Biometric time and attendance systems use fingerprint, facial, palm or iris scans to record work time.
Illinois, Texas and Washington all have laws in place governing how the biometrics are recorded, stored and used.
Businesses in those states need to understand the laws and make sure they have policies for how consent is gathered, how the data is stored, and how and when it is destroyed.
Employees can refuse to provide biometric scans, but employers can terminate them for it.
All businesses should be aware of these laws, because other states have similar pending legislation.

There was a time when using a fingerprint or facial scan in the workplace was reserved for highly sensitive jobs or top-secret government positions. Today, however, biometrics are increasingly common in all types of businesses.

Its tie-in to time and attendance systems is contributing to the increase in biometric data collection in the workplace. Many of today’s time and attendance systems offer the options of recording employee time by fingerprint, palm, iris or facial scan.

However, as these types of systems become more prominent, numerous legal issues around their use are arising. While currently only several states have laws on the books regulating how biometrics can be used in the workplace, that doesn’t mean more states won’t follow suit. With that in mind, Kevin Kelly, a partner in Locke Lord’s Labor & Employment group, said all businesses should be aware of these issues.

“Businesses need to be aware of the significant compliance requirements associated with implementing biometric time and attendance systems,” Kelly said. “An employer’s failure to have a proper compliance program in place can result in significant liability.”

Biometric time and attendance systems

Tracking employee attendance and time is a critical task for many businesses. Without accurate records, employers could be paying employees for time they haven’t worked.

Knowing the huge impact it can have on their bottom line, many employers have ditched paper timesheets or old punch timeclocks in favor of digital time and attendance solutions. These systems automate the entire time-tracking process. It keeps detailed real-time data of when employees come and go, which it automatically transfers into a payroll solution in time for payday.

Editor’s note: If you’re looking for information to help you choose the time and attendance system that’s right for you, use the questionnaire below to have our vendor partners contact you with free information.

These types of systems cut down on employee time theft. Since workers have to digitally clock in and out each day, they’re not simply writing down when they start and end their day. This eliminates the possibility of employees getting paid for time they aren’t actually on the clock.

Research from time and attendance system provider TSheets found that nearly half of U.S. employees admit to time theft. This costs employers more than $11 billion a year.

Today’s time and attendance systems allow employees to manage their time in various ways, including via computers, mobile devices, PINs, and swipe and badge cards. However, all of those options open up the possibility of buddy punching. Buddy punching is when an employee clocks in or out for one of their co-workers. The TSheets study found that 16% of U.S. employees admit to buddy punching, which costs U.S. businesses $372 million a year.

The best way to combat buddy punching is through the use of biometric clocks. A growing number of time and attendance systems now offer some form of biometrics. Biometric clocks force employees to punch in and out using a fingerprint, palm, facial or iris scan. Requiring such a scan removes the option for an employee to clock one of their co-workers in or out and ensures that employers aren’t paying for time an employee didn’t work. [Looking for a time and attendance system? Check out our best picks and reviews.]

However, how these scans are stored and how employees are notified of biometric scan requirements and storage have opened up a number of legal issues.

Current biometric time and attendance system laws

Currently, three states – Illinois, Texas and Washington – have specific laws regarding biometric uses in the workplace.

“The hottest legal issue right now is that several states (Illinois, Washington, Texas) have passed laws that regulate how companies may collect, store, and disclose biometric information (such as finger or retina scans commonly used by timekeeping systems), and similar legislation is pending in many other states,” said Lauren Daming, an associate with the Greensfelder law firm.

Illinois was the first to approve legislation on the issue. Lawmakers there passed the Illinois Biometric Privacy Information Act in 2008. The Illinois law requires consent be obtained before collecting biometric data and governs how the data is disclosed, profited from, protected and retained.

Texas followed suit in 2009, passing legislation that requires businesses to gather consent if they are selling, leasing, or disclosing biometric information and lays how out the biometric information is stored and protected. It also mandates that the biometric data must be destroyed within one year of it being collected.

In 2017, Washington passed a law that spells out how biometric information is collected, stored and used.

Philip Gordon, who co-chairs Littler’s privacy and background checks practice group, said New York employers are barred from requiring employees to be fingerprinted.

“New York’s Department of Labor has interpreted that law, in an informal opinion letter, to apply to a requirement that employees place their finger on a scanner for a biometric time clock,” Gordon said.

