could be brought under biometric privacy laws," she said. "Companies should also make sure that any third parties that they interact and share data with – such as payroll companies – are in compliance with applicable laws."
Businesses that operate in multiple states or have employees who are represented by a union should take a few other factors into account. Daming said those that have locations in more than one state should develop policies that harmonize requirements across jurisdictions, while those that have union employees should consider whether a proposed policy or changed procedure related to the time clocks may trigger bargaining obligations or necessitate other communication with a representative union.
Employee options for biometric data privacy
The one option employees have when it comes to biometrics is refusing to provide a fingerprint or facial scan. However, that could very well result in an employee losing their job.
"Under the Illinois law applicable to biometric time clocks, employees must consent in writing before an employer can use the employee's biometric information, and therefore an employee can refuse to provide such consent," Kelly said. "However, employers can potentially make such consent a condition of employment, meaning that the employee won't be able to continue employment unless such consent is provided."
Gordon said that even in situations that don't require consent, employers can let an employee go if they refuse to provide their biometric scan.
"In jurisdictions where employers are not required to obtain employees' consent, employers also can condition employment, or continued employment, on use of a fingerprint or facial scans subject to objections on religious grounds," Gordon said.
Daming said that in cases where an employee refuses on religious grounds or has a physical condition that prevents them from providing a scan, employers would likely need to provide an alternative method for clocking in and out.
The future of biometric laws Although biometric laws currently only apply to employers in a few states, Gordon believes privacy laws will continue to grow throughout the country. He said several states already have pending legislation modeled after the Illinois and Texas laws.
"San Francisco recently enacted a ban on law enforcement's use of facial recognition," Gordon said. "While that ordinance does not apply to private employers, other city or state governments could enact expanded prohibitions in the future."
Daming agrees that biometric privacy laws will become more prevalent moving forward.
"We're already seeing that with the proposed legislation around the country," she said. "I think everyone (consumers, employees, etc.) is becoming more aware of and concerned with privacy rights – we can see that with California's recent passage of the California Consumer Privacy Act – and this will probably lead employees and consumers to think more critically about where their biometric data is going and how it's being used."
Max Freedman contributed to the reporting and writing in this article. Some source interviews were conducted for a previous version of this article.