Nowadays, practically every big-box store has a small black scanner bolted next to the time clock if you walk into the break room. Workers touch it with their thumbs, wait for a beep, and then go to the ground. Perhaps two seconds pass. Nowadays, nobody gives it a second thought. That’s precisely the issue.
For many years, biometric time clocks were marketed to retailers as the clear improvement—no more lost ID cards, buddy punching, or disagreements over who showed up for a shift. The pitch made sense. The theory was that fingerprints are not as easily stolen as swipe cards. It appears that a fundamental legal question was overlooked in that sales conversation: what happens if you take a permanent piece of someone’s body without properly informing them, store it improperly, or keep it for too long?
Illinois was the first to respond to that query, and she did so loudly. Before plaintiffs’ lawyers realized what they had, the state’s Biometric Information Privacy Act, which was passed in 2008, was largely ignored for ten years. A technical infraction, such as not obtaining written consent before scanning a fingerprint, is sufficient to bring a lawsuit under BIPA; proof of actual harm is not required. For each infraction, statutory damages range from $1,000 to $5,000. The math quickly becomes frightening when you multiply that by the thousands of workers who clock in every day. Retailers with hourly workers and high employee turnover—exactly the companies that embraced biometric clocks the quickest—became the most vulnerable.
It’s important to consider why retail in particular fell victim to this trap. Because the workforces in warehouses and stores are large, temporary, and frequently unionized or close to it, class actions quickly come together when one employee raises an issue. One non-compliant fingerprint system operating in hundreds of locations can result in liability that far outweighs the anticipated cost savings from the technology. Some businesses seem to have put these systems in place without ever having a legal representative review the consent language, viewing it more as an HR procurement decision than a data-privacy one.
Since then, other states have adopted Illinois’s strategy, albeit with weaker teeth. Several states are considering their own biometric laws this year, including Texas and Washington. The EU AI Act, which has been in full effect since August 2026, outright prohibits some biometric uses rather than merely regulating them. In the meantime, the regulatory climate in Europe has hardened even more. That’s a completely different stance, and it’s easy to see American lawmakers eventually adopting it.
Observing this unfold, it’s remarkable how preventable the majority of it has been. The solution is simple: a public retention schedule, written notice, written consent, and a true deletion policy after an employee departs. Businesses that did this from the beginning have largely avoided legal action. The people who are currently facing eight-figure settlements usually skipped a step somewhere, usually the dull, unglamorous paperwork portion that no one wanted to own.
Biometric timekeeping is still very useful. Accuracy increases, payroll disputes decrease, and fraud decreases. That is all undeniable. However, the technology was never truly the dangerous aspect. In 2026, it is becoming increasingly costly to ignore the risk that existed between what the scanner could do and what the company bothered to tell people about it.
