Biometric Timeclocks in the United States - FAQs

What are biometrics?

In general, biometrics are physiological and behavior characteristics that can be used to identify individuals (and to verify their identity). Biometrics generally include, among other things, fingerprints, hand prints, retinal scans, iris scans, facial geometry, and voice prints.

What biometric data is collected, stored, and used when employees sign in and out via timeclocks with a biometric clock, or biometric attachment?

ADP’s biometric timeclocks or biometric timeclock attachments do not collect, store, or use actual fingerprints. Instead, during the enrollment process, the timeclock attachment scans the employee’s fingertip, and stores and uses an encrypted mathematical representation of that fingertip.

Are there compliance considerations to be aware of related to biometric timeclocks or biometric timeclock attachments?

Yes. In some states in the U.S., laws exist that regulate the collection, use, and disclosure of certain biometric identifiers and biometric information, which potentially may apply to biometric data used in biometric timeclocks or biometric timeclock attachments. Those state laws are in the process of being interpreted and applied by the courts, and their scope is not yet clear.

Although the legal impact of these laws on ADP’s biometric timeclocks or biometric timeclock attachments has not yet been resolved, ADP is sharing information with its clients that may be helpful to their efforts to ensure that they are complying with applicable laws.

Can a client use biometric clocks in some locations, but not others?

Yes, biometrics can be used at some client locations and not at others. Depending on which model clock a client has, the same clock may be able to be used without the biometric reader, if the reader is disabled. Other clocks may not be able to function properly without the use of biometric scans and may need to be replaced.

What states have laws affecting the use of biometrics?¹

The following is a non-exhaustive list of states that regulate the use of biometric technology in ways that may impact the technology used by employee timeclocks.

Illinois

The Illinois Biometric Information Privacy Act (740 ILCS § 14/1, et seq.) requires that companies make disclosures and obtain a written release before collecting and storing biometric identifiers and information. It also imposes requirements on how biometric identifiers and information may be stored and used, and when they must be destroyed.

Increase in class-action lawsuits filed under Illinois Biometric Information Privacy Act

Employers using timeclocks that use employee finger or hand scanning technology to clock in and out may have heard about a recent surge of class action lawsuits asserting that such technologies are covered by the Illinois Biometric Information Privacy Act (“BIPA” or the “Act”).

Since July 2017, more than 30 such lawsuits have been filed against employers operating in Illinois. These cases generally allege that employers violated BIPA by failing to obtain written releases signed by their employees before collecting, storing and using biometric identifiers and information; as well as failing to make disclosures and have certain policies related to the use and storage of biometric identifiers and information.

While these cases include employers who use finger and hand scan timeclocks, courts have yet to resolve whether the finger and hand scan technology involve the collection, use or storage of “biometric identifiers” or “biometric information,” as those terms are defined in the statute.

At the time of writing of this article, no court has yet held that BIPA applies to the use of such timeclocks. Further, it is not clear whether a plaintiff (e.g. an employee) must have suffered actual injury in order to pursue a claim, or whether a technical violation of the statute, without an injury to the plaintiff, is sufficient.

New York

Under New York law (New York State Labor Law Section 201-a), except as otherwise provided by law, no person, as a condition of securing employment or of continuing employment, shall be required to be fingerprinted.

Texas

Texas law (Tex. Bus. & Com. Code Ann. §503.001) requires that companies obtain consent before collecting biometric identifiers. It also imposes specific requirements on how such biometric identifiers may be stored, used and when it must be destroyed.

Washington

Washington law (R.C.W. §§ 19.001.001 et seq.)² requires notice and consent before biometric information may be collected in certain circumstances, and also imposes requirements related to the storage and maintenance of the information.

Who is responsible for compliance with these laws?

The client is responsible for compliance with all laws applicable to its business and is advised to consult with its internal or external legal advisors to determine if or how these laws apply to the client’s use of ADP’s products, including biometric timeclocks or biometric timeclock attachments, in the client’s interactions with its employees. Among other things, the client potentially may have disclosure and consent requirements relating to one or more biometric privacy laws. ADP maintains its own internal policies to maintain compliance with biometric privacy laws, to the extent that they potentially may apply to biometric data collected by ADP’s clients and transmitted to ADP.

What does ADP do to assist Clients with compliance with biometrics laws?

As a courtesy, ADP is providing a Sample Biometrics Policy and Consent Form to its clients. These documents are intended as a starting point for clients to discuss and adapt to their unique situation, in consultation with their own legal advisors. ADP IS NOT A LAW FIRM AND DOES NOT PROVIDE LEGAL ADVICE. CLIENTS ARE ADVISED TO REVIEW THESE DOCUMENTS WITH THEIR OWN LEGAL ADVISORS BEFORE RELYING ON THESE TEMPLATE DOCUMENTS.

What if the client is threatening legal action or asking questions about how ADP will respond to lawsuits?

For all inquiries of this nature, please contact the ADP Legal Department as soon as possible.

What is ADP's Biometrics Policy?

You can find that and other useful information on the ADP Online Privacy page.

Employer Takeaways & Best Practices

While it is impossible to predict how courts will interpret the law, and whether the BIPA or similar statutes will be found to apply to the use of timeclocks that use finger scan or similar technology, there are some best practices that employers should consider.

• Review where your operations are located to determine whether any facilities potentially may be subject to regulation on the use of biometric technology.

• Discuss how laws potentially apply to your operations with your legal advisor, and determine the best way for your organization to conduct operations in light of such laws.

• Determine whether, in light of the lawsuits asserting that BIPA applies to the use of finger and hand scan timeclock technologies, it would be advisable to obtain written consent from individuals using such technologies, and to implement a publicly available policy related to the collection, storage, use and retention of any biometric data collected.

• In October 2017, ADP shared a template employee consent and policy with clients using hand or finger scan timeclocks. Review these documents with your legal and/or HR advisors to determine whether they are appropriate for your organization.

• Monitor relevant legal developments, as this area of the law is fluid and unsettled.