BIPA and AI Time Clocks 2026: Biometric Timekeeping Lawsuit Risk for Employers
Biometric time clocks — fingerprint punch clocks and now AI-powered facial-recognition systems — have generated more Illinois BIPA class actions than any other single technology category. The math is brutal: per-scan damages, twice a day, across an entire workforce.
Why Time Clocks Are BIPA's Biggest Target
Biometric time clocks are attractive to employers because they eliminate buddy-punching and reduce payroll fraud. They're also the single most litigated category under Illinois's Biometric Information Privacy Act, for a simple reason: every employee scans in and out multiple times a day, every workday, for as long as they're employed.
A retailer, warehouse, or manufacturer with a few hundred hourly employees using a fingerprint or facial-recognition clock can generate hundreds of thousands of individual scans a year. Under BIPA, each of those scans is a potential separate violation if proper consent wasn't collected before the system went live.
This is the fact pattern behind the largest BIPA settlements to date, and it's exactly the exposure that AI-enhanced time clocks — now adding facial liveness detection on top of fingerprint or badge scans — are walking into without updated consent processes.
The Cothron v. White Castle Per-Scan Problem
In 2023, the Illinois Supreme Court ruled in Cothron v. White Castle that a BIPA claim accrues every time a company scans or transmits biometric data without proper consent — not once per person, as many defendants had argued. White Castle faced potential damages that commentators estimated could exceed $17 billion across its workforce before the case ultimately settled.
For time clocks specifically, this ruling multiplies exposure dramatically:
- An employee who scans in and out twice a day generates roughly 500 scans per year
- Over a five-year statute of limitations window, that's 2,500 scans per employee
- At $1,000 (negligent) to $5,000 (reckless/intentional) per scan, a single employee's claim can reach into the millions before any class-wide multiplication
- Multiply by a workforce of hundreds or thousands, and even a mid-size employer's uncured consent gap becomes an existential liability
Employers with any biometric time clock deployed without a documented, BIPA-compliant consent process are sitting on this exposure right now, whether or not a lawsuit has been filed yet.
Why AI-Enhanced Time Clocks Raise the Stakes
Time clock vendors are increasingly adding AI-based facial recognition and liveness detection — distinguishing a live employee's face from a photo held up to the scanner — to close buddy-punching loopholes that fingerprint clocks don't fully solve. This adds a second layer of BIPA exposure on top of the original scan:
Compliance Checklist for Employers
Whether you run fingerprint clocks, AI facial-recognition clocks, or both, the compliance baseline is the same: written policy, informed consent, and a defined retention schedule — before the first scan, not after.
- ☐Publish a written policy specifying what biometric identifiers are collected and by which system
- ☐State the specific purpose of collection (timekeeping/payroll accuracy, fraud prevention)
- ☐Define a retention schedule and a destruction guideline — no later than 3 years after the last interaction, or sooner if the purpose is satisfied
- ☐Make the policy publicly available, not just referenced internally
- ☐Obtain a signed release from each employee before their first scan — not embedded in a general handbook acknowledgment
- ☐Disclose that facial or fingerprint data is being collected and how it will be used
- ☐Re-collect consent if the AI vendor or system materially changes (e.g., switching from fingerprint to facial recognition)
- ☐Retain signed consent records for at least as long as the employee's biometric data is retained
- ☐Confirm whether facial matching happens on-device or via a cloud API — cloud processing requires additional disclosure of the third party receiving the data
- ☐Get written confirmation from the vendor of their own retention and deletion practices for captured biometric data
- ☐Prohibit vendor use of employee biometric data for model training without separate, explicit consent
- ☐Require prompt notification from the vendor of any data breach involving biometric data
- ☐Delete biometric data within the timeframe stated in your written policy after an employee's termination or the end of the collection purpose
- ☐Confirm the vendor also deletes or purges data on their end, not just your local system
- ☐Document deletion so you can demonstrate compliance if challenged
Beyond Illinois: Other States to Watch
Illinois BIPA is the only state law with a private right of action, which is why it dominates time clock litigation. But employers running biometric time clocks across multiple states should not treat this as an Illinois-only problem:
- Texas (CUBI) and Washington have biometric privacy statutes enforced by their attorneys general rather than private lawsuits, but still carry real penalty exposure
- New York City's biometric identifier law requires disclosure signage for commercial establishments collecting biometric data from customers or employees
- Multi-state employers standardizing on one time clock policy nationwide should build to BIPA's stricter written-consent standard rather than maintaining state-by-state variants
Frequently Asked Questions
We've used a fingerprint time clock for years without any written consent process. What's our exposure?
Every scan collected without a compliant written policy and prior informed consent is a potential separate violation under the Cothron per-scan standard, going back up to five years. The most urgent step is implementing a compliant consent and policy process going forward, and consulting counsel about remediation and potential retroactive exposure for past collection.
Does switching to a badge-and-PIN system remove our BIPA risk entirely?
Yes, prospectively — if the new system captures no biometric identifiers, BIPA no longer applies to future timekeeping. However, this does not resolve exposure from biometric data already collected historically, and any residual biometric data from the old system must still be properly deleted per your retention policy.
Our time clock vendor says their AI system is BIPA-compliant. Is that enough?
A compliant system configuration doesn't replace your obligations as the employer collecting the data. You still need your own written policy, your own employee consent process, and your own retention/deletion practices — the vendor's compliant technology is necessary but not sufficient on its own.
Can employees sue individually, or does it have to be a class action?
BIPA allows individual employees to sue directly; class actions are common because time clock violations affect entire workforces uniformly, making class certification straightforward. A single non-compliant deployment can support either an individual claim or, more commonly given the scale, a workforce-wide class action.
Fix Consent Before You Fix Anything Else
Every other piece of BIPA compliance — retention schedules, vendor contracts, deletion processes — is secondary to the one thing that determines whether you have exposure at all: did you get informed written consent before the first scan. Audit that first.
If your time clock has been running without it, the priority is stopping the bleeding — implementing compliant consent now — while you assess what, if anything, needs to be done about data already collected.