
Biometric Time Clock Laws: Fingerprint and Face Scans at Work

Can your boss require a fingerprint or face scan to clock in? A worker-first guide to BIPA, CUBI, Washington and New York biometric laws, plus your rights.

Disclaimer: This article is general information, not legal advice. Biometric privacy law is moving fast and varies by state. Consult a licensed attorney for advice on your situation.

In most states, yes, with strings attached. No federal law directly governs biometric time clocks. Six states (Illinois, Texas, Washington, New York, plus newer privacy regimes in Colorado and Maryland) regulate workplace fingerprint and face scans through dedicated statutes or broader privacy laws.

The strongest worker protections live in Illinois, where the Biometric Information Privacy Act (BIPA) gives employees the right to sue directly and has produced settlements ranging from $1.5 million to $650 million. New York goes further on paper by banning required fingerprinting outright, with narrow exceptions.

Two updates make this worth re-reading even if you saw a guide last year. In August 2024, Illinois amended BIPA (SB 2979) so repeated scans by the same method count as one violation, not one per swipe. In April 2026, the Seventh Circuit ruled that amendment applies retroactively to pending cases. That reshapes the math on every open BIPA matter.

Key Takeaways

  • Federal law is silent, but the ADA, Title VII, and the EEOC’s 2024 wearables fact sheet still apply.
  • Illinois BIPA is the only U.S. biometric law with a private right of action: $1,000 per negligent violation, $5,000 per intentional.
  • Texas CUBI and Washington RCW 19.375 require notice and consent, but only the state attorney general can sue.
  • New York Labor Law section 201-a generally bans required fingerprinting, with narrow exceptions for certain regulated roles.
  • Religious and disability accommodations under Title VII and the ADA apply in every state, regardless of biometric statute.
  • Workplace settlements have hit Six Flags ($36M), Speedway ($12.1M), White Castle ($9.4M), Epay Systems ($1.53M), and Accu-Time ($1.5M).

No comprehensive federal law covers workplace biometrics. The closest you get federally is the Americans with Disabilities Act, Title VII of the Civil Rights Act, and the EEOC’s December 2024 fact sheet on wearable technology, which warns that biometric collection can trigger ADA “medical examination” rules in some setups.

State by state, the floor varies a lot. Five or six states have a dedicated biometric privacy statute that mentions employment. The rest fall back on contract law, general data-privacy statutes (California CPRA, Colorado CPA), and common-law privacy claims.

In about 44 states, a fingerprint or face-scan time clock is legal so long as the employer follows basic notice and consent practices. In Illinois, Texas, Washington, and New York, specific rules carry real consequences for skipping them.

The active statutes worth knowing by name:

  • Illinois: Biometric Information Privacy Act, 740 ILCS 14 (BIPA)
  • Texas: Capture or Use of Biometric Identifier, Tex. Bus. & Com. Code section 503.001 (CUBI)
  • Washington: RCW 19.375 (HB 1493)
  • New York: Labor Law section 201-a, plus the SHIELD Act’s data-security duties
  • California: CCPA/CPRA treats biometric info as “sensitive personal information”
  • Newer comprehensive privacy laws in Colorado, Connecticut, Maryland, Tennessee, Oregon, and Delaware

Most of those newer laws focus on consumer rights and may or may not extend to employee data. The four older statutes (BIPA, CUBI, RCW 19.375, NY Labor Law section 201-a) are the ones that consistently apply to time clocks at work.

Illinois BIPA: The Strictest Law in the Country

The Illinois Biometric Information Privacy Act, enacted in 2008, is the standard the rest of the country measures itself against. It is also the only state biometric statute that lets employees sue directly without going through the attorney general.

What BIPA actually requires

Section 15(b) of BIPA sets four pre-collection requirements. Before an employer can scan a fingerprint, face, voice, iris, or retina, it must:

  1. Inform the employee in writing that biometric data is being collected.
  2. State the specific purpose for collection.
  3. State how long the data will be kept.
  4. Obtain a written release signed by the employee.

