Job Doc

What’s the legality on biometric data at work? Elaine Varelas explores finger-scanning timeclocks during COVID-19

At a time when many are avoiding touching other people, one company wants to make the change to fingerprint scanners. Elaine Varelas, with the advice of Attorney Jody Kahn Mason, explores the legality of biometric data in the workplace.

Ask the Job Doc.

Q: Everyone is worried about touching things during COVID and being too close to people, but I am worried about what my company is doing, supposedly so that we don’t have to touch time cards or who knows what else. They are moving into having us scan our fingers when we come to work. Is this legal?

A: You ask a very interesting and timely question, so I consulted Attorney Jody Kahn Mason of Jackson Lewis’s Chicago, IL office. Attorney Mason is an expert on the Illinois Biometric Information Privacy Act (“BIPA,” or the “Act”). These activities are legal, and highly regulated.

Biometrics are body measurements used as identification or to provide access to technology or space. You may have seen these tools in futuristic spy shows, where eye scans provide access to private areas instead of keys, codes, or login entries. These tools are already in use today.

The BIPA, which became effective in 2008, provides “technical mandates to the collection, storage, use, and destruction of biometric data.” The use of biometrics by businesses has increased dramatically as this technology has become less expensive. Businesses use biometrics for time management (e.g., requiring employees to scan a finger or hand to clock in and out each day), security access, and safety. The Act defines “biometric identifiers” and “biometric information” to include retina or iris scans, fingerprints, voiceprints, or scans of the hand, or face geometry, regardless of how it is captured, converted, stored, or shared, so long as the information is used to identify an individual.

Attorney Mason reports that Illinois businesses have been the target of class action lawsuits alleging violations of the BIPA, which is the most stringent biometric privacy statute in the United States. The BIPA is also the only biometric statute in the United States that allows individuals to file lawsuits directly against companies based on alleged violations of the Act.


Although the BIPA has been the law in Illinois for more than a decade, many businesses began to use biometric systems – most frequently biometric time clocks – without any awareness of the law’s requirements.

Because the Act provides for significant damages, companies should take immediate steps to comply with the Act, and should evaluate any timekeeping, security, point of sale, or other systems that may collect or use biometric information.

Feel free to ask your manager or HR person if they are aware of the complexities of this law, especially about informing employees of the process and storage of this personal information.
