BIPA, GDPR, and Biometric Data: What Employers Need to Know
A guide to biometric privacy compliance — which states have laws, what is required, and how to deploy biometric time clocks without legal risk.
Published March 11, 2026 · Last updated: March 2026 · 8 min read
What You Need to Know
- BIPA is the strictest U.S. law: Illinois BIPA requires written consent, data retention policies, and carries penalties of $1,000–$5,000 per violation.
- Templates, not images: Modern biometric clocks convert fingerprints to encrypted mathematical templates — the original image is never stored.
- Penalties are per-violation, per-employee: A 100-employee company with daily violations could face millions in cumulative fines under BIPA.
- 5-step compliance checklist: Written notice, explicit consent, retention schedule, secure storage, and deletion protocol cover most state laws.
- Texas, Washington, and NYC have laws too: Biometric privacy isn’t just Illinois — multiple states and cities have enacted their own requirements.
Biometric time clocks are one of the most effective tools for eliminating buddy punching and improving payroll accuracy. But they collect sensitive data — fingerprints, facial geometry, palm prints — and a growing patchwork of state and international laws governs how that data must be handled. Getting biometric privacy compliance wrong is expensive. Getting it right is straightforward if you understand the requirements.
This guide covers the major biometric privacy laws that affect U.S. employers, what they require in plain language, and how to implement biometric time clocks compliantly.
Illinois BIPA: The Law That Changed Everything
The Illinois Biometric Information Privacy Act (BIPA), enacted in 2008, is the most consequential biometric privacy law in the United States. It is also the only state law that provides a private right of action — meaning individual employees can sue their employer directly for violations, not just file complaints with a state agency.
BIPA requires employers who collect biometric data to:
- Provide written notice before collecting biometric data, informing the individual of the specific purpose and duration of collection.
- Obtain written consent — a signed release from each employee authorizing collection, storage, and use of their biometric data.
- Publish a retention and destruction policy specifying when biometric data will be permanently destroyed (either when the purpose for collection is fulfilled or within 3 years of the individual's last interaction with the company, whichever comes first).
- Prohibit selling, leasing, or profiting from biometric data.
- Protect data using a reasonable standard of care, at least equivalent to how the company protects other confidential information.
The penalties are significant: $1,000 per negligent violation and $5,000 per intentional or reckless violation. In class-action lawsuits, these numbers multiply rapidly. Facebook (now Meta) settled a BIPA class action for $650 million in 2021. BNSF Railway was hit with a $228 million jury verdict in 2022 for scanning truck drivers' fingerprints without consent. These are not theoretical risks.
Other State Biometric Privacy Laws
Illinois is not alone, though it remains the most aggressive. As of early 2026, the following states have enacted biometric privacy legislation:
- Texas — The Capture or Use of Biometric Identifier Act (CUBI) requires consent before collection and restricts sale of biometric data. Enforcement is through the state attorney general, not private lawsuits. Penalties up to $25,000 per violation.
- Washington — RCW 19.375 prohibits enrollment of biometric identifiers in a database for commercial purposes without consent. No private right of action; enforced by the attorney general.
- New York City — Local Law 3 of 2021 requires commercial establishments to post clear signage if biometric technology is in use. Violations carry fines of $500 for the first offense and $5,000 for subsequent offenses.
- Maryland, Arkansas, Colorado, Virginia, Connecticut — These states have broader consumer privacy laws that include biometric data protections, though they are not biometric-specific statutes.
The trend is clear: more states are enacting biometric privacy protections, and the requirements are converging around notice, consent, and data retention limits. Even if your state does not currently have a biometric privacy law, building compliant practices now is good risk management.
GDPR and International Considerations
If you have any employees in the European Union or United Kingdom, the General Data Protection Regulation (GDPR) classifies biometric data as a "special category" of personal data with the highest level of protection. Under GDPR, processing biometric data for time tracking requires:
- A lawful basis for processing (typically explicit consent or necessity for employment obligations)
- A Data Protection Impact Assessment (DPIA) before deploying biometric systems
- Strict data minimization — collect only what is necessary
- Clear retention limits and right-to-erasure compliance
For most EasyClocking customers — U.S.-based manufacturers, contractors, and warehouse operators — GDPR is not directly relevant. But if you have operations in Europe or employ EU nationals, consult a privacy attorney before deploying biometric systems internationally.
How to Deploy Biometric Time Clocks Compliantly
Compliance with biometric privacy laws is not complicated — it just requires intentionality. Here is a practical checklist:
1. Create a Biometric Data Policy
Before you power on a single device, draft a written policy that covers: what biometric data you collect, why you collect it, how it is stored, who has access, when it will be destroyed, and your security measures. This document should be accessible to all employees.
2. Get Written Consent
Create a consent form that clearly describes the biometric data being collected (e.g., "fingerprint template" or "facial geometry map"), the purpose (employee time and attendance), and the retention period. Have every employee sign it before their first biometric enrollment. In Illinois, this is legally required. Everywhere else, it is best practice.
3. Understand What Is Stored vs. What Is Captured
This is a critical distinction that alleviates many employee concerns. Modern biometric time clocks — including the EasyClocking biometric series — do not store actual fingerprint images or photographs. They convert the biometric scan into a mathematical template (a string of numbers) that cannot be reverse-engineered back into a fingerprint or face image. If your database were breached, an attacker could not reconstruct anyone's fingerprint from the stored data.
4. Set Retention and Destruction Timelines
Define when biometric data is deleted. Best practice: destroy biometric templates within 30 days of an employee's separation from the company. Automate this if possible — manual deletion processes are prone to oversight.
5. Secure the Data
Biometric templates should be encrypted at rest and in transit. Access should be limited to system administrators. Your biometric data should receive the same (or greater) security treatment as Social Security numbers, bank account information, and other sensitive employee data.
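Steps 2 and 4 above are the ones that break down when they depend on someone remembering to act, so here is an added example of what an automated version looks like. It is illustrative Python written for this guide, not EasyClocking's code or any vendor's product. It gates enrollment on a signed consent date being on file, computes each template's destruction deadline as the earlier of 30 days after separation (the checklist's best-practice figure) and 3 years after the last interaction (the BIPA outer limit), and runs a destruction pass that returns an audit log. The record layout, field names and sample employees are constructed for the example; a real system would replace them with its own HR and clock data.

```python
"""Consent gate and automated retention job for biometric templates.

Illustrative example only (not EasyClocking code). Policy constants follow
the checklist in the article: destroy 30 days after separation, and never
keep a template more than 3 years past the employee's last interaction.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

SEPARATION_GRACE_DAYS = 30   # best-practice figure from the checklist
MAX_RETENTION_YEARS = 3      # BIPA outer limit on retention


@dataclass
class EmployeeRecord:
    """Constructed record shape; field names are assumptions for this example."""
    employee_id: str
    consent_signed_on: Optional[date]     # None = no signed release on file
    last_interaction: date                # last clock punch or other contact
    separated_on: Optional[date] = None   # None while still employed
    template: Optional[bytes] = None      # encrypted template blob; None once destroyed


def add_years(d: date, years: int) -> date:
    """Add calendar years, clamping Feb 29 to Feb 28 in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def enrollment_allowed(rec: EmployeeRecord, when: date) -> bool:
    """Step 2: a signed consent form must already be on file before enrollment."""
    return rec.consent_signed_on is not None and rec.consent_signed_on <= when


def destruction_deadline(rec: EmployeeRecord) -> date:
    """Step 4: earliest of the 3-year BIPA limit and 30 days after separation."""
    deadline = add_years(rec.last_interaction, MAX_RETENTION_YEARS)
    if rec.separated_on is not None:
        deadline = min(deadline, rec.separated_on + timedelta(days=SEPARATION_GRACE_DAYS))
    return deadline


def run_destruction_job(records: List[EmployeeRecord], today: date) -> List[Tuple[str, date, str]]:
    """Destroy every overdue template in place; return (id, deadline, action) audit rows."""
    audit = []
    for rec in records:
        if rec.template is None:          # never enrolled, or already destroyed
            continue
        deadline = destruction_deadline(rec)
        if today >= deadline:
            rec.template = None           # destruction = removal of the stored template
            audit.append((rec.employee_id, deadline, "destroyed"))
        else:
            audit.append((rec.employee_id, deadline, "retained"))
    return audit


def sample_records() -> List[EmployeeRecord]:
    """Constructed sample data covering the cases the policy must handle."""
    blob = b"<encrypted-template>"  # placeholder; real templates are vendor binary blobs
    return [
        # Active employee, recent punch: retained.
        EmployeeRecord("E001", date(2023, 1, 10), date(2026, 3, 10), None, blob),
        # Separated more than 30 days ago: destroyed by the separation rule.
        EmployeeRecord("E002", date(2024, 5, 1), date(2026, 1, 30), date(2026, 1, 30), blob),
        # Still on the books but no interaction for 3+ years: destroyed by the BIPA limit.
        EmployeeRecord("E003", date(2022, 11, 15), date(2022, 12, 1), None, blob),
        # No consent on file: must not be enrolled at all.
        EmployeeRecord("E004", None, date(2026, 3, 11), None, None),
        # Separated 19 days ago: still inside the 30-day window, retained for now.
        EmployeeRecord("E005", date(2025, 8, 1), date(2026, 2, 20), date(2026, 2, 20), blob),
    ]


if __name__ == "__main__":
    today = date(2026, 3, 11)
    recs = sample_records()
    for r in recs:
        print(r.employee_id, "enrollment allowed:", enrollment_allowed(r, today))
    for row in run_destruction_job(recs, today):
        print(*row)
```

Two design points worth keeping when adapting this: the job is idempotent (a record whose template is already gone is skipped, so it can run nightly), and the audit rows are what you would file to show a regulator or plaintiff's counsel that destruction happened on the date the policy promised.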
What Vendors Should Provide
When evaluating biometric time clock vendors, ask specifically about compliance support. A good vendor should provide:
- Template consent forms and biometric data policies (customizable for your state)
- Documentation of their template-based storage approach (not raw biometric images)
- Encryption standards for data at rest and in transit
- Automated data destruction tools for terminated employees
- Clear data processing agreements if biometric data is stored in the cloud
EasyClocking provides all of the above. Larger enterprise vendors like UKG and ADP also have robust compliance frameworks, though they are typically priced for larger organizations. Smaller competitors may lack dedicated compliance documentation — always ask before you buy.
What This Means for Your Business
Biometric privacy law should not scare you away from biometric time clocks — the benefits of eliminating buddy punching, improving payroll accuracy, and streamlining compliance are too significant. But it does mean you need to deploy them deliberately, with proper notice, consent, and data handling practices in place from day one.
If you are in Illinois, take BIPA seriously — the penalties are real and the plaintiff's bar is active. If you are in any other state, adopt Illinois-level compliance practices anyway. The legal landscape is only moving in one direction, and building the right habits now is far cheaper than retrofitting them after a violation.
Not sure where your compliance posture stands? Our time tracking gap assessment includes a compliance dimension that benchmarks your practices against industry standards. And if you want to talk specifics about deploying biometric clocks in a BIPA state, our team can walk you through it.