What is Employee Biometric Consent?
The Employee Biometric Consent option in Fingercheck offers employees a signable digital consent form explaining how Fingercheck clocks collect their biometric data for timekeeping purposes. This consent option is useful in U.S. states with legislation on collecting biometric data, such as fingerprints or facial information, before it can be used.
If your company uses biometric clocks within a state that implements biometric consent laws, we have a form that employees can sign when they log in to their self-service accounts.
Enabling employee biometric consent
Log in to your Fingercheck account.
Click the SETUP tab > Company > Clock Management.
If you have a biometric clock, you'll see a line for it on this screen.
Click the Edit icon (pencil) to edit the clock.
Select the Show Employee Biometric Consent checkbox.
Click Save.
With this option enabled, the next time your employees log in using their Fingercheck Self-Service accounts, they'll be shown a consent form, which they can sign or dismiss.
Some states may require consent before using biometric data. If you're in one of those states, Fingercheck has you covered by requiring that the employee sign the agreement form.
What if I have an employee who doesn't want to consent?
The server will reject any punches for an employee who does not consent to the storage of their biometric data. As a result, the server will not receive their punch data, which is obviously a problem.
Below are some alternative methods by which an employee can punch in and out using Fingercheck.
If the employee has a smartphone, they can punch in using the Fingercheck Mobile App.
If the employee does not have a smartphone, they can still punch in by using the website or via SMS Text.
For information about our privacy policy as it pertains to the collection of biometric data, click here.
What are the states that require consent?
As of 12/2024, three states have passed legislation regarding biometric consent, collection, and data storage.
The Biometric Information Privacy Act (BIPA) mandates that private companies must notify individuals in writing when they collect or store their biometric data. In February 2023, the Illinois Supreme Court ruled that claims under BIPA arise for each scan or transmission of an individual's biometric information.
The Capture or Use of Biometric Identifier (CUBI) Act prohibits the collection of an individual's biometric identifiers for commercial purposes without their consent.
The My Health My Data Act (MHMDA) is a privacy bill that complements the Health Insurance Portability and Accountability Act (HIPAA). It limits the gathering, processing, and sharing of health data for consumers in Washington. The MHMDA became effective for "regulated entities" on March 31, 2024, and later for "small businesses."
Illinois (Biometric Information Privacy Act - BIPA)
Consent Requirement: Employers must obtain written, informed consent from employees before collecting biometric data.
Additional Requirements:
Provide a written policy outlining the purpose and duration of data storage.
Avoid disclosing biometric data without the individual’s consent unless required by law.
Penalties: Individuals can sue for violations, with damages ranging from $1,000 to $5,000 per violation.
Texas (Capture or Use of Biometric Identifier Act - CUBI)
Consent Requirement: Informed consent is required before collecting biometric data.
Additional Requirements:
Prohibit selling or disclosing biometric data except under certain conditions.
Mandate secure storage and destruction policies.
Penalties: Civil penalties are enforceable by the Attorney General.
Washington (Biometric Privacy Law)
Consent Requirement: Consent is required for biometric data collection unless it's part of a security system.
Additional Requirements: Similar to Texas, it restricts disclosure and mandates reasonable care in data handling.
Penalties: Violations are enforceable by the Attorney General.
California (California Consumer Privacy Act - CCPA)
Consent Requirement: While not specific to biometric data, the CCPA considers biometric information as personal data and requires notice and opt-out options for certain uses.
Additional Requirements: Employers must disclose data collection practices in privacy notices.
Penalties: Civil penalties and private rights of action for data breaches.
New York City (Biometric Identifier Information Law)
Consent Requirement: Businesses must post clear notices if they collect biometric information (applies to employees in NYC).
Additional Requirements: Prohibits the sale of biometric data.
Penalties: Fines and private lawsuits for violations.
Emerging Legislation
Other states like Arkansas, Virginia, and Colorado have introduced or enacted data privacy laws that include biometric data provisions. However, the specifics around employment are less detailed compared to Illinois, Texas, and Washington.
For compliance, employers should:
Obtain written consent.
Provide clear policies and notices.
Securely store and handle biometric data.
Periodically review state-specific laws to ensure adherence.
This information is not intended to serve as legal or tax advice and is provided as a courtesy; it is subject to change. We try to keep the information in this article current, but new laws may go into effect.