Learn how biometric data at work affects security, privacy, and employee rights: whether an employer can collect fingerprints, the legal issues around employer use of facial recognition, Illinois BIPA employee rights, remedies for biometric data misuse, and practical steps under workplace biometric privacy law to document, demand policies, and protect yourself before you sign.

Estimated reading time: 16 minutes
Key Takeaways
Biometric data at work can improve security and convenience, but strict workplace biometric privacy law requirements apply, especially in states with dedicated statutes.
Illinois BIPA employee rights are among the strongest in the country, including written notice, informed consent, secure storage, timely destruction, and a private right to sue.
Employers can and often do collect biometrics such as fingerprints and facial scans for timekeeping and access control, but they must follow notice/consent and retention rules where state law imposes them.
If your data is mishandled, document everything, request policies in writing, file an internal complaint, and consider legal action under BIPA where available.
Facial recognition can be legal for employers, but it raises higher risks of bias and misuse; employers should use least-invasive tools, audit for accuracy, and offer alternatives.
Table of Contents
Introduction
What types of biometric data can employers collect?
Legal framework governing workplace biometric data
Illinois BIPA employee rights (and how they work in practice)
Facial recognition and employer use — legal considerations
Challenges and remedies — what to do if your biometric data is misused
Common violations & legal precedents (short examples)
Best practices — what employers should do
Best practices — what employees should do
Resources & links
Conclusion
FAQ
Introduction
Biometric data at work refers to employers collecting unique physical or behavioral traits—like fingerprints and facial features—to identify or authenticate employees.
Companies are adopting biometrics to strengthen security, reduce fraud, speed up timekeeping, and simplify logins. Unlike a password or badge, a fingerprint cannot be forgotten, lent to a coworker, or left on a desk, so these tools promise a lower risk of impersonation along with better convenience. Industry sources describe biometrics as increasingly common for identity verification and access management in modern workplaces, driven by accuracy and usability gains in modalities such as fingerprints and facial scans and by improvements in template formats and matching algorithms; see Fraud.com's overview of biometric data and Veridas's primer on what biometric data is and how it works.
At the same time, employees are asking hard questions: Can an employer collect fingerprints? Is facial recognition employer legal? What are my Illinois BIPA employee rights? How long can my employer keep this data, who can they share it with, and how do I challenge misuse?
This guide explains the types of biometrics employers use, the state-by-state legal landscape with a focus on Illinois BIPA, practical steps to protect your privacy, and how to seek remedies if your data is mishandled. For broader workplace surveillance rules (monitoring email, cameras, GPS), see our guide to workplace privacy rights and employer monitoring.
What types of biometric data can employers collect?
Biometric identifiers are unique physiological or behavioral traits used for identification and authentication in the workplace.
Common modalities and use cases include:
Fingerprints. Often used for time clocks and door access. Fingerprint scanners are popular because they are fast and hard to share. They can still misread, especially with worn skin, moisture, or dirt, which can cause false rejects or slowdowns. See definitions and pros/cons discussed by Fraud.com’s biometric data primer and Veridas’s guide to biometric types.
Facial recognition. Used for building entry, computer login, and camera-based timekeeping. Accuracy can vary by lighting and camera angle; bias and disparate error rates are ongoing concerns, particularly for people with darker skin tones or certain facial features, issues highlighted in biometric trend analyses.
Voiceprints. Used in call centers and phone-authentication systems. Voiceprints are convenient for remote access but raise stability and spoofing concerns: your voice changes with illness or age, and a recording of it can be replayed to spoof the system, tradeoffs explained in Veridas's overview.
Iris or retina scans. Employed in high-security environments because of their stability and accuracy. They are relatively rare in ordinary workplaces, as summarized in the World Bank’s ID4D biometric guide.
Hand or palm geometry scans. Used for access control as a fingerprint alternative. Geometry systems can be less sensitive to minor skin changes but still require hygiene and maintenance.
Can an employer collect fingerprints?
Yes. Employers can collect fingerprints in many workplaces for legitimate business purposes such as timekeeping and access control, but collection is subject to state and federal privacy laws, and some states impose specific notice and consent requirements. Fraud.com and Veridas describe the technology; the legal obligations are summarized in the Epstein Becker Green Q&A discussed below.
Whether your employer may scan and store your fingerprint template depends on where you work, what notice/consent you received, how the data is stored, and how long it is kept. In states with specific biometric privacy laws, employers must follow clear rules before collecting any biometric identifier.
Practical example: A retail chain installs fingerprint time clocks at every location to prevent “buddy punching.” Employees sign in and out with a quick touch. If the company fails to give written notice, obtain informed consent, or publish its retention/destruction schedule where required by law, it risks liability for each scan event.
Legal framework governing workplace biometric data
U.S. law is a patchwork—few states have biometric-specific statutes; many rely on general privacy or workplace-monitoring law. Where a dedicated statute exists, it usually applies to private entities that collect or possess biometric identifiers, sets out notice and consent rules, and requires security and retention controls.
In states without a biometric statute, employee protections may come from privacy torts, unfair practices laws, data breach statutes, or general employment law. For a high-level summary of the landscape and employer obligations, see the analysis compiled by Epstein Becker Green in their Expert Q&A on biometrics in the workplace.
Deep dive: Illinois Biometric Information Privacy Act (BIPA). BIPA is the most consequential U.S. biometric privacy law. As summarized by EBG, BIPA "regulates collection, use, storage, and destruction of biometric identifiers." It defines covered identifiers to include "retina or iris scans, fingerprints, voiceprints, and scans of hand or face geometry," and it excludes categories like photographs and certain samples regulated elsewhere. A key feature is a private right of action, meaning individuals can sue companies for violations rather than relying solely on government enforcement, a feature the EBG Law Q&A singles out as unusual.
Employer obligations under BIPA typically include:
Providing written notice that biometric identifiers will be collected or stored, and stating the purpose and length of time for which they will be retained.
Obtaining written, informed consent prior to collection.
Implementing reasonable safeguards for storage and protection, and adopting a publicly available written policy with a destruction schedule triggered when the purpose is fulfilled or within a set period after the employment relationship ends.
Honoring disclosure limits and vendor-management obligations to prevent unauthorized sharing.
Violations carry significant litigation risk, including statutory damages, attorneys’ fees, and injunctive relief. EBG’s summary notes potential liquidated damages commonly cited as $1,000 per negligent violation and $5,000 per intentional or reckless violation, reinforcing why employers must carefully plan any biometric rollout and why employees should watch for red flags in notice, consent, and retention practices, as detailed in the EBG Law guidance.
For general definitions, modalities, and use cases, see the World Bank’s biometric guide and Veridas’s background explainer. These help distinguish raw images from templates and explain why modern systems prefer stored templates over full images for security.
Note: Some employers pair biometric tools with other forms of workplace monitoring (email, apps, GPS). If you are also worried about non-biometric tracking, review our primer on workplace privacy rights and monitoring limits.
Illinois BIPA employee rights (and how they work in practice)
Under BIPA, employees have specific rights: notice, written consent, limitations on storage/use, destruction, and the right to sue.
Advance notice. Before collection, your employer must inform you in writing that it plans to collect or store your biometric identifiers, and it must specify the purpose and retention schedule. A clear notice might read: “We will collect your biometric identifiers (e.g., fingerprints, facial scans) for [purpose]. They will be retained for [X days/months] and will be destroyed when no longer needed.” This aligns with the requirements discussed in the EBG Law analysis.
Written consent. Consent must be obtained before the first scan. A strong consent form typically includes: employee name; description of the specific biometric data collected; the precise purpose (e.g., timekeeping, access control); the retention period; whether data may be shared with identified vendors; and the employee’s signature and date. A sample consent sentence: “I acknowledge that [employer] will collect and store my [identifier] solely for [purpose] and I consent to such collection, storage, and use for [retention period], subject to [employer]’s destruction schedule.”
Data security and storage. Employers should implement technical and administrative controls: encryption in transit and at rest, storage of matching templates rather than raw images, role-based access controls, access logs, and vendor agreements mandating equivalent safeguards. One caveat a security reviewer will raise: a template cannot be protected the way a password is. Two scans of the same finger never match byte for byte, so the system must compare against the stored template itself rather than against a one-way hash of it; the template therefore has to be encrypted with a key the employer controls, not hashed. BIPA requires reasonable care and policies designed to protect against unauthorized disclosure, points reinforced in the EBG Law Q&A.
Destruction policy. Biometric identifiers must be destroyed when the original purpose has been satisfied or within a set time after the employment relationship ends, as defined in the written policy. Secure deletion should follow a media-sanitization standard such as NIST SP 800-88 for digital templates, with physical destruction for paper records. Because templates usually live in databases, cloud storage, and backups where overwriting an individual record is impractical, a common approach is to encrypt each template under its own key and destroy that key on schedule (crypto-shredding), then purge the ciphertext as backups age out. Employers should avoid indefinite retention.
Right to sue and damages. BIPA permits private lawsuits by individuals. Courts can award liquidated damages commonly cited as $1,000 per negligent violation and $5,000 per intentional or reckless violation, plus attorneys’ fees and injunctive relief, as summarized in the EBG Law overview. In some workplaces, each scan could be argued to be a separate violation, which can quickly multiply risk.
If you’re outside Illinois. In states without a biometric statute, your options may be limited to general privacy, data breach, unfair practices, or workplace laws. Some rights exist, but remedies can be narrower and enforcement more difficult, a gap noted in the EBG Law resource. If your biometric data overlaps with health information, learn more about employee medical privacy rights and ADA/HIPAA limits to understand related protections.
Facial recognition and employer use — legal considerations
Is facial recognition employer legal? It can be legal, but in covered states it is subject to the same notice, consent, retention, and security rules, and it faces heightened scrutiny because of invasiveness and the potential for bias and misidentification.
Legal risks. Using facial recognition without BIPA-compliant notice and consent, or without a publicly available retention/destruction schedule, can create liability. Disclosing face templates to vendors without proper agreements and safeguards can also violate the law. These risks and obligations are addressed in the EBG Law Q&A.
Bias and discrimination. If an algorithm misidentifies employees from protected classes more often than others, its use can contribute to discriminatory outcomes (e.g., false flags, discipline, or lost pay). This intersects with broader concerns about algorithmic bias and automated HR tools discussed in our guide on AI hiring discrimination and employee rights.
Reputational and regulatory scrutiny. Facial recognition can be perceived as intrusive surveillance. Misuse or breach may trigger regulatory attention, negative press, and morale problems. Employers must weigh privacy costs against security benefits and consider less-invasive alternatives where possible.
Vendor and contract risk. If a vendor processes your face data, compliance obligations flow downstream. Contracts should mandate notice/consent support, security standards, retention/destruction, audit rights, and breach notification, as recommended in the EBG analysis.
Ethics and privacy vs. security tradeoffs. Biometric access can deter tailgating and speed entry, but it also creates a permanent record of physical traits and movements, and unlike a password or badge, a face or fingerprint cannot be reissued if the template is stolen. Employees often prefer systems that limit scope, store encrypted templates rather than raw images, and provide opt-in/opt-out choices where feasible.
Compliance-first deployment checklist (practical steps).
Conduct a data protection impact assessment to document purpose, alternatives, necessity, and proportionality.
Use least-invasive technology; prefer encrypted templates over raw images and minimize third-party sharing.
Provide robust opt-in consent and, where practical, an alternative like a badge or PIN for those who decline.
Audit for bias and accuracy across demographics; test in varied lighting and angles, and recalibrate regularly.
Maintain access logs, user-level permissions, and a written retention and destruction schedule aligned with law.
If your employer insists on a single mandatory facial-recognition system without alternatives, ask for the written policy, retention schedule, and vendor details. If they cannot provide them, that’s a red flag.
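The "audit for bias and accuracy across demographics" step above is the one most often skipped, because vendors report a single overall accuracy number. The script below is an added example written for this article (it is not code from any vendor or from the article's sources) showing what that audit actually computes: the false reject rate (FRR) and false accept rate (FAR) per cohort at a given accept threshold, and a check for a cohort that is turned away far more often than the best-served one. The match log, the cohort labels, the Attempt field names, and the 0.10 disparity gap are all constructed assumptions; in a real audit the cohort field would come from a voluntary, separately consented survey and be kept apart from the matcher's own data.

```python
"""Audit a face-recognition time clock for disparate error rates by cohort.

Added example for this article, not code from any vendor or from the
article's sources. The match log and cohort labels are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    employee_id: str
    cohort: str     # audit-only demographic label (assumed field name)
    genuine: bool   # True: the enrolled person presented; False: an impostor
    score: float    # matcher similarity in [0, 1]; accept when score >= threshold


# Constructed sample log: five genuine and four impostor presentations per cohort.
SAMPLE_LOG = [
    Attempt("A1", "A", True, 0.92), Attempt("A2", "A", True, 0.88),
    Attempt("A3", "A", True, 0.95), Attempt("A4", "A", True, 0.90),
    Attempt("A5", "A", True, 0.85),
    Attempt("A1", "A", False, 0.30), Attempt("A2", "A", False, 0.45),
    Attempt("A3", "A", False, 0.68), Attempt("A4", "A", False, 0.20),
    Attempt("B1", "B", True, 0.84), Attempt("B2", "B", True, 0.74),
    Attempt("B3", "B", True, 0.91), Attempt("B4", "B", True, 0.66),
    Attempt("B5", "B", True, 0.79),
    Attempt("B1", "B", False, 0.35), Attempt("B2", "B", False, 0.50),
    Attempt("B3", "B", False, 0.72), Attempt("B4", "B", False, 0.25),
]


def error_rates(log: list[Attempt], threshold: float) -> dict[str, tuple[float, float]]:
    """Return {cohort: (FRR, FAR)} at the given accept threshold.

    FRR = genuine presentations rejected / genuine presentations (lost pay,
    locked doors). FAR = impostor presentations accepted / impostor
    presentations (buddy punching, unauthorized entry).
    """
    genuine = defaultdict(lambda: [0, 0])   # cohort -> [rejected, total]
    impostor = defaultdict(lambda: [0, 0])  # cohort -> [accepted, total]
    for a in log:
        accepted = a.score >= threshold
        if a.genuine:
            genuine[a.cohort][0] += int(not accepted)
            genuine[a.cohort][1] += 1
        else:
            impostor[a.cohort][0] += int(accepted)
            impostor[a.cohort][1] += 1
    cohorts = sorted(set(genuine) | set(impostor))
    return {
        c: (
            genuine[c][0] / genuine[c][1] if genuine[c][1] else 0.0,
            impostor[c][0] / impostor[c][1] if impostor[c][1] else 0.0,
        )
        for c in cohorts
    }


def disparity(rates: dict[str, tuple[float, float]], max_gap: float = 0.10) -> list[str]:
    """Cohorts whose FRR exceeds the best-served cohort's FRR by more than max_gap."""
    best = min(frr for frr, _ in rates.values())
    return sorted(c for c, (frr, _) in rates.items() if frr - best > max_gap)


def choose_threshold(log: list[Attempt], target_far: float) -> float:
    """Lowest observed score usable as a threshold whose overall FAR <= target_far.

    A lower threshold means fewer false rejects, so this is the most lenient
    setting that still meets the security target. Meeting an overall FAR
    target does not by itself equalize FRR across cohorts; check disparity().
    """
    impostors = [a.score for a in log if not a.genuine]
    for t in sorted({a.score for a in log}):
        far = sum(s >= t for s in impostors) / len(impostors)
        if far <= target_far:
            return t
    raise ValueError("no threshold meets the FAR target")


def audit(log: list[Attempt], target_far: float, max_gap: float = 0.10) -> dict:
    """Pick a threshold for the FAR target, then report per-cohort rates and flags."""
    t = choose_threshold(log, target_far)
    rates = error_rates(log, t)
    return {"threshold": t, "rates": rates, "flagged": disparity(rates, max_gap)}


if __name__ == "__main__":
    for target in (0.0, 0.125):
        print(audit(SAMPLE_LOG, target))
```

On the constructed log, the threshold that eliminates false accepts (0.74) still rejects one in five genuine presentations from cohort B and none from cohort A, so cohort B is flagged even though the system's overall numbers look fine. That is the pattern an audit has to surface before it becomes discipline or lost pay, and it is why the audit should be repeated across lighting conditions and after any matcher update.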
Challenges and remedies — what to do if your biometric data is misused
If you suspect misuse of your biometric data, follow these concrete steps.
Document what happened. Keep dates and times of scans, device or kiosk names, who instructed you to scan, what you were told about policies, and any screenshots, timecards, or access logs showing biometric prompts.
Save communications and policies. Preserve all emails, HR messages, handbook entries, posted notices, and any consent forms. Back up files to a personal device or paper copy if your access could be revoked.
Request information formally. Email HR asking for (1) what identifiers were collected, (2) the specific purpose, (3) the retention schedule, (4) the destruction method/timeline, and (5) copies of notices and consent forms. Example language: “Please provide the written policy describing your collection, use, storage, and destruction of my biometric identifiers; the purpose for collection; the length of time you will retain my data; and copies of any notices and consent forms I signed.”
File an internal complaint. If the employer cannot produce compliant documents or you never gave written consent, submit a formal complaint and keep proof (email receipts, ticket numbers).
Seek external help. Consult a privacy/employment attorney if you see red flags: no notice or written consent; no retention/destruction policy; broad third-party sharing without contracts; or a data breach involving your template. If a breach occurs, see our guidance on employer data breach notifications and employee rights.
How to sue employer biometric data misuse (Illinois BIPA)
In Illinois, BIPA gives individuals a direct path to court. Plaintiffs commonly seek liquidated damages of $1,000 per negligent violation or $5,000 per intentional or reckless violation, injunctive relief to stop unlawful practices, and attorneys’ fees, as summarized in the EBG Law Q&A.
Evidence to collect. Save any consent forms, written policies, emails, training materials, vendor lists and contracts (if available), device manuals, logs, and witness statements confirming how scans were taken and whether notice/consent occurred before first use.
Class actions. If many employees were scanned under the same noncompliant policy, a class action may be appropriate. Some employers try to route claims to arbitration; review your arbitration documents and see our guide on arbitration agreements and enforceability at work to understand how class-action waivers may apply.
Suggested timeline for escalation. Day 0: Request policies/records from HR. Day 14: If no complete response, file an internal complaint and request a written reply within 30 days. Day 30: If the response is incomplete or noncompliant, consult an attorney about litigation options. Day 60–90: If appropriate, file suit seeking damages and injunctive relief. See EBG’s biometrics legal overview for background.
If your workplace also uses drug or medical testing alongside biometrics, read our state-specific guide to drug testing at work rights to understand related privacy and consent rules.
Common violations & legal precedents (short examples)
Scenario 1: Fingerprint timeclock without consent. A company deploys fingerprint clocks but never gives written notice or collects signatures. Likely violation: failure to provide notice and obtain written informed consent before collection, and potentially no published retention policy. Remedy: employer issues compliant notices, obtains consent, adopts and posts a destruction schedule; employees in Illinois may pursue statutory damages under BIPA. Background principles appear in EBG’s analysis of workplace biometrics.
Scenario 2: Vendor sharing without safeguards. An employer sends fingerprint templates to a timeclock vendor without a contract imposing security and retention standards. Likely violation: unauthorized disclosure and inadequate vendor controls. Remedy: immediate vendor contract addendum mandating security, retention, breach notice, and deletion; employees may have claims, and a breach could trigger duties discussed in our employer data breach notification guide.
Scenario 3: Mandatory facial recognition with no alternative. A business requires face scans for entry and payroll, provides no opt-out, and cannot produce a retention schedule. Risks: BIPA non-compliance and discrimination concerns if error rates vary across protected groups. Remedy: provide a badge/PIN alternative, publish retention/destruction policy, obtain informed consent, and audit for bias as recommended by EBG’s Q&A.
Best practices — what employers should do
Employers can reduce risk and build trust by adopting a clear, compliance-first program.
Write a plain-language biometric policy. State which identifiers you collect (e.g., fingerprints, hand geometry, facial templates), the precise purposes (timekeeping, access control), who has access, and where the data resides. Include a retention schedule and destruction method, and publish it where employees can easily find it.
Obtain written consent before collection. Use a form with employee name, modality collected, purpose, retention period, vendor sharing details, and signature/date. Store signed forms securely and tie them to the onboarding process.
Limit collection and sharing. Choose the least-invasive modality that meets the business need. Consider non-biometric alternatives (badge, PIN) for those who decline. Avoid unnecessary third-party sharing; if sharing is needed, limit scope and duration.
Implement technical safeguards. Encrypt data in transit and at rest, store matching templates instead of raw images (templates must remain decryptable for matching, so protect the keys rather than relying on one-way hashing), enforce role-based access, keep tamper-resistant logs, conduct regular security audits, and require vendors to meet or exceed your standards through contract clauses.
Retention and destruction. Align with BIPA norms: “Biometric identifiers will be retained only as long as needed for timekeeping and access purposes and will be destroyed within 30–90 days after employment termination or when the original purpose is fulfilled.” Confirm legal requirements and tailor timing to your jurisdiction and industry. EBG’s legal guidance emphasizes publishing a schedule and following it consistently.
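The "technical safeguards" and "retention and destruction" items above, like the data-security and destruction-policy paragraphs in the BIPA rights section, leave two practical questions open: why a template is encrypted rather than hashed, and how a posted destruction schedule is actually enforced against data that also sits in backups. The following is an added example written for this article, not code from the article's sources or from any time-clock vendor. It models a template as a short feature vector, shows that two captures of the same finger fail a password-style hash comparison but pass a fuzzy match, and stores each template encrypted under its own per-employee key so that destruction on schedule is a key deletion (crypto-shredding). The cipher is an HMAC-SHA256 counter-mode keystream, a stand-in chosen so the example runs on the standard library alone; it has no integrity tag, so production code should use a vetted AEAD such as AES-GCM and keep keys in a KMS or HSM. The captures, dates, employee IDs, the 90-day window and the TemplateStore API are all constructed assumptions.

```python
"""Encrypted template storage with scheduled destruction by key deletion.

Added example for this article; not from the article's sources or any
vendor. Cipher is an HMAC-SHA256 CTR keystream stand-in (no integrity tag);
use a vetted AEAD and a KMS/HSM in production. All data is constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed stand-ins for a fingerprint feature vector (8 byte-sized features).
# The later capture differs in one feature, as real captures of one finger do.
CAPTURE_ENROLL = [12, 200, 33, 77, 150, 9, 240, 61]
CAPTURE_LATER = [12, 200, 33, 80, 150, 9, 240, 61]


def hash_compare(a: list[int], b: list[int]) -> bool:
    """Password-style comparison: equal only if the captures are byte-identical."""
    return hashlib.sha256(bytes(a)).digest() == hashlib.sha256(bytes(b)).digest()


def template_match(a: bytes, b: bytes, max_distance: int) -> bool:
    """Fuzzy comparison: accept if at most max_distance features differ."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) <= max_distance


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)  # fresh per record; never reused under one key
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class Record:
    ciphertext: bytes
    enrolled_on: date
    terminated_on: date | None = None


class TemplateStore:
    """Per-employee keys in `keys` (stand-in for a KMS); ciphertext in `records`."""

    def __init__(self, retention_days: int):
        self.retention = timedelta(days=retention_days)  # posted post-termination window
        self.keys: dict[str, bytes] = {}
        self.records: dict[str, Record] = {}
        self.audit_log: list[str] = []

    def enroll(self, emp: str, capture: list[int], on: str) -> None:
        self.keys[emp] = secrets.token_bytes(32)
        self.records[emp] = Record(encrypt(self.keys[emp], bytes(capture)), date.fromisoformat(on))
        self.audit_log.append(f"{on} enroll {emp}")

    def verify(self, emp: str, capture: list[int], max_distance: int = 2) -> bool | None:
        """Match decision, or None once the key has been destroyed."""
        key = self.keys.get(emp)
        if key is None:
            return None
        stored = decrypt(key, self.records[emp].ciphertext)
        return template_match(stored, bytes(capture), max_distance)

    def terminate(self, emp: str, on: str) -> None:
        self.records[emp].terminated_on = date.fromisoformat(on)

    def due_for_destruction(self, today: str) -> list[str]:
        """Employees whose retention window has elapsed and whose key still exists."""
        t = date.fromisoformat(today)
        return sorted(emp for emp, r in self.records.items()
                      if r.terminated_on is not None and r.terminated_on + self.retention <= t
                      and emp in self.keys)

    def destroy(self, emp: str, today: str) -> None:
        """Crypto-shred: delete the key; the ciphertext, including backup copies, is now unreadable."""
        del self.keys[emp]
        self.audit_log.append(f"{today} destroy-key {emp}")


def run_demo() -> dict:
    store = TemplateStore(retention_days=90)
    store.enroll("E1", CAPTURE_ENROLL, "2023-06-01")
    store.terminate("E1", "2024-01-10")
    due = store.due_for_destruction("2024-06-01")
    for emp in due:
        store.destroy(emp, "2024-06-01")
    return {"hash_compare": hash_compare(CAPTURE_ENROLL, CAPTURE_LATER),
            "fuzzy_match": template_match(bytes(CAPTURE_ENROLL), bytes(CAPTURE_LATER), 2),
            "due": due, "verify_after_destroy": store.verify("E1", CAPTURE_LATER)}


if __name__ == "__main__":
    print(run_demo())
```

Two design points follow from this. First, because the matcher needs the plaintext template, whoever can read the key can read every enrolled template, so key access is the control to log and restrict, and the destruction entry in the audit log is the evidence that the posted schedule was followed. Second, the ciphertext is left in place on purpose: once the key is gone, copies in backups and replicas become unreadable without having to be located and overwritten individually, which is what makes a 30 to 90 day post-termination deadline achievable in practice.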
Training and transparency. Explain the policy during onboarding and annually. Provide an internal contact for questions. Log and address complaints promptly.
Suggested policy snippet: “Our company collects limited biometric identifiers solely for timekeeping and access control. We will inform you of the purpose and retention period, obtain your written consent before collection, protect your data using industry-standard security controls, and destroy it when the purpose is complete or within our posted retention period.”
For broader compliance planning and intersecting privacy topics beyond biometrics, review our overview of workplace compliance attorney services to understand common policy components and risk areas across employment law.
Best practices — what employees should do
Use this simple checklist to protect your biometric privacy at work.
Ask for the written biometric policy and the retention/destruction schedule before you scan for the first time.
Ask whether you can use an alternative (badge, PIN) if you prefer not to provide biometrics.
Keep copies of any notices and consent forms you sign, plus screenshots of device prompts and HR messages.
Report concerns to HR in writing. If no remedy, escalate to the privacy officer or seek independent legal counsel.
Consider litigation only after you have gathered documents and assessed your state’s law with a qualified attorney. If automated tools are involved, see our resource on AI and algorithmic bias in employment decisions.
One-paragraph email template to request information: “I understand the company is using a biometric system for [timekeeping/access]. Please provide the written policy covering collection, use, storage, and destruction of my biometric identifiers; the specific purpose for collection; the retention schedule; whether any third parties receive my data; and copies of any notices and consent forms. I request these in writing within 14 days.”
Resources & links
For technology background, definitions, and modality overviews, see Fraud.com’s biometric data explainer, Veridas’s guide to biometric types and uses, and the World Bank’s ID4D biometric guide.
For legal obligations, BIPA requirements, and litigation exposure, consult the Epstein Becker Green Expert Q&A on biometrics in the workplace.
Conclusion
Biometric data at work means employers collect unique physical or behavioral traits—like fingerprints and facial scans—to identify or authenticate employees. Used correctly, biometrics can increase security and convenience, but they also introduce sensitive privacy risks and legal duties.
Illinois BIPA employee rights set a high standard: written notice, informed consent, secure storage, destruction on schedule, and a private right to sue for violations. Employees who suspect misuse should document events, demand policies in writing, file an internal complaint, and consider legal action where available. Employers should adopt least-invasive tools, publish clear policies, obtain consent before collection, and enforce retention/destruction rigorously to satisfy workplace biometric privacy law requirements.
Need help now? Get a free and instant case evaluation by US Employment Lawyers. See if your case qualifies within 30-seconds at https://usemploymentlawyers.com.
FAQ
Can an employer collect fingerprints?
Yes, many employers use fingerprint systems for timekeeping and access control, but they must follow state law and, in some states, give written notice, obtain consent, and follow a retention/destruction policy, as explained in Fraud.com’s overview and the legal summary by Epstein Becker Green.
What are my rights under Illinois BIPA?
You have the right to written notice, written informed consent before collection, secure storage, timely destruction, and a private right of action for violations, as outlined in the EBG Law BIPA analysis.
Can I sue my employer for biometric data misuse?
In Illinois, BIPA lets you sue directly and seek liquidated damages (commonly cited as $1,000 per negligent violation or $5,000 per intentional or reckless violation), plus injunctive relief and fees; outside Illinois, remedies depend on general privacy, data breach, and employment law, so consult counsel about available options, per EBG's guidance.
Is facial recognition legal for employers?
It can be, but it carries heightened legal, privacy, and bias risks. Employers in covered states must follow strict notice/consent and retention rules and should audit systems for accuracy and discrimination risks, as recommended in the EBG Law Q&A.
How do I protect myself if my biometric data is at risk?
Request the written policy, consent and retention details, and destruction timeline; keep copies of everything; file an internal complaint; and consider legal advice. For broader surveillance issues, see our guide to workplace privacy rights and monitoring.
This post is informational and does not constitute legal advice. Laws change, and outcomes depend on facts and jurisdiction. For advice about your situation under workplace biometric privacy law and related issues tied to biometric data at work, consult a qualified attorney.