Biometric workplace lawsuits

Illinois is the state that has seen the most activity surrounding this legislation because, unlike Texas and Washington, it has a private right of action.

“The Illinois Biometric Privacy Act has a private right of action that has been attracting a lot of attention from plaintiffs’ attorneys as dozens of class-action lawsuits have been filed in the last few years,” Daming said. “BIPA includes statutory penalties of $1,000 or $5,000 per violation, which can add up to significant potential damages, since plaintiffs’ attorneys argue that each individual scan of an individual’s finger to clock in or out constitutes a separate violation of the act.”

One such lawsuit involves Illinois steelmaker A. Finkl & Sons Co. According to BiometricUpdate.com, the company is facing a class-action lawsuit that alleges employees weren’t asked to give consent to using their handprints to clock in and out. In addition, they argue that they never received details on how that information is stored and when it would be destroyed.

Gordon said that since Illinois permits enforcement by private individuals, as opposed to government agencies, and allows recovery of statutory damages, class-action lawsuits have been filed against more than 200 employers with employees in Illinois.

Complying with biometric workplace laws

To ensure you are complying with biometric laws, you first need to figure out which laws apply to your business and what those laws require, according to Daming.

“Then, they need to take an inventory of the data that they’re collecting, storing, or using and consider whether it constitutes ‘biometric information’ under any applicable law,” Daming said. “This inventory should also examine how the information is being collected, how it is being stored and for how long, how it is being shared or disclosed, and what purpose it is used for.”

Kelly said gathering consent is a big issue employers need to be aware of, especially in Illinois.

“Businesses using biometric timeclocks need to be certain that they have a comprehensive compliance program in place that meets all of the requirements of applicable law,” he said. “In Illinois, for instance, such a compliance program would require, among other things, that the employer obtain each employee’s written consent before using the employee’s biometric information.”

Employers should develop a complete policy that describes how the information is collected, what it is used for, how it is stored and for how long, and when it is destroyed, Daming said.

“Companies that use biometric timekeeping systems should also ensure that their insurance policies provide coverage for claims that could be brought under biometric privacy laws,” she said. “Companies should also make sure that any third parties that they interact and share data with – such as payroll companies – are in compliance with applicable laws.”

Businesses that operate in multiple states or have employees who are represented by a union have a few other factors to take into account. Daming said those that have locations in more than one state should develop policies that harmonize requirements across jurisdictions, while those that have union employees should consider whether a proposed policy or changed procedure related to the timeclocks may trigger bargaining obligations or necessitate other communication with a representative union.

Employee options

The one option employees have when it comes to biometrics is refusing to provide a fingerprint or facial scan. However, that could very well result in an employee losing their job.

“Under the Illinois law applicable to biometric timeclocks, employees must consent in writing before an employer can use the employee’s biometric information, and therefore an employee can refuse to provide such consent,” Kelly said. “However, employers can potentially make such consent a condition of employment, meaning that the employee won’t be able to continue employment unless such consent is provided.”

Gordon said that even in situations where consent isn’t required, employers can let an employee go if they refuse to provide their biometric scan.

“In jurisdictions where employers are not required to obtain employees’ consent, employers also can condition employment, or continued employment, on use of a fingerprint or facial scans subject to objections on religious grounds,” Gordon said.

Daming said in cases where an employee refuses on religious grounds, or has a physical condition that prevents them from providing a scan, employers would likely need to provide an alternative method for clocking in and out.

The future of biometric laws

Although biometric laws currently only apply to employers in a few states, Gordon believes privacy laws will continue to grow throughout the country. He said several states already have pending legislation modeled after the Illinois and Texas laws.

“San Francisco recently enacted a ban on law enforcement’s use of facial recognition,” Gordon said. “While that ordinance does not apply to private employers, other city or state governments could enact expanded prohibitions in the future.”

Daming agrees that biometric privacy laws will become more prevalent moving forward.

“We’re already seeing that with the proposed legislation around the country,” she said. “I think everyone (consumers, employees, etc.) is becoming more aware of and concerned with privacy rights – we can see that with California’s recent passage of the California Consumer Privacy Act – and this will probably lead employees and consumers to think more critically about where their biometric data is going and how it’s being used.”