Section 15(a) adds a public retention and destruction policy, with a hard ceiling: biometric data has to be destroyed within three years of the last interaction with the employee, or when the purpose for collection is satisfied, whichever comes first.

What the damages look like

BIPA’s teeth come from its statutory damages: $1,000 per negligent violation and $5,000 per intentional or reckless violation, plus attorneys’ fees. The Illinois Supreme Court ruled in Rosenbach v. Six Flags (2019) that an employee does not need to show actual injury to sue. A missing release is enough.

That ruling, combined with the Cothron v. White Castle holding that every scan was its own violation, drove settlements into the hundreds of millions across multiple industries.

The 2024 amendment and the 2026 retroactivity ruling

In August 2024, Illinois enacted SB 2979. The amendment collapses repeated biometric collections from the same person by the same method into a single violation, rather than counting every fingerprint touch as its own claim. That cuts exposure dramatically.

The April 2026 Seventh Circuit decision (analyzed by Paul Hastings) confirmed the amendment applies retroactively to pending cases. Lawsuits filed under the old per-scan rule have to be recalculated. The change is the freshest legal development in this area, and it explains why older BIPA guides on the internet now misstate the damages math.

Texas CUBI and Washington HB 1493: Public-Enforcement States

Texas and Washington passed biometric statutes that look like BIPA on the surface but differ in one important place: only the state attorney general can sue. Employees cannot bring a private claim under either law.

Texas CUBI in plain English

The Texas Capture or Use of Biometric Identifier law, codified at Tex. Bus. & Com. Code section 503.001, requires informed consent before capturing a biometric identifier, bars selling the data, and requires reasonable security and destruction. Civil penalties run up to $25,000 per violation, enforced by the Texas Attorney General.

CUBI has a notable wrinkle for employment. The statute presumes that an employer’s legitimate purpose for holding biometric data ends when the employee leaves. After termination, the clock starts on destruction.

Washington RCW 19.375

Washington’s biometric statute, RCW 19.375 (originally HB 1493), regulates “enrollment” of biometric identifiers, which the law defines as capturing the biometric plus storing a template in a database. Employers must give notice and obtain consent for any commercial use. Enforcement is again limited to the state attorney general, with no private right of action.

In Texas and Washington, an employer that skips consent is still breaking the law, but employees cannot file a class action. They have to convince the AG’s office to take the case.

New York and Other State Rules Worth Knowing

New York is the most worker-friendly state on biometric clocks because it does not just regulate the practice. It largely prohibits it.

New York Labor Law section 201-a

Section 201-a of the New York Labor Law makes it unlawful, with narrow exceptions, for an employer to require an employee to be fingerprinted as a condition of employment. The exceptions cover state and city government workers, some financial services positions, certain medical and education roles, and jobs that require state-mandated background checks.

For most private-sector workers in New York, an employer cannot simply install a fingerprint clock and require everyone to enroll. The SHIELD Act layers on data-security obligations for any biometric records the employer does hold.

California, Colorado, and the newer privacy laws

California’s CPRA classifies biometric information as “sensitive personal information,” giving employees disclosure and limit-use rights but not a specific workplace clock-in ban. Colorado, Connecticut, Maryland, Tennessee, and Oregon have passed comprehensive privacy laws since 2021 that touch biometrics. Coverage of employee data under those laws is uneven and worth checking before relying on it.

The Lawsuits That Made Employers Pay Attention

Statutes only matter if they get enforced. The dollar figures below show what enforcement has actually produced.

  • Patel v. Facebook ($650 million, 2021): Not a time clock case, but the largest BIPA settlement on record. Meta’s tag-suggestion facial recognition feature was found to violate BIPA’s notice and consent rules. (See the ABA’s writeup.)
  • Six Flags ($36 million): Season-pass fingerprinting at the entrance gate, settled after the Rosenbach ruling cleared the path.
  • Speedway ($12.1 million, final approval October 2025): Fingerprint clock-in for retail and gas station employees.
  • Cothron v. White Castle ($9.4 million): Fingerprint clock-in case that produced the per-scan ruling later softened by SB 2979.
  • Epay Systems ($1.53 million): Biometric timekeeping vendor sued alongside its employer clients.
  • Accu-Time Systems ($1.5 million): Finger-scan time clock vendor; payout went to affected Illinois workers.
  • Consol Energy (about $586,000): Not a BIPA case at all. The Fourth Circuit upheld a Title VII verdict for an evangelical Christian coal miner who refused a biometric hand scanner on religious grounds. The EEOC’s press release walks through the facts.

That last case is worth re-reading. It says nothing about Illinois, fingerprints, or BIPA. It says an employer that refuses to provide an alternative timekeeping method when an employee has a sincerely held religious objection can lose a six-figure verdict under federal anti-discrimination law in any state.

Your Rights as an Employee

If you are reading this because your employer just rolled out a biometric clock, here is the practical checklist.

You are entitled to written notice

In Illinois, Texas, and Washington, the law requires the employer to tell you in writing what is being collected, why, and how long they will keep it. In Illinois, you also have to sign a release before any scan happens. If you have not signed anything and the clock is collecting your fingerprint or face geometry, the employer is likely out of compliance.

You may have the right to refuse

In New York, the answer is usually yes, unless your role falls into one of the narrow statutory exceptions. In Illinois, you can refuse to sign the BIPA release. Your employer may then assign you a non-biometric clock-in method, or in some roles, take adverse action. Whether that adverse action is lawful depends on the role and the contract.

Religious and disability accommodations apply everywhere

Title VII requires employers to reasonably accommodate sincerely held religious beliefs. The ADA requires accommodation of disabilities, including conditions that prevent reliable biometric capture (missing fingers, scarring, certain skin conditions). The Consol Energy verdict shows what happens when an employer refuses a religious accommodation on a hand scanner.

If a fingerprint or face scan conflicts with your religion or your medical situation, you can ask for an alternative timekeeping method in any state.

What to do if your employer is not following the rules

The path depends on your state:

  • Illinois: Consult a plaintiff-side employment attorney about a private BIPA claim.
  • Texas: File a consumer complaint with the Texas Attorney General.
  • Washington: File with the Washington Attorney General’s consumer protection division.
  • New York: Contact the New York Department of Labor, and a private attorney for section 201-a issues.
  • Anywhere: A Title VII or ADA accommodation issue goes to the EEOC.

Before doing any of that, request a copy of every biometric notice, consent form, and retention policy the employer has on file for you. If those documents do not exist, that is itself the story.

Alternatives: Keep Your Own Hours Without Giving Up Your Biometrics

Biometric clocks are rarely the only option, and they are rarely the cheapest. Standard alternatives include:

  • PIN-based clocks: Each employee gets a numeric code. No biometric capture.
  • Badge swipe: Magnetic stripe or RFID card; the card identifies the employee, no body data leaves the floor.
  • Mobile clock-in apps: Employee opens an app on their phone, taps in and out. Some include geofenced GPS to confirm location without storing a face or fingerprint.
  • Paper timesheets: Still legal, still works, still the default in many small businesses.

Workers can also keep an independent personal log. Even if your employer uses a biometric clock you cannot refuse, having your own record protects you if the employer’s data is lost, the vendor changes, or your hours are disputed.

A worker-controlled time tracker like Timeclock44 fills that gap. It lives on your phone, requires no account, captures no biometrics, and exports the log to PDF or CSV if you ever need to show payroll, the DOL, or your attorney exactly when you clocked in and out. For people who refuse to enroll in the employer’s biometric system (in New York or anywhere with a religious or medical accommodation), a personal record is the simplest backup. Browse the Timeclock44 tools hub for related calculators like overtime and paycheck math, or check the blog for related labor-law explainers.

How Biometric Time Clock Rules Compare Across States

| State | Statute | Private right of action? | Key requirement | Penalty cap |
|---|---|---|---|---|
| Illinois | BIPA (740 ILCS 14) | Yes | Written notice + signed release before capture | $1,000 negligent / $5,000 intentional, per violation |
| Texas | CUBI (sec. 503.001) | No, AG only | Informed consent before capture | Up to $25,000 per violation |
| Washington | RCW 19.375 | No, AG only | Notice and consent for commercial enrollment | AG-set civil penalty |
| New York | Labor Law sec. 201-a | Limited | Cannot require fingerprinting (narrow exceptions) | Labor-law civil penalties |
| California | CPRA | Limited (data-breach only) | Treat biometric data as sensitive PI | Up to $7,500 per intentional violation (CPPA) |
| Most other states | None specific | No | General privacy and contract law | Varies |

State law changes constantly. Verify the current text of the statute before relying on this summary for a real dispute.

Frequently Asked Questions

Can my employer require me to use a fingerprint or face scan to clock in?

In most U.S. states, yes, provided they meet state notice and consent requirements. New York is the major exception: NY Labor Law section 201-a generally prohibits employers from requiring fingerprinting as a condition of employment. Illinois allows it but only with written notice and a signed release.

What is BIPA and why does it matter for time clocks?

The Illinois Biometric Information Privacy Act (740 ILCS 14) requires employers to give written notice, explain purpose, and obtain written consent before collecting fingerprints, face geometry, voiceprints, or iris and retina scans. It is the only U.S. state biometric law with a private right of action, meaning employees can sue directly.

How much can an employer be fined for a BIPA violation?

Statutory damages are $1,000 per negligent violation and $5,000 per intentional or reckless violation, plus attorneys’ fees. After the August 2024 amendment (SB 2979), repeated collections from the same person by the same method count as one violation rather than per-scan.

Can I refuse to use a biometric time clock at work?

It depends on the state and the reason. In New York, you generally can. In Illinois, you can refuse to sign the BIPA release, but the employer may then assign you a different timekeeping method or take adverse action depending on the role. Religious-belief and disability-based refusals are protected under Title VII and the ADA in every state.

Are facial recognition time clocks treated differently from fingerprints?

No. BIPA, CUBI, and Washington’s RCW 19.375 all cover scans of face geometry alongside fingerprints. Face scans are treated as biometric identifiers under each statute.

What were the biggest biometric time clock lawsuits?

Facebook’s facial-recognition tag-suggestion settlement was $650 million (the largest BIPA case to date, not a time clock). Among workplace clock-in cases: Speedway $12.1M, White Castle $9.4M, Six Flags $36M, Epay Systems $1.53M, Accu-Time $1.5M.

What should an employer’s biometric consent form include?

At minimum: a clear description of what biometric data is being collected (fingerprint, face geometry, etc.), the specific purpose (time and attendance), the retention period, the destruction schedule, the employee’s signature, and (in Illinois) a written disclosure that the data may be shared with vendors who run the clock.

Are there time clock alternatives that don’t use biometrics?

Yes. PIN and badge clocks, mobile clock-in apps, geofenced GPS punches, and paper timesheets are all standard. Workers can also keep an independent personal log on their phone (such as Timeclock44) so they always have their own record of hours, regardless of the employer’s system.

References

  1. Illinois BIPA full text (740 ILCS 14) - Statute text from the Illinois General Assembly.
  2. Texas CUBI, Tex. Bus. & Com. Code section 503.001 - Codified Texas biometric statute.
  3. Texas Attorney General: Biometric Identifier Act - State enforcement page and complaint form.
  4. EEOC: Consol Energy religious-accommodation verdict - Federal verdict on Title VII and biometric hand scanners.
  5. Paul Hastings: Seventh Circuit confirms BIPA amendment retroactive - 2026 appellate analysis of SB 2979.
  6. Davis Wright Tremaine: Illinois BIPA amended (SB 2979) - Plain-English breakdown of the 2024 amendment.
  7. Duane Morris: Speedway $12.1M BIPA settlement - Court approval of the Speedway fingerprint clock settlement.
  8. Epstein Becker Green: NY and other state biometrics in the workplace - Survey of state workplace biometric rules.
  9. Littler: EEOC wearable-tech fact sheet (2024) - Federal agency view on biometric collection at work.
