Self-Assessment
Biometric Privacy Risk Diagnostic for Multi-State Employers
Score your organization's biometric privacy litigation and regulatory risk across state jurisdictions in 10 questions.
This 10-question diagnostic helps HR leaders, compliance officers and operations directors classify their organization's biometric privacy risk before or during a time clock deployment. Each question probes a specific exposure dimension, from state operating footprint to consent documentation to vendor agreements. Published by EasyClocking by WorkEasy Software, the assessment produces a risk archetype that maps to a prioritized action checklist so you know where to focus counsel and remediation resources first.
4 minutes · 10 questions · 0 to 30 points
Methodology: Questions are weighted across three primary risk signals: state operating footprint, consent infrastructure status and vendor data-processing agreement status. Point values are lowest for the highest-exposure answers (operating in the states with the strongest statutes, no consent documentation) and highest for a compliant posture. The four result archetypes reflect the actual litigation landscape, in which consent-infrastructure gaps drive the majority of filed class actions.
Download a print-and-fill worksheet version
The Assessment
For each question, pick the answer that best describes your organization today and note its points. Add up your points as you go. Your total maps to a result band below.
1. Does your organization operate in any state with an active biometric privacy statute that includes a private right of action or regulatory enforcement mechanism (for example, Illinois, Texas, Washington or New York)?
State footprint is the foundational risk signal; operating in states with biometric statutes creates baseline exposure regardless of other controls.
- Yes, we operate in Illinois plus at least one other state with a biometric privacy statute. (0 pts)
- Yes, we operate in Illinois only, or in two or more non-Illinois biometric-statute states. (1 pt)
- Yes, but in only one non-Illinois biometric-statute state. (2 pts)
- No, none of our operating locations are in states with biometric privacy statutes. (3 pts)
2. Does your organization collect written, informed consent from every employee before enrolling their biometric data (fingerprint, facial geometry or other identifier)?
Consent-infrastructure status is the highest-weight compliance input; absent consent documentation is the most common trigger for class-action filings.
- No, we do not have a written consent process in place. (0 pts)
- We have a general employment agreement that mentions biometric data but no standalone consent form.
Score Yourself
Add up the points from every answer. Your total falls between 0 and 30. Find your band below.
- 0 to 8 points
Critical Exposure
Your organization has material gaps across multiple risk dimensions. Missing consent documentation, absent vendor agreements or unresolved prior incidents place you in the archetype most associated with active class-action filing risk. Deploying or continuing biometric data collection in this posture exposes the organization to per-violation statutory damages and regulatory enforcement.
Next step: Pause any biometric deployment and engage qualified legal counsel for a jurisdiction-by-jurisdiction compliance audit before collecting or continuing to collect biometric data.
- 9 to 15 points
Elevated Exposure
Your organization has addressed some compliance fundamentals but carries significant gaps in consent infrastructure, vendor contracting or both. Operating in multiple biometric-statute states without complete documentation elevates your risk beyond what informal controls can manage. Litigation exposure is not theoretical at this level; it is a function of time and complainant awareness.
Next step: Prioritize closing your consent-documentation and vendor-DPA gaps with legal counsel within 60 days, and do not expand biometric enrollment to new locations until both are remediated.
- 16 to 23 points
Moderate Exposure
Your organization has foundational controls in place, such as a consent form and some form of vendor agreement, but specific criteria fall short of what biometric privacy statutes require. Common gaps at this level include consent forms that omit the retention schedule, DPAs that lack destruction-on-termination clauses, or security audits that have lapsed. These gaps are individually remediable but collectively create defensibility risk.
Next step: Review each criterion where you scored lowest, update consent forms to include the specific identifier, purpose and retention timeline, and schedule your next security audit within 90 days.
What to Do Next
Biometric privacy compliance is not a one-time checkbox. It is an ongoing obligation that changes as your organization adds locations, employees and jurisdictions. EasyClocking by WorkEasy Software publishes this diagnostic to help HR, compliance and operations leaders identify where their exposure is highest and where to direct remediation resources first. For a deeper look at how EasyClocking by WorkEasy Software supports compliant biometric deployments with encrypted templates, consent-capture workflows and configurable retention controls, visit the biometric compliance resources on easyclocking.com.
- Multi-State Biometric Rollout Readiness Assessment
- Biometric Consent Policy Grader
- Biometric Time Clock ROI Calculator