Buddy Punching and Time Clock Fraud: How Employers Can Detect It Safely

Biometric privacy enforcement by state. Illinois is the only state with both a private right of action and statutory damages.

Map legend:
  • Illinois: BIPA private right of action + $1K/$5K statutory damages (post-SB 2979 cap)
  • States with AG-only biometric enforcement (TX, WA, CO, MD)
  • No specific biometric statute (federal Title VII / ADA still apply)

Buddy punching is simple: one employee clocks in or out for another. It can look small shift by shift, but it adds up when employees can punch from the wrong place, the wrong device, or on behalf of someone who is late or absent.

The tempting fix is a fingerprint or face-recognition timeclock. That may address the issue, but it can create a different problem. In Illinois, biometric timeclocks are governed by the Biometric Information Privacy Act (BIPA, 740 ILCS 14), which has a private right of action, statutory damages, and attorney-fee exposure. White Castle's worst-case per-scan exposure in Cothron v. White Castle System, Inc. was estimated at up to $17 billion before the case settled for $9.39 million. Illinois narrowed that per-scan damages theory in 2024, and the Seventh Circuit applied that change retroactively in Clay v. Union Pacific in April 2026, but the compliance duties did not disappear.

For most small employers, the better path is not "use nothing" or "use biometrics." It is layered non-biometric proof: GPS-bounded clock-in, device checks, photo-on-punch for human review, manager approval, and pattern flags. That gives you evidence when a punch looks wrong without putting every clock-in inside a biometric privacy statute.

What to use first

If this is the problem, start here:

  • Employees can clock in for each other → Use photo-on-punch for human review, GPS-bounded clock-in, and device checks before fingerprint scan.
  • You have employees in Illinois → Avoid fingerprint or face-recognition unless your BIPA notice, release, retention, and destruction process is already in place.
  • You want proof without collecting biometric data → Keep the punch, photo, GPS point, device ID, edit reason, and manager approval together.
  • A punch looks suspicious → Review the record before discipline: photo, GPS, device, schedule, badge access, and manager notes.
  • You are ending employment after confirmed fraud → Pay any disputed final wages first, then pursue recovery separately if appropriate.

Quick reference

  • Federal floor: no specific federal statute prohibits buddy punching. The FLSA recordkeeping rules still matter because bad time records hurt you in wage disputes.
  • Illinois BIPA (740 ILCS 14): the main biometric timeclock risk. Written notice, written release, retention rules, and destruction rules matter before collection starts.
  • Texas CUBI (Tex. Bus. & Com. Code §503.001): AG-only enforcement, $25,000 per violation. The $1.4 billion Texas v. Meta settlement (July 30, 2024; $500M up front + $225M annually 2025–2028) set the precedent for the AG-enforcement track.
  • Washington (RCW 19.375): notice + consent required; AG-only enforcement; no private right of action.
  • Non-biometric detection (photo-on-punch, GPS clock-in, IP restriction, device-ID): lower biometric privacy risk when photos are not processed into facial-geometry templates. Electronic-monitoring notice rules may still apply.
  • Multi-state employers: biometric collection from an Illinois-based remote employee triggers BIPA regardless of where the employer is headquartered.

The 5 most expensive detection mistakes

The most expensive mistakes happen when an employer solves a timekeeping problem by creating a bigger recordkeeping or privacy problem.

  1. Deploying a fingerprint timeclock in Illinois without §15(b) written notice and release. Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, established that a person is "aggrieved" under §20 by a bare statutory violation — no separate actual injury required. Cothron v. White Castle System, Inc., 2023 IL 128004, held that EACH unauthorized scan was a separate violation. White Castle's exposure under the per-scan theory was estimated at up to $17 billion; the case settled on remand for $9.39 million in front of Judge John J. Tharp Jr. (N.D. Ill.). SB 2979 (2024) and Clay v. Union Pacific (2026) capped the per-person/per-method recovery — but the pre-2024 exposure shape was real and the post-2024 floor is still expensive: 1,000 employees × $5,000 = $5M minimum for an intentional §15(b) violation, before attorney's fees.

  2. Storing a faceprint without realizing it is different from a photo. A clock-in photo for human review is not the same thing as facial recognition. BIPA excludes photographs, but a system that extracts facial geometry from that photo for automated matching can move into BIPA territory. Ask the vendor whether the system stores photos only, or whether it creates and stores a face template.

  3. Assuming Texas or Washington do not matter because employees cannot bring BIPA-style lawsuits there. Texas and Washington do not have the same private-lawsuit structure as Illinois, but state attorneys general can still enforce biometric privacy laws. Texas's $1.4 billion Meta settlement on July 30, 2024 showed that AG-only enforcement can still matter.

  4. Using facial recognition without checking whether it works equally well for everyone. NIST's 2019 Face Recognition Vendor Test found large accuracy differences across demographic groups. If a timeclock misidentifies some employees more often than others, the employer may have a fairness and Title VII problem even outside Illinois.

  5. Withholding disputed wages at termination before the investigation is complete. California Labor Code §203 can add up to 30 days of waiting-time penalties when final wages are willfully unpaid. If the time record says the hours were worked, do not assume you can simply withhold those wages because the punch looks fraudulent. Investigate, preserve the evidence, pay disputed final wages when required, and pursue recovery separately if appropriate.

The Economic Case

Industry estimates put time-clock fraud at roughly 2% of gross payroll in affected workforces. The figure is widely attributed to the American Payroll Association across HR publications and vendor blogs, but the primary APA publication anchoring it is hard to surface — treat the specific percentage as directional rather than precisely cited. The order of magnitude is consistent across independent surveys (Robert Half estimates broader "time theft," including long breaks and personal-business time, at roughly 4.5 hours per employee per week — a superset that includes buddy punching).

QuickBooks' 2017 survey of ~1,000 employees who track time found 16% admit to buddy punching at least once. Industry concentration is consistent: restaurants, retail, healthcare, manufacturing, hospitality. The shared traits are shift work, low-supervision shifts, and a high share of hours captured by employee-operated clock-ins rather than supervisor-attested rosters.

Per-employee math at illustrative rates:

  • $20/hour × 4 unauthorized hours per month × 12 months = $960 per employee per year
  • 100 employees × $960 = $96,000 annually
  • Same scale at 500 employees = $480,000 annually

These are baseline figures. The compounding factor isn't the per-incident loss; it's the cumulative effect across hours, employees, and years. The cost is also asymmetric across the workforce — the 16% who admit may account for substantially more than 16% of the unauthorized hours.

Detection mechanisms

The practical choice is not "trust everyone" or "fingerprint everyone." You can usually start with lower-risk proof and only consider biometrics if the business problem still is not solved.

Biometric track (BIPA exposure)

  • Fingerprint scanner at a kiosk or mobile app. Most common. The full §15 compliance regime applies in Illinois: written policy, written notice + release, retention schedule, destruction protocol, prohibition on sale/disclosure, reasonable standard of care.
  • Face geometry / faceprint capture (not just a photo — extracted facial-geometry data). Same §15 compliance regime; layered Title VII disparate-impact risk for documented accuracy gaps.
  • Hand geometry / palm vein. Same regime; less common operationally.
  • Voiceprint for phone-based clock-in. Rare in this context but explicitly named in §10 — same regime.

Non-biometric track (electronic-monitoring territory)

  • Geolocation (GPS) on mobile clock-in. Records GPS coordinates at punch; rejects punches outside an approved geofence. Electronic-monitoring notice statutes in Connecticut (C.G.S. §31-48d) and Delaware (Title 19 §705) apply, as do California's CCPA data-handling obligations. Not biometric under any state statute. No private right of action with statutory damages.
  • IP address restriction. Clock-in permitted only from approved work-site IPs (kiosk or office Wi-Fi). Lowest privacy footprint; not regulated under monitoring statutes. Useful for fixed-location workforces, useless for field workers.
  • Device fingerprint / unique device ID. Tying clock-in to a specific phone/tablet/kiosk via device identifiers (MAC address, device hash). Generally NOT biometric under any state statute.
  • Photo on punch. Selfie captured at clock-in/out, stored alongside the punch record. Photographs are explicitly excluded from BIPA's §10 definition of "biometric identifier." Storing the photo for human review = outside BIPA. Running automated facial-recognition match against an enrolled template = inside BIPA. The compliance pivot is the processing step, not the capture step.
  • Multi-factor combinations. PIN + photo + geofence + device-ID. None of the components are biometric identifiers; the combination produces strong detection signal AND retroactive evidentiary records for any disputed punch.
  • AI / pattern detection on punch data. Vendor-side pattern recognition that flags suspicious patterns (two employees consistently clocking in at the exact same second, geographically impossible punches, repeat patterns over weeks). No identifier captured beyond what's already in the payroll record. Operationally useful, legally uncomplicated.

The strict-everywhere recipe for multi-state employers: avoid biometric collection company-wide unless the workforce concentration justifies the per-state compliance investment. Photo + GPS + device-ID often gives enough deterrence and evidence without turning a timekeeping control into a biometric privacy program.
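
The pattern checks listed above, as an added example that is not Clockspot's code or any vendor's: a small Python script that runs the geofence, same-second shared-device, and impossible-travel checks over constructed punch records and returns a queue for human review. The site coordinates, geofence radius, device identifiers, timestamps and the 50 m/s speed threshold are all constructed assumptions.

```python
"""Punch-review flags from non-biometric signals (added example, not Clockspot's code).

Runs three of the pattern checks described above over constructed punch
records: punches outside the approved geofence, different employees punching
from one device in the same second, and consecutive punches by one employee
that would need an impossible travel speed. Output is a review queue for a
manager to check against photos, schedules and badge logs, not an automatic
disciplinary decision.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Punch:
    employee: str
    ts: datetime        # punch time; assumed already normalised to UTC
    lat: float
    lon: float
    device_id: str      # identifier reported by the clock-in app or kiosk


@dataclass(frozen=True)
class Site:
    lat: float
    lon: float
    radius_m: float     # approved geofence radius in metres


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS-84 points."""
    earth_r = 6371000.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_r * asin(sqrt(a))


def flag_outside_geofence(punches, site):
    """Punches recorded farther from the site than the approved radius."""
    flags = []
    for p in punches:
        dist = haversine_m(p.lat, p.lon, site.lat, site.lon)
        if dist > site.radius_m:
            flags.append((p.employee, p.ts, "outside geofence: %.0f m from site" % dist))
    return flags


def flag_shared_device_same_second(punches):
    """Two or more employees punching on the same device inside one second."""
    seen = {}
    for p in punches:
        seen.setdefault((p.device_id, p.ts.replace(microsecond=0)), set()).add(p.employee)
    return [(tuple(sorted(emps)), ts, "same-second punches on device " + dev)
            for (dev, ts), emps in sorted(seen.items(), key=lambda kv: kv[0][1])
            if len(emps) > 1]


def flag_impossible_travel(punches, max_speed_mps=50.0):
    """Consecutive punches by one employee implying travel faster than max_speed_mps.

    The 50 m/s (180 km/h) default is a constructed threshold; tune it to the
    workforce (a field crew legitimately moves, a kiosk-only site does not).
    """
    flags, by_emp = [], {}
    for p in punches:
        by_emp.setdefault(p.employee, []).append(p)
    for emp, ps in by_emp.items():
        ps.sort(key=lambda p: p.ts)
        for a, b in zip(ps, ps[1:]):
            secs = (b.ts - a.ts).total_seconds()
            dist = haversine_m(a.lat, a.lon, b.lat, b.lon)
            # Same instant in two places, or a speed nobody reaches between punches.
            if dist > 0 and (secs == 0 or dist / secs > max_speed_mps):
                flags.append((emp, b.ts, "impossible travel: %.1f km in %.0f s" % (dist / 1000, secs)))
    return flags


def review_queue(punches, site):
    """Every flag for the period, for a manager to review before any action."""
    return (flag_outside_geofence(punches, site)
            + flag_shared_device_same_second(punches)
            + flag_impossible_travel(punches))


def punch_time(hhmmss):
    """Constructed timestamps: one morning, assumed UTC."""
    return datetime.fromisoformat("2026-03-02T" + hhmmss)


# Constructed sample data: one fixed site and one morning of punches.
SITE = Site(lat=41.8781, lon=-87.6298, radius_m=150.0)
SAMPLE_PUNCHES = [
    Punch("alice", punch_time("08:00:00"), 41.8782, -87.6299, "phone-7f3a"),  # on site
    Punch("bob",   punch_time("08:00:00"), 41.8782, -87.6299, "phone-7f3a"),  # same phone, same second
    Punch("carol", punch_time("08:03:00"), 41.9000, -87.6298, "phone-c1d2"),  # ~2.4 km from site
    Punch("dave",  punch_time("08:05:00"), 41.8781, -87.6298, "kiosk-01"),    # on site
    Punch("dave",  punch_time("08:10:00"), 42.1500, -87.6298, "phone-d4e5"),  # ~30 km away, 5 min later
]

if __name__ == "__main__":
    for who, when, why in review_queue(SAMPLE_PUNCHES, SITE):
        print(when.isoformat(), who, why)
```

Each flag is a reason to pull the photo, schedule and device record for that punch, which is the review step the playbook below depends on.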

What employers often miss

  • A photo is not the same as a faceprint. Storing a photo at clock-in for human review is different from extracting facial geometry for automated matching. Vendor demos can blur that line, so ask exactly what is stored.
  • Texas is not "BIPA-lite." Texas's CUBI carries no private right of action, but the AG-enforcement track is real and growing. The $1.4 billion Texas v. Meta settlement (July 30, 2024) established that AG-track enforcement produces nine-figure consequences without a class action. Multi-state biometric deployments need to clear Texas's CUBI requirements (written notice + consent, retention limits) independently — relying on a BIPA-compliance posture isn't sufficient.
  • The 2024 BIPA amendment changed damages, not the basic duties. SB 2979 narrowed repeated-scan recovery, but employers still need the written policy, notice, release, retention, destruction, and data-protection pieces before collecting biometrics.
  • Facial-recognition accuracy can become an employment issue. If a system misidentifies some employees more often than others, discipline based on that system can create fairness and discrimination risk.
  • Illinois risk can follow the employee. A company outside Illinois can still run into BIPA if it collects biometrics from an Illinois employee.

Illinois BIPA — the law to understand before biometrics

The Illinois Biometric Information Privacy Act (740 ILCS 14), enacted 2008, is the most-litigated biometric privacy statute in the United States. Workplace fingerprint, face-scan, and hand-geometry timeclock systems have produced hundreds of class actions and billions in cumulative exposure. The 2024 amendment narrowed the per-scan damages theory; the 2026 7th Circuit retroactivity ruling extended that narrowing to pending cases. The post-2024 landscape is more bounded but still meaningful.

§15 — the operative compliance obligations

§15 imposes five distinct duties on any private entity collecting biometric identifiers or information:

  • §15(a) — retention schedule + destruction. Develop a written, publicly available policy establishing a retention schedule and destruction protocol. Destruction triggers at the earlier of: (1) initial purpose satisfied, or (2) three years after the individual's last interaction.
  • §15(b) — written notice + written release before collection. Before any biometric collection, the employer must (1) inform the subject in writing that biometrics are being collected/stored, (2) inform the subject in writing of the specific purpose and length of storage, AND (3) receive a written release from the subject.
  • §15(c) — prohibition on sale. No private entity in possession of biometric data may sell, lease, trade, or otherwise profit from it.
  • §15(d) — disclosure restriction. No disclosure or dissemination except under narrow exceptions (subject consent, completing a financial transaction the subject authorized, law/ordinance requirement, valid warrant or subpoena).
  • §15(e) — reasonable standard of care. Store, transmit, and protect biometric data using the reasonable industry standard, at least as protective as the treatment of other confidential information.

§10 — what counts as a "biometric identifier"

"A retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry."

Exclusions written into the statute: writing samples, written signatures, photographs, human biological samples for valid scientific testing or screening, demographic data, tattoo descriptions, physical descriptions (height/weight/hair/eye color), donated organs/tissues, and biological materials regulated under the Genetic Information Privacy Act.

The "photographs" exclusion matters for photo-on-punch systems — see the discussion above.

§20 — private right of action and damages

"Any person aggrieved by a violation of this Act shall have a right of action ... A prevailing party may recover for each violation: (1) against a private entity that negligently violates a provision of this Act, liquidated damages of $1,000 or actual damages, whichever is greater; (2) against a private entity that intentionally or recklessly violates a provision of this Act, liquidated damages of $5,000 or actual damages, whichever is greater; (3) reasonable attorneys' fees and costs ... ; and (4) other relief, including an injunction."

This private right of action with statutory damages is the doctrinal pivot. Illinois is the ONLY state with this combination — Texas's CUBI allows AG enforcement only, Washington's RCW 19.375 the same.

SB 2979 (August 2, 2024) — the per-method amendment

Signed by Governor J.B. Pritzker on August 2, 2024; effective immediately. The amendment added language to §15(b) and §15(d) capping recovery:

"a private entity that, in more than one instance, collects, captures, purchases, receives through trade, or otherwise obtains the same biometric identifier or biometric information from the same person using the same method of collection in violation of subdivision (b) of Section 15 has committed a single violation of subdivision (b) of Section 15 for which the aggrieved person is entitled to, at most, one recovery under this Section."

The same per-person/per-method cap applies to §15(d). The amendment also updated "written release" to explicitly include electronic signatures.

Why this happened: the Illinois Supreme Court's Cothron v. White Castle ruling (2023) held that each unauthorized scan was a SEPARATE violation. For a timeclock employee punching in and out four times a day for several years, the per-scan theory produced "annihilative" damages — White Castle's own worst-case exposure exceeded $17 billion. SB 2979 was the legislature's response.

Clay v. Union Pacific (April 1, 2026) — retroactive application

The Seventh Circuit held in Clay v. Union Pacific Railroad Co., No. 25-2185 (7th Cir. Apr. 1, 2026), that the 2024 amendment applies retroactively to cases pending when the amendment was enacted. The court reasoned that the amendment is remedial — revising the §20 damages provision rather than the §15 substantive standards — and therefore applies retroactively under the Illinois retroactivity test. The practical effect: plaintiffs in pre-2024 pending cases are now entitled to at most one recovery per person per method, regardless of whether the underlying conduct predates August 2024. The litigation-risk landscape post-2026 is meaningfully bounded compared to the 2019–2023 peak.

BIPA Case Law

Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186

The doctrinal foundation. Stacy Rosenbach sued Six Flags Great America for fingerprinting her minor son in the course of issuing a season pass. The Illinois Supreme Court held unanimously that a person is "aggrieved" under §20 by a bare statutory violation — no separate actual injury required. The decision opened the floodgates to BIPA class actions. The monetary settlement on remand was approximately $36 million covering ~1.1 million class members, with distribution over five annual installments (2021–2025).

Cothron v. White Castle System, Inc., 2023 IL 128004

The Illinois Supreme Court held that each unauthorized scan or transmission of biometric data constitutes a separate violation — not a single accrual at first capture. White Castle had argued the per-scan theory was untenable; the Court acknowledged the magnitude but held the statutory text required per-scan accrual, with the legislative fix-up (if any) for the legislature. White Castle's own worst-case exposure estimate exceeded $17 billion. The settlement on remand was $9.39 million, finally approved by Judge John J. Tharp Jr. (N.D. Ill., Case No. 1:19-cv-00382), covering more than 9,000 current and former White Castle employees. Cothron triggered SB 2979 the following year.

Rogers v. BNSF Railway Co. (N.D. Ill. 2022 / 2023)

The first BIPA case to go to a full jury trial. October 12, 2022 — a federal jury in the Northern District of Illinois (Judge Matthew Kennelly) found BNSF Railway violated §15(a) and §15(b) when it required truck drivers to scan fingerprints at rail-yard gates for identity verification. The jury found 45,600 reckless or intentional violations; judgment entered at $5,000 × 45,600 = $228 million.

Crucial procedural posture: the $228M judgment was VACATED on June 30, 2023 when Judge Kennelly ordered a new jury trial limited to the question of damages. The court held that BIPA §20 statutory damages are DISCRETIONARY, not automatic. The case has continued through procedural challenges since then. The $228M figure cannot be cited as a settled-law data point; it was a verdict that didn't stand. The case remains important as the first BIPA jury verdict and for the doctrinal point about vicarious liability for third-party-operated biometric equipment.

Patel v. Facebook, Inc., 932 F.3d 1264 (9th Cir. 2019)

Not a workplace case, but the doctrinal proof point for class-action viability. The Ninth Circuit affirmed certification of a class of Facebook users alleging the "Tag Suggestions" facial-recognition feature violated BIPA. The court held plaintiffs had Article III standing — development of a face template without consent invades a concrete privacy interest. Final settlement was $650 million, approved 2020 (revised upward from an initial $550M after Judge James Donato rejected the first proposal as inadequate). Still the largest BIPA settlement to date.

Named Workplace BIPA Settlements

The dollar magnitudes that illustrate the post-Rosenbach pre-2024 exposure era. All amounts verified against secondary sources; underlying court records cited in the article's source list.

Defendant                                   | Amount        | Trigger
Facebook (Patel)                            | $650M         | Tag Suggestions facial recognition
McDonald's (Illinois employees)             | up to $50M    | Employee biometric login + timeclock
BNSF Railway (jury verdict; vacated 2023)   | $228M         | Truck-driver fingerprint at rail yards
Six Flags (Rosenbach on remand)             | $36M          | Season-pass fingerprint enrollment
Kronos / UKG                                | $15.3M        | Workplace timeclock biometric data processing
Biometric Impressions                       | $10.85M       | Inkless live-scan fingerprinting
White Castle (Cothron on remand)            | $9.39M        | Employee fingerprint timeclock
iSolved                                     | $2.48M        | Workplace biometric data processing
Pret A Manger                               | $677K         | Employee fingerprint timeclock

McDonald's settlement is "up to $50 million" — $40M up front plus reserve tranches that can bring the total to $50M depending on claim volume. The general magnitude (mid-eight-figures to nine-figures for large workforces) is the pattern that drove the 2024 legislative response.

Other State Biometric Privacy Laws

  • Texas — Capture or Use of Biometric Identifier Act (CUBI), Tex. Bus. & Com. Code §503.001. Requires written notice + consent before collection; AG-only enforcement, no private right of action. Civil penalty up to $25,000 per violation. The AG enforcement track produced the $1.4 billion Texas v. Meta settlement announced July 30, 2024 — $500 million up front, $225 million annually 2025–2028. Largest single-state biometric privacy settlement to date.
  • Washington — RCW 19.375. Notice + consent for biometric "enrollment" for commercial purposes. AG-only enforcement; no private right of action.
  • NYC — Local Law 3 of 2021 (Biometric Identifier Information Law). Customer-facing scope at "commercial establishments" — notice posting required, sale prohibited. Some interpretations reach employee-facing kiosks; defensible posture is to treat any kiosk visible to customers as in scope.
  • Colorado — Privacy Act biometric amendments (HB24-1130, effective July 1, 2025). AG-only enforcement; written policy + consent required; employer scope explicitly included; volume threshold for applicability removed.
  • Maryland — Online Data Privacy Act. Biometric data classified as "sensitive data"; civil fines up to $10,000–$25,000 per violation. Effective October 1, 2025; AG enforcement begins April 1, 2026.
  • New York — proposed S1422/A6031 (2025–2026 session). Statewide biometric privacy bill modeled on BIPA. As of this article's publication date, not enacted.

Notice statutes for electronic monitoring (relevant to GPS clock-in, not biometric collection):

  • Connecticut C.G.S. §31-48d — written notice required before electronic monitoring; civil penalties up to $3,000 for the third-tier violation.
  • Delaware 19 Del. C. §705 — written notice required; daily notice option available.
  • New York Civil Rights Law §52-c — written notice on hire required for electronic monitoring of phone, email, and internet usage. The statute does NOT cover pure GPS / location monitoring. Employers deploying GPS clock-in in New York should still provide notice as a defensive matter, but §52-c is not the operative statute.

Federal Employment Overlay

Three federal statutes interact with biometric workplace surveillance:

  • Title VII (42 USC §2000e) — disparate-impact risk. NIST's 2019 Face Recognition Vendor Test found facial-recognition algorithms 10–100× more likely to misidentify Black and East Asian faces than white faces, with the highest false-positive rates for Black women. An employer whose policy produces disparate impact on a protected class is liable unless the policy is "job related and consistent with business necessity." No controlling appellate case yet establishes the theory specifically for workplace facial-recognition timeclocks, but the documented accuracy gaps make the legal posture quotable.
  • NLRA — surveillance of union activity. Section 7 of the NLRA protects concerted activity; employer surveillance directed at union organizing is a §8(a)(1) unfair labor practice. Generic timeclock detection is not §8(a)(1) material in itself, but mass-deploying biometric or GPS clocks in response to a union drive could be inferred as targeted surveillance.
  • ADA — accommodation. Employees who cannot use a specific authentication method (worn fingerprints, missing fingers, disabilities preventing facial-geometry capture) have an ADA right to reasonable accommodation. The employer's burden is to provide an alternative authentication method (PIN + supervisor attestation, manual entry with review) — not to abandon the system.

Buddy punching is connected to several other timekeeping issues. The common thread is record quality: when time records are wrong, every later dispute gets harder.

  • Recordkeeping. Buddy-punched hours can become false entries in the time record. Detection records, such as photos, GPS logs, and device IDs, help explain what happened later. See recordkeeping requirements.
  • Off-the-clock work. Buddy punching puts hours into the record that may not have been worked. Off-the-clock work leaves worked hours out of the record. Both problems start with unreliable records. See off-the-clock work by state.
  • Time-clock rounding. Exact punch records make suspicious patterns easier to see. See time clock rounding rules.
  • Pay stubs. Incorrect hours can flow into wage statements. See pay-stub requirements by state.
  • California final pay. If employment ends after suspected buddy punching, final-pay timing still matters. Investigate before termination when possible, and be careful before withholding disputed wages.

Multi-State and Remote Workers

Biometric collection follows the employee's work location, not the employer's HQ. The compliance map:

  • Texas-headquartered employer with an Illinois-based remote employee → BIPA applies. The Illinois employee's biometric collection triggers full §15 compliance, regardless of where the timeclock system or the company is based.
  • Illinois-headquartered employer with a Texas-based remote employee → Texas CUBI applies (notice + consent, AG enforcement).
  • Multi-state workforce with employees in IL, TX, WA, NYC, CO, MD → six different compliance regimes layered. The strict-everywhere recipe is BIPA-grade compliance company-wide: written policy, written notice + release, retention schedule, destruction protocol — applied uniformly even where state law would permit less.

The non-biometric alternative is functionally always easier multi-state. GPS, photo, IP, and device-ID detection produce equivalent deterrent effect without the per-state compliance investment.

Recent Changes (2024–2026)

  • Texas v. Meta settlement (July 30, 2024) — $1.4 billion. First major Texas CUBI AG enforcement; $500M up front + $225M annually 2025–2028. Established the AG-track viability for states without a private right of action.
  • Illinois SB 2979 / Public Act 103-0769 (August 2, 2024). Per-person/per-method recovery cap on §15(b) and §15(d) BIPA violations; electronic signatures explicitly OK for "written release."
  • Colorado HB24-1130 (effective July 1, 2025). Privacy Act biometric amendments; AG-only enforcement; employer scope; volume threshold removed.
  • Maryland Online Data Privacy Act (effective October 1, 2025; enforcement April 1, 2026). Biometric data is "sensitive data"; AG enforcement; civil penalties up to $10,000–$25,000.
  • Connecticut Data Privacy Act biometric amendments (2025). AG enforcement track strengthened; sensitive-data treatment for biometric.
  • Clay v. Union Pacific Railroad Co., No. 25-2185 (7th Cir. April 1, 2026). SB 2979 applies retroactively to pending cases. Materially shrinks pre-2024 BIPA exposure; the litigation-risk landscape post-2026 is meaningfully bounded.

Frequently Asked Questions

What is buddy punching?

Buddy punching is when one employee clocks in or out for another, usually because the second employee is late, leaving early, or absent. The punch then appears in the time record as legitimate work time, even though the record may not match what actually happened.

Often, yes, but the state-law rules matter. Illinois is the highest-risk state because BIPA requires written notice, written release, a retention policy, destruction rules, and reasonable data protection before collecting biometrics. Texas, Washington, Colorado, and Maryland also regulate biometric data, but they do not use the same private-lawsuit structure as Illinois.

What is Illinois BIPA and when does it apply?

BIPA is the Illinois biometric privacy law. It covers fingerprints, voiceprints, and scans of hand or face geometry. For a timeclock, the practical rule is simple: if you collect biometric data from an Illinois employee, you need the BIPA process in place before collection starts.

How did the 2024 BIPA amendment change the landscape?

Illinois narrowed repeated-scan recovery in 2024. That means repeated scans by the same person using the same method no longer create the same per-scan damages theory that drove earlier cases. But the amendment did not remove the core duties: notice, release, retention, destruction, and data-protection rules still matter.

Is photo-on-punch covered by BIPA?

A stored photo for human review is different from facial recognition. BIPA excludes photographs, but a system that extracts face geometry from a photo for automated matching can move into BIPA territory. Ask the vendor whether the system stores photos only or creates face templates.

What states require notice for GPS clock-in?

Connecticut and Delaware have electronic-monitoring notice laws, and California treats precise location data as sensitive personal information. Even where a GPS-specific notice rule is not obvious, the practical standard is to tell employees what location data is collected, when it is collected, and how it is used.

How do I detect buddy punching without biometric collection?

Use layered proof: photo-on-punch for human review, GPS-bounded clock-in, device checks, IP restrictions for fixed sites, manager approval, and pattern alerts. The goal is not to watch employees constantly. The goal is to have enough evidence to review a questionable punch fairly.

What if I discover an employee has been buddy punching?

Investigate before disciplining. Review the punch, photo, GPS point, device record, schedule, access logs, and manager notes. Be careful before withholding disputed final wages, especially in California. If the investigation confirms fraud, pursue recovery separately where appropriate.

If You Discover Buddy Punching

The unwinding playbook when a detection signal (photo mismatch, geographically impossible punch, AI pattern flag) surfaces possible buddy punching:

  1. Investigate before disciplining. Pull the photo + GPS + device-ID records for the suspect punches alongside CCTV (where available), badge access logs, and witness testimony. The detection signal alone is necessary but not sufficient; build the evidentiary record before any action.

  2. Stage the wages — don't withhold disputed amounts at termination. California §203 waiting-time penalties (up to 30 days of additional pay at the employee's daily rate) attach when the employer "willfully" withholds wages at separation. If the records SAY the hours were worked (which they do — that's the buddy-punching problem in the first place), the employer's argument that the records are unreliable is exactly the Mt. Clemens burden-shift turned against itself. Pay the disputed wages at termination; pursue recovery separately as a civil claim if the investigation confirms fraud.

  3. Document the secondary record. Photos, GPS logs, device-IDs, and any AI pattern-detection output need to be preserved under whatever retention policy applies — typically the longer of (a) the §516 supplementary-record retention (2 years federally, 3+ years per state) or (b) the litigation-hold posture once any dispute is anticipated. See recordkeeping requirements for the framework.

  4. If you're using a biometric system, verify BIPA / state-statute compliance is current. The fraud investigation itself doesn't trigger a BIPA claim, but the discovery process often surfaces gaps in §15 compliance that the employer didn't realize were there. Fixing the compliance gaps proactively limits the downstream litigation exposure.

  5. Consult counsel before a class-affecting policy change. If buddy-punching detection prompts deployment of a new authentication mechanism — facial recognition, fingerprint reader, mandatory mobile clock-in with GPS — the policy change itself can trigger Title VII disparate-impact review, NLRA scrutiny (if union activity is in progress), ADA accommodation review, and (in Illinois) full BIPA §15(b) compliance for any new biometric collection. The policy-change vehicle is when the legal exposure cascades.

The Through-Line

The strongest prevention technology is not always the safest first choice. The economic case for buddy-punch detection is real, but the standard answer (fingerprint reader, facial-recognition clock-in) can put the employer in BIPA territory in Illinois, in CUBI territory in Texas, and in disparate-impact territory under Title VII anywhere the chosen biometric has documented accuracy gaps.

The 2024 SB 2979 amendment and the 2026 Clay v. Union Pacific retroactivity ruling have bounded the peak Illinois exposure. But "bounded" still means $5,000 per intentional violation × workforce size, plus attorney's fees. The Texas v. Meta settlement at $1.4 billion proved that AG-only enforcement in non-Illinois states can produce nine-figure consequences without a class action. The pre-2024 peak is over; the post-2026 floor is not.

The non-biometric alternative is often enough for the real business problem. Photo-on-punch + GPS-bounded mobile clock-in + device-ID + pattern detection produce useful detection signals at a fraction of the biometric privacy risk. The strongest defensive posture is not the most invasive authentication; it is the layered proof that deters bad punches and gives you a record when a punch is disputed. Pick the technology that does the job without inviting the bigger lawsuit.

Sources and Authorities

Case law

  • Anderson v. Mt. Clemens Pottery Co., 328 U.S. 680 (1946) — recordkeeping burden-shifting.
  • Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 — "aggrieved" = bare statutory violation; ~$36M settlement on remand.
  • Patel v. Facebook, Inc., 932 F.3d 1264 (9th Cir. 2019) — BIPA class-action standing; $650M settlement (2020).
  • Rogers v. BNSF Railway Co., 680 F.Supp.3d 1027 (N.D. Ill. 2023) — first BIPA jury verdict ($228M, October 2022); judgment vacated June 30, 2023 with new damages trial ordered.
  • Cothron v. White Castle System, Inc., 2023 IL 128004 — each scan = separate violation; ~$17B "annihilative" exposure estimate; $9.39M settlement on remand (Judge Tharp, N.D. Ill.).
  • Clay v. Union Pacific Railroad Co., No. 25-2185 (7th Cir. April 1, 2026) — 2024 BIPA amendment applies retroactively.

About Clockspot

Clockspot helps small businesses track employee time and keep payroll-ready records. Used in all 50 states since 2007, we focus on getting time and pay right — including the wage-and-hour rules that shape both.

Clockspot helps flag buddy punching with GPS-bounded clock-in and device-ID checks — no fingerprint reader or facial-recognition timeclock required. See Clockspot buddy-punching controls.