Buddy Punching and Time Clock Fraud: Detection, BIPA, and the 2024 Amendment
Biometric privacy enforcement by state. Illinois is the only state with both a private right of action and statutory damages.
Buddy punching — one employee clocking in for another — is the most widely tolerated form of wage-and-hour fraud in the United States. Industry estimates put the cost at roughly 2% of gross payroll (a figure widely attributed to the American Payroll Association across HR press; the primary source is hard to anchor, but the order of magnitude is consistent across surveys). QuickBooks' 2017 survey of ~1,000 employees found 16% admit to buddy punching at least once. For a 100-employee operation at $20/hour, the order-of-magnitude annual loss is in the tens of thousands of dollars. The cost compounds with workforce size, shift overlap, and the share of hours captured by employee-operated clock-ins.
The trap is that the dominant prevention technology is also the dominant litigation trigger. Fingerprint, face-geometry, and hand-geometry timeclocks in Illinois are governed by the Biometric Information Privacy Act (BIPA, 740 ILCS 14) — a statute with a private right of action and statutory damages of $1,000 per negligent violation and $5,000 per intentional violation, plus attorney's fees. White Castle's per-scan exposure in Cothron v. White Castle System, Inc. (2023) was estimated at up to $17 billion before the case settled on remand for $9.39M. Facebook's Patel settlement reached $650 million. The Illinois legislature responded in August 2024 with SB 2979, narrowing recovery to one violation per person per method; the 7th Circuit's Clay v. Union Pacific (April 2026) made that retroactive to pending cases. The peak-exposure era is over; the post-2024 floor is still expensive. This guide covers the economic case, the two detection-mechanism tracks (biometric and non-biometric, with sharply different legal-risk profiles), the BIPA framework and case law, the other state biometric privacy laws (Texas, Washington, Colorado, Maryland — all AG-only enforcement), the federal employment overlay, and the wage-hour cluster cross-links.
Quick reference
- Federal floor: no specific statute prohibits buddy punching. The FLSA's recordkeeping mandate (29 CFR §516) and the Mt. Clemens burden-shifting rule create downstream exposure when time records can't be trusted — but that exposure cuts both ways (see recordkeeping requirements and off-the-clock work).
- Illinois BIPA (740 ILCS 14): the load-bearing statute. Private right of action with $1,000 (negligent) / $5,000 (intentional or reckless) per violation + attorney's fees + injunctive relief. As amended by SB 2979 (August 2, 2024), recovery is capped at one violation per person per method of collection.
- Texas CUBI (Tex. Bus. & Com. Code §503.001): AG-only enforcement, $25,000 per violation. Set the AG-enforcement-track precedent with the $1.4 billion Texas v. Meta settlement (July 30, 2024 — $500M up front + $225M annually 2025–2028).
- Washington (RCW 19.375): notice + consent required; AG-only enforcement; no private right of action.
- Non-biometric detection (photo-on-punch, GPS clock-in, IP restriction, device-ID): no BIPA exposure when photos aren't processed for facial-geometry extraction. Electronic-monitoring notice statutes apply in CT, DE, and NY (NY's §52-c covers phone/email/internet, not pure GPS).
- Multi-state employers: biometric collection from an Illinois-based remote employee triggers BIPA regardless of where the employer is headquartered.
The 5 Most Expensive Buddy-Punching-and-Detection Mistakes
The patterns that drive litigation in this space. Each has produced eight- or nine-figure exposure.
- Deploying a fingerprint timeclock in Illinois without §15(b) written notice and release. Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, established that a person is "aggrieved" under §20 by a bare statutory violation — no separate actual injury required. Cothron v. White Castle System, Inc., 2023 IL 128004, held that EACH unauthorized scan was a separate violation. White Castle's exposure under the per-scan theory was estimated at up to $17 billion; the case settled on remand for $9.39 million in front of Judge John J. Tharp Jr. (N.D. Ill.). SB 2979 (2024) and Clay v. Union Pacific (2026) capped the per-person/per-method recovery — but the pre-2024 exposure shape was real and the post-2024 floor is still expensive: 1,000 employees × $5,000 = $5M minimum for an intentional §15(b) violation, before attorney's fees.
Cited cases:
- Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 Illinois Supreme Court — Bare statutory violation = "aggrieved" under §20; ~$36M settlement on remand
- Cothron v. White Castle System, Inc., 2023 IL 128004 Illinois Supreme Court — Each scan = separate violation; ~$17B "annihilative" exposure; $9.39M settlement on remand
- Rogers v. BNSF Railway Co., 680 F.Supp.3d 1027 (N.D. Ill. 2023) US District Court, N.D. Illinois — First BIPA jury verdict ($228M, Oct 2022) — VACATED Jun 2023; new damages-only trial ordered
- Patel v. Facebook, Inc., 932 F.3d 1264 (9th Cir. 2019) US Court of Appeals, 9th Circuit — BIPA class-action standing affirmed; $650M settlement (2020) — largest BIPA settlement to date
- Storing a faceprint without realizing the photo-extracted geometry is a "biometric identifier." BIPA's §10 definition explicitly EXCLUDES photographs — a timeclock that takes and stores a selfie at clock-in does NOT, by itself, collect a biometric identifier. But if the system PROCESSES the photo to extract facial-geometry data (face mesh, mathematical "faceprint" for matching), the extracted geometry IS a biometric identifier under §10. Illinois federal courts have held BIPA applies to systems that scan photographs to create facial-geometry templates. The operational pivot: storing photos for human review = outside BIPA; running automated facial-recognition matching against an enrolled face template = inside BIPA (full §15 compliance required).
- Treating Texas, Washington, or NYC as "BIPA-lite." Texas's CUBI carries no private right of action — but AG enforcement is meaningful and growing. The $1.4 billion Texas v. Meta settlement (July 30, 2024 — paid as $500M up front plus $225M annually 2025–2028) established that the AG-enforcement track can produce nine-figure consequences without a class action. Washington's RCW 19.375 is similar (AG-only). NYC's Local Law 3 of 2021 covers customer-facing biometric collection at "commercial establishments" with notice + posting requirements; some interpretations reach employee-facing kiosks. Multi-state biometric deployments need to clear each state's regime independently.
- Mass-deploying a facial-recognition timeclock without considering Title VII disparate-impact risk. NIST's 2019 Face Recognition Vendor Test analyzed 189 algorithms across 99 developers and found many were 10–100× more likely to misidentify Black or East Asian faces than white faces, with the highest false-positive rates for Black women. An employer's policy that produces disparate impact on a protected class is unlawful under 42 USC §2000e unless "job related and consistent with business necessity." No controlling appellate case yet establishes the theory specifically for workplace facial-recognition timeclocks, but the NIST-documented accuracy gaps make the legal posture quotable — and a disparate-impact claim layered onto a BIPA violation produces a uniquely expensive multi-statute exposure.
- Terminating an employee for buddy punching without staging the wages first (California §203 trap). California Labor Code §203 imposes waiting-time penalties — up to 30 days at the employee's daily rate — when an employer "willfully" fails to pay final wages. Terminating for buddy punching while withholding disputed wages tied to the contested punches triggers the §203 risk: the employee will argue the records SHOW the hours were worked (because the records do — that's the buddy-punching problem in the first place), and the employer's argument that the records are unreliable is exactly the Mt. Clemens burden-shift turned against itself. Best practice: investigate before final termination + payroll cycle; pay the disputed wages and pursue recovery separately if the investigation confirms fraud.
The Economic Case
Industry estimates put time-clock fraud at roughly 2% of gross payroll in affected workforces. The figure is widely attributed to the American Payroll Association across HR publications and vendor blogs, but the primary APA publication anchoring it is hard to surface — treat the specific percentage as directional rather than precisely cited. The order of magnitude is consistent across independent surveys (Robert Half estimates broader "time theft," including long breaks and personal-business time, at roughly 4.5 hours per employee per week — a superset that includes buddy punching).
QuickBooks' 2017 survey of ~1,000 employees who track time found 16% admit to buddy punching at least once. Industry concentration is consistent: restaurants, retail, healthcare, manufacturing, hospitality. The shared traits are shift work, low-supervision shifts, and a high share of hours captured by employee-operated clock-ins rather than supervisor-attested rosters.
Per-employee math at illustrative rates:
- $20/hour × 4 unauthorized hours per month × 12 months = $960 per employee per year
- 100 employees × $960 = $96,000 annually
- Same scale at 500 employees = $480,000 annually
These are baseline figures. The compounding factor isn't the per-incident loss; it's the cumulative effect across hours, employees, and years. The cost is also asymmetric across the workforce — the 16% who admit may account for substantially more than 16% of the unauthorized hours.
Detection Mechanisms
The legal-risk asymmetry between biometric and non-biometric detection is this article's load-bearing operational point. A fingerprint reader puts the employer in BIPA territory. A GPS-restricted mobile clock-in puts the employer in standard electronic-monitoring territory — notice required in a handful of states, no class-action damages, no statutory penalties stacked per-scan.
Biometric track (BIPA exposure)
- Fingerprint scanner at a kiosk or mobile app. Most common. The full §15 compliance regime applies in Illinois: written policy, written notice + release, retention schedule, destruction protocol, prohibition on sale/disclosure, reasonable standard of care.
- Face geometry / faceprint capture (not just a photo — extracted facial-geometry data). Same §15 compliance regime; layered Title VII disparate-impact risk for documented accuracy gaps.
- Hand geometry / palm vein. Same regime; less common operationally.
- Voiceprint for phone-based clock-in. Rare in this context but explicitly named in §10 — same regime.
Non-biometric track (electronic-monitoring territory)
- Geolocation (GPS) on mobile clock-in. Records GPS coordinates at punch; rejects punches outside an approved geofence. Electronic-monitoring notice statutes in Connecticut (C.G.S. §31-48d) and Delaware (Title 19 §705), and California's CCPA data-handling obligations, apply. Not biometric under any state statute. No private right of action with statutory damages.
- IP address restriction. Clock-in permitted only from approved work-site IPs (kiosk or office Wi-Fi). Lowest privacy footprint; not regulated under monitoring statutes. Useful for fixed-location workforces, useless for field workers.
- Device fingerprint / unique device ID. Tying clock-in to a specific phone/tablet/kiosk via device identifiers (MAC address, device hash). Generally NOT biometric under any state statute.
- Photo on punch. Selfie captured at clock-in/out, stored alongside the punch record. Photographs are explicitly excluded from BIPA's §10 definition of "biometric identifier." Storing the photo for human review = outside BIPA. Running automated facial-recognition match against an enrolled template = inside BIPA. The compliance pivot is the processing step, not the capture step.
- Multi-factor combinations. PIN + photo + geofence + device-ID. None of the components are biometric identifiers; the combination produces strong detection signal AND retroactive evidentiary records for any disputed punch.
- AI / pattern detection on punch data. Vendor-side pattern recognition that flags suspicious patterns (two employees consistently clocking in at the exact same second, geographically impossible punches, repeat patterns over weeks). No identifier captured beyond what's already in the payroll record. Operationally useful, legally uncomplicated.
The strict-everywhere recipe for multi-state employers: avoid biometric collection company-wide unless the workforce concentration justifies the per-state compliance investment. The deterrent effect of photo + GPS + device-ID is comparable to a fingerprint reader at a fraction of the legal risk.
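As an added example (not code from the article or from any timeclock vendor), the non-biometric checks listed above run over a constructed set of punch records in Python: geofence rejection, same-second paired punches from one device repeated across days, and geographically impossible consecutive punches. The site coordinates, thresholds, device names and employee IDs are assumptions.

```python
"""Non-biometric buddy-punch detection over constructed punch records.
Added example, not code from the article or any timeclock vendor: geofence
rejection, same-second paired punches from one device repeated across days,
and geographically impossible consecutive punches. Site coordinates,
thresholds, device names and employee IDs are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

@dataclass(frozen=True)
class Punch:
    employee: str
    ts: datetime
    lat: float
    lon: float
    device: str  # kiosk or phone identifier attached to the punch

# Assumed work-site geofence (Chicago-area coordinates) and thresholds.
SITE_LAT, SITE_LON, SITE_RADIUS_M = 41.8781, -87.6298, 200.0
MAX_SPEED_KMH = 150.0  # implied travel faster than this between punches is implausible
REPEAT_DAYS = 3        # same pair, same second, on this many distinct days

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6371000.0
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * r * asin(sqrt(a))

def outside_geofence(punches):
    """Punches whose GPS fix lies farther than SITE_RADIUS_M from the site."""
    return [p for p in punches
            if haversine_m(p.lat, p.lon, SITE_LAT, SITE_LON) > SITE_RADIUS_M]

def impossible_travel(punches):
    """(employee, earlier ts, later ts) for consecutive punches by one employee
    whose implied ground speed exceeds MAX_SPEED_KMH."""
    by_emp = defaultdict(list)
    for p in punches:
        by_emp[p.employee].append(p)
    flagged = []
    for emp, ps in by_emp.items():
        ps.sort(key=lambda p: p.ts)
        for a, b in zip(ps, ps[1:]):
            hours = (b.ts - a.ts).total_seconds() / 3600
            km = haversine_m(a.lat, a.lon, b.lat, b.lon) / 1000
            if hours > 0 and km / hours > MAX_SPEED_KMH:
                flagged.append((emp, a.ts, b.ts))
    return flagged

def same_second_pairs(punches):
    """Employee pairs that punched in the same second from the same device,
    mapped to the number of distinct days it happened (REPEAT_DAYS or more)."""
    groups = defaultdict(set)
    for p in punches:
        groups[(p.ts.replace(microsecond=0), p.device)].add(p.employee)
    days = defaultdict(set)
    for (ts, _), emps in groups.items():
        emps = sorted(emps)
        for i in range(len(emps)):
            for j in range(i + 1, len(emps)):
                days[(emps[i], emps[j])].add(ts.date())
    return {pair: len(d) for pair, d in days.items() if len(d) >= REPEAT_DAYS}

def _t(day, hour, minute, second=0):
    return datetime(2025, 3, day, hour, minute, second)

# Constructed sample punches (not real data).
SAMPLE_PUNCHES = [
    # E101 and E102 hit the same kiosk in the same second three days running.
    Punch("E101", _t(3, 8, 0), SITE_LAT, SITE_LON, "kiosk-1"),
    Punch("E102", _t(3, 8, 0), SITE_LAT, SITE_LON, "kiosk-1"),
    Punch("E101", _t(4, 8, 0), SITE_LAT, SITE_LON, "kiosk-1"),
    Punch("E102", _t(4, 8, 0), SITE_LAT, SITE_LON, "kiosk-1"),
    Punch("E101", _t(5, 8, 0), SITE_LAT, SITE_LON, "kiosk-1"),
    Punch("E102", _t(5, 8, 0), SITE_LAT, SITE_LON, "kiosk-1"),
    # E103 punches from a phone roughly 2 km outside the fence.
    Punch("E103", _t(3, 8, 2), SITE_LAT + 0.02, SITE_LON, "phone-103"),
    # E104 punches on site at 08:00, then ~111 km north 30 minutes later.
    Punch("E104", _t(3, 8, 0), SITE_LAT, SITE_LON, "phone-104"),
    Punch("E104", _t(3, 8, 30), SITE_LAT + 1.0, SITE_LON, "phone-104"),
    # E105: ordinary in-fence punch that should not be flagged.
    Punch("E105", _t(3, 8, 1, 17), SITE_LAT, SITE_LON, "kiosk-1"),
]

def run_detection(punches=SAMPLE_PUNCHES):
    """Run all three checks and return the flagged employees per check."""
    return {
        "outside_geofence": sorted(p.employee for p in outside_geofence(punches)),
        "impossible_travel": [emp for emp, _, _ in impossible_travel(punches)],
        "repeat_same_second_pairs": same_second_pairs(punches),
    }
```

On the sample set, run_detection() flags E103 and E104 for the geofence, E104 for impossible travel, and the E101/E102 pair for three same-second days, while E104's same-second punch from a different device is not paired with them.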
Things Employers Consistently Miss
- The photo → faceprint pivot triggers BIPA. Storing a photo at clock-in is outside BIPA (§10 explicitly excludes "photographs"). But running automated facial-recognition matching on that photo — extracting facial-geometry data, computing a face mesh — is inside BIPA, because the extracted geometry IS a §10 "scan of … face geometry." Vendor demos often blur this distinction; ask whether the system stores raw photos or stores extracted facial-geometry templates. The compliance posture is binary.
- Texas is not "BIPA-lite." Texas's CUBI carries no private right of action, but the AG-enforcement track is real and growing. The $1.4 billion Texas v. Meta settlement (July 30, 2024) established that AG-track enforcement produces nine-figure consequences without a class action. Multi-state biometric deployments need to clear Texas's CUBI requirements (written notice + consent, retention limits) independently — relying on a BIPA-compliance posture isn't sufficient.
- The 2024 BIPA amendment changed the litigation math, not the compliance obligations. SB 2979 narrowed recovery to one violation per person per method, but §15(a)–(e) substantive obligations are unchanged: written policy, written notice + release, retention schedule, destruction protocol, no sale, no disclosure, reasonable standard of care. Employers who interpreted the amendment as a compliance rollback created new exposure.
- Facial-recognition systems trigger Title VII disparate-impact review independent of BIPA. NIST's 2019 FRVT documented 10–100× higher misidentification rates for Black and East Asian faces. Disciplinary outcomes (write-ups, missed-punch pay docking) traced to a facial-recognition system's accuracy gaps can be challenged as disparate impact under 42 USC §2000e regardless of whether BIPA is in play. The risk doesn't disappear in non-Illinois states.
- The Illinois jurisdiction trigger is employee residence, not employer location. A Texas-headquartered company collecting biometrics from an Illinois-based remote employee is in BIPA. A timeclock vendor based in California serving a Wisconsin employer with an Illinois employee is in BIPA. The compliance regime follows the data subject.
Illinois BIPA — The Load-Bearing Law
The Illinois Biometric Information Privacy Act (740 ILCS 14), enacted 2008, is the most-litigated biometric privacy statute in the United States. Workplace fingerprint, face-scan, and hand-geometry timeclock systems have produced hundreds of class actions and billions in cumulative exposure. The 2024 amendment narrowed the per-scan damages theory; the 2026 7th Circuit retroactivity ruling extended that narrowing to pending cases. The post-2024 landscape is more bounded but still meaningful.
§15 — the operative compliance obligations
§15 imposes five distinct duties on any private entity collecting biometric identifiers or information:
- §15(a) — retention schedule + destruction. Develop a written, publicly available policy establishing a retention schedule and destruction protocol. Destruction triggers at the earlier of: (1) initial purpose satisfied, or (2) three years after the individual's last interaction.
- §15(b) — written notice + written release before collection. Before any biometric collection, the employer must (1) inform the subject in writing that biometrics are being collected/stored, (2) inform the subject in writing of the specific purpose and length of storage, AND (3) receive a written release from the subject.
- §15(c) — prohibition on sale. No private entity in possession of biometric data may sell, lease, trade, or otherwise profit from it.
- §15(d) — disclosure restriction. No disclosure or dissemination except under narrow exceptions (subject consent, completing a financial transaction the subject authorized, law/ordinance requirement, valid warrant or subpoena).
- §15(e) — reasonable standard of care. Store, transmit, and protect biometric data using the reasonable industry standard, at least as protective as the treatment of other confidential information.
§10 — what counts as a "biometric identifier"
"A retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry."
Exclusions written into the statute: writing samples, written signatures, photographs, human biological samples for valid scientific testing or screening, demographic data, tattoo descriptions, physical descriptions (height/weight/hair/eye color), donated organs/tissues, and biological materials regulated under the Genetic Information Privacy Act.
The "photographs" exclusion is operationally load-bearing — see the photo-on-punch discussion above.
§20 — private right of action and damages
"Any person aggrieved by a violation of this Act shall have a right of action ... A prevailing party may recover for each violation: (1) against a private entity that negligently violates a provision of this Act, liquidated damages of $1,000 or actual damages, whichever is greater; (2) against a private entity that intentionally or recklessly violates a provision of this Act, liquidated damages of $5,000 or actual damages, whichever is greater; (3) reasonable attorneys' fees and costs ... ; and (4) other relief, including an injunction."
This private right of action with statutory damages is the doctrinal pivot. Illinois is the ONLY state with this combination — Texas's CUBI allows AG enforcement only, Washington's RCW 19.375 the same.
SB 2979 (August 2, 2024) — the per-method amendment
Signed by Governor J.B. Pritzker on August 2, 2024; effective immediately. The amendment added language to §15(b) and §15(d) capping recovery:
"a private entity that, in more than one instance, collects, captures, purchases, receives through trade, or otherwise obtains the same biometric identifier or biometric information from the same person using the same method of collection in violation of subdivision (b) of Section 15 has committed a single violation of subdivision (b) of Section 15 for which the aggrieved person is entitled to, at most, one recovery under this Section."
The same per-person/per-method cap applies to §15(d). The amendment also updated "written release" to explicitly include electronic signatures.
Why this happened: the Illinois Supreme Court's Cothron v. White Castle ruling (2023) held that each unauthorized scan was a SEPARATE violation. For a timeclock employee punching in and out four times a day for several years, the per-scan theory produced "annihilative" damages — White Castle's own worst-case exposure exceeded $17 billion. SB 2979 was the legislature's response.
Clay v. Union Pacific (April 1, 2026) — retroactive application
The Seventh Circuit held in Clay v. Union Pacific Railroad Co., No. 25-2185 (7th Cir. Apr. 1, 2026), that the 2024 amendment applies retroactively to cases pending when the amendment was enacted. The court reasoned that the amendment is remedial — revising the §20 damages provision rather than the §15 substantive standards — and therefore applies retroactively under the Illinois retroactivity test. The practical effect: plaintiffs in pre-2024 pending cases are now entitled to at most one recovery per person per method, regardless of whether the underlying conduct predates August 2024. The litigation-risk landscape post-2026 is meaningfully bounded compared to the 2019–2023 peak.
BIPA Case Law
Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186
The doctrinal foundation. Stacy Rosenbach sued Six Flags Great America for fingerprinting her minor son in the course of issuing a season pass. The Illinois Supreme Court held unanimously that a person is "aggrieved" under §20 by a bare statutory violation — no separate actual injury required. The decision opened the floodgates to BIPA class actions. The monetary settlement on remand was approximately $36 million covering ~1.1 million class members, with distribution over five annual installments (2021–2025).
Cothron v. White Castle System, Inc., 2023 IL 128004
The Illinois Supreme Court held that each unauthorized scan or transmission of biometric data constitutes a separate violation — not a single accrual at first capture. White Castle had argued the per-scan theory was untenable; the Court acknowledged the magnitude but held the statutory text required per-scan accrual, with the legislative fix-up (if any) for the legislature. White Castle's own worst-case exposure estimate exceeded $17 billion. The settlement on remand was $9.39 million, finally approved by Judge John J. Tharp Jr. (N.D. Ill., Case No. 1:19-cv-00382), covering more than 9,000 current and former White Castle employees. Cothron triggered SB 2979 the following year.
Rogers v. BNSF Railway Co. (N.D. Ill. 2022 / 2023)
The first BIPA case to go to a full jury trial. October 12, 2022 — a federal jury in the Northern District of Illinois (Judge Matthew Kennelly) found BNSF Railway violated §15(a) and §15(b) when it required truck drivers to scan fingerprints at rail-yard gates for identity verification. The jury found 45,600 reckless or intentional violations; judgment entered at $5,000 × 45,600 = $228 million.
Crucial procedural posture: the $228M judgment was VACATED on June 30, 2023 when Judge Kennelly ordered a new jury trial limited to the question of damages. The court held that BIPA §20 statutory damages are DISCRETIONARY, not automatic. The case has continued through procedural challenges since then. The $228M figure cannot be cited as a settled-law data point; it was a verdict that didn't stand. The case remains important as the first BIPA jury verdict and for the doctrinal point about vicarious liability for third-party-operated biometric equipment.
Patel v. Facebook, Inc., 932 F.3d 1264 (9th Cir. 2019)
Not a workplace case, but the doctrinal proof point for class-action viability. The Ninth Circuit affirmed certification of a class of Facebook users alleging the "Tag Suggestions" facial-recognition feature violated BIPA. The court held plaintiffs had Article III standing — development of a face template without consent invades a concrete privacy interest. Final settlement was $650 million, approved 2020 (revised upward from an initial $550M after Judge James Donato rejected the first proposal as inadequate). Still the largest BIPA settlement to date.
Named Workplace BIPA Settlements
The dollar magnitudes that illustrate the post-Rosenbach pre-2024 exposure era. All amounts verified against secondary sources; underlying court records cited in the article's source list.
| Defendant | Amount | Trigger |
|---|---|---|
| Facebook (Patel) | $650M | Tag Suggestions facial recognition |
| McDonald's (Illinois employees) | up to $50M | Employee biometric login + timeclock |
| BNSF Railway (jury verdict; vacated 2023) | $228M | Truck-driver fingerprint at rail yards |
| Six Flags (Rosenbach on remand) | $36M | Season-pass fingerprint enrollment |
| Kronos / UKG | $15.3M | Workplace timeclock biometric data processing |
| Biometric Impressions | $10.85M | Inkless live-scan fingerprinting |
| White Castle (Cothron on remand) | $9.39M | Employee fingerprint timeclock |
| iSolved | $2.48M | Workplace biometric data processing |
| Pret A Manger | $677K | Employee fingerprint timeclock |
McDonald's settlement is "up to $50 million" — $40M up front plus reserve tranches that can bring the total to $50M depending on claim volume. The general magnitude (mid-eight-figures to nine-figures for large workforces) is the pattern that drove the 2024 legislative response.
Other State Biometric Privacy Laws
- Texas — Capture or Use of Biometric Identifier Act (CUBI), Tex. Bus. & Com. Code §503.001. Requires written notice + consent before collection; AG-only enforcement, no private right of action. Civil penalty up to $25,000 per violation. The AG enforcement track produced the $1.4 billion Texas v. Meta settlement announced July 30, 2024 — $500 million up front, $225 million annually 2025–2028. Largest single-state biometric privacy settlement to date.
- Washington — RCW 19.375. Notice + consent for biometric "enrollment" for commercial purposes. AG-only enforcement; no private right of action.
- NYC — Local Law 3 of 2021 (Biometric Identifier Information Law). Customer-facing scope at "commercial establishments" — notice posting required, sale prohibited. Some interpretations reach employee-facing kiosks; defensible posture is to treat any kiosk visible to customers as in scope.
- Colorado — Privacy Act biometric amendments (HB24-1130, effective July 1, 2025). AG-only enforcement; written policy + consent required; employer scope explicitly included; volume threshold for applicability removed.
- Maryland — Online Data Privacy Act. Biometric data classified as "sensitive data"; civil fines up to $10,000–$25,000 per violation. Effective October 1, 2025; AG enforcement begins April 1, 2026.
- New York — proposed S1422/A6031 (2025–2026 session). Statewide biometric privacy bill modeled on BIPA. As of this article's publication date, not enacted.
Notice statutes for electronic monitoring (relevant to GPS clock-in, not biometric collection):
- Connecticut C.G.S. §31-48d — written notice required before electronic monitoring; civil penalties up to $3,000 for the third-tier violation.
- Delaware 19 Del. C. §705 — written notice required; daily notice option available.
- New York Civil Rights Law §52-c — written notice on hire required for electronic monitoring of phone, email, and internet usage. The statute does NOT cover pure GPS / location monitoring. Employers deploying GPS clock-in in New York should still provide notice as a defensive matter, but §52-c is not the operative statute.
Federal Employment Overlay
Three federal statutes interact with biometric workplace surveillance:
- Title VII (42 USC §2000e) — disparate-impact risk. NIST's 2019 Face Recognition Vendor Test found facial-recognition algorithms 10–100× more likely to misidentify Black and East Asian faces than white faces, with the highest false-positive rates for Black women. An employer whose policy produces disparate impact on a protected class is liable unless the policy is "job related and consistent with business necessity." No controlling appellate case yet establishes the theory specifically for workplace facial-recognition timeclocks, but the documented accuracy gaps make the legal posture quotable.
- NLRA — surveillance of union activity. Section 7 of the NLRA protects concerted activity; employer surveillance directed at union organizing is a §8(a)(1) unfair labor practice. Generic timeclock detection is not §8(a)(1) material in itself, but mass-deploying biometric or GPS clocks in response to a union drive could be inferred as targeted surveillance.
- ADA — accommodation. Employees who cannot use a specific authentication method (worn fingerprints, missing fingers, disabilities preventing facial-geometry capture) have an ADA right to reasonable accommodation. The employer's burden is to provide an alternative authentication method (PIN + supervisor attestation, manual entry with review) — not to abandon the system.
The Wage-Hour Cluster Cross-Links
Buddy punching is the inverse of off-the-clock work — same Mt. Clemens burden-shift mechanism, different direction.
- Recordkeeping. Buddy-punched hours go INTO the §516 record set as false entries. Detection mechanisms (photos, GPS logs, device IDs) produce SECONDARY records that may themselves trigger retention obligations. See