If you’re considering a biometric time clock for your workplace you might also be wondering just what the legal implications of such systems are. 

As all sectors continue to expand their use of digital services, data handling is an increasingly hot topic. What’s more, following years of high-profile data breaches, the general public is more cautious with their data. As a result, new data protection regulations are being issued year on year, and this is likely to continue alongside the growth in digital services. Moreover, as technology continues to change so too will the privacy regulations around data. 

If you’re just about to implement biometric time and attendance, don’t panic just yet. The systems are completely legal. That being said, you need to understand any laws that relate to biometric data collection and employee consent. 

Let’s take a closer look at biometric time clock law, why it’s in place, and what actions employers need to take. 

Why is Biometric Time Clock Law Needed? 

Biometric time clocks offer a streamlined way to manage employee attendance, automate payroll processing, and much more. To function, these systems require some form of personal biometric information so that employees can be authorized. 

Whether the time clock uses fingerprints, irises, or facial recognition as a form of ID, biometric information is a highly sensitive form of personal information. Much like you wouldn’t leave employee contracts lying all over the office in open view, biometric data needs to be stored carefully. 

Biometric time clock laws help to protect the personal data of employees and give companies clear guidance on how to fairly process and secure the information. It also helps to ensure that companies and third parties can’t sell or profit from personal data. 

The Biometric Privacy Laws You Need To Know

At present, there is no single, comprehensive law in place at the federal level regarding the use of biometric law.

However, several states have passed laws that govern the use of biometric data in the workplace. What’s more, companies also need to be aware of international privacy laws, especially if operations are multinational.

Let’s take a look at the states who have implemented biometric privacy laws:

  • Illinois – The Illinois Biometric Information Privacy Act (BIPA) was passed in 2008. In the Land of Lincoln, businesses must obtain consent from every employee before biometric data can be collected. The act also regulates how data is disclosed, protected, retained, and profited from. 
  • Texas – Texas passed similar legislation in 2009. Here, businesses must get consent if they plan to sell, lease or disclose biometric info. Also, data can only be stored for one year. 
  • Washington – In 2017, Washington passed its own law to regulate how biometric information be used by employers.
  • California – The Golden State followed suit in 2018 by passing the California Consumer Privacy Act (CCPA).
  • New York – A new biometric privacy act is also under discussion in New York. The state already controls the use of fingerprint scanners and the right to refuse biometrics, but these regulations fall under wider privacy laws at the moment. 

As the use of biometric data becomes even more commonplace it’s very probably that further privacy laws will come into effect. Therefore, it’s good practice to make sure you’re aware of the most current local and federal regulations before you begin biometric workforce management.

The Litigation Question

The need for biometric data legislation to protect individual privacy is pretty clear. That being said, many of the acts passed in recent years also incorporate steep fines if employers are found to be in breach of the law. 

BIPA, in particular, is coming under fire for being overly litigious. For example, in 2019, the Illinois Supreme Court allowed persons to seek damages even if no actual harm had been caused through the improper collection of their biometric data.

This caused the number of lawsuits to skyrocket. Businesses faced astronomical fines for minor technical infractions. As a result, the bill faces fresh calls for reform to help protect companies from unfair lawsuits. 

Although the risk of litigation is a valid concern, companies with comprehensive privacy policies in place have no need to worry about the use of biometric time clocks in the workplace. 

What Actions Should Employers Take? 

Before getting started with a biometric time and attendance system, employers should review all relevant biometric laws that apply to their geographic location.

Be sure you’re clear on how these laws relate to the type of biometric data you need to collect, as the rules for fingerprints vs facial ID may not be consistent. Once the legal requirements are clear, you can set up processes that adhere to the rules and help you obtain proper consent. 

Next, consider how you are going to store and protect employee data. Where are the servers located? Who has access to the database? How long are you going to keep employee data on file? Do any third parties have access?

Once all of these questions have been answered. To do so, you can write up a comprehensive policy. This ensures that everyone in the company is clear on how their biometric data will be used and protected. What’s more, if you don’t have a legal team in-house, it’s advisable to seek external expertise to ensure that your privacy policy ticks all the right boxes and covers any operational nuances.

The Bottom Line 

Any company using biometrics at work needs to be aware of any biometric laws. Moreover, as biometric becomes more commonplace in our lives, the more likely it is that there will be local and federal laws being passed in not-so-distant future. Therefore, it’s better to be proactive than reactive. 

Furthermore, by taking a proactive approach, you can protect your business from litigation and show your employees you take their privacy seriously. 


To find out more about how Timerack’s biometric time and attendance solutions can keep you compliant with biometric time clock law, schedule a free demo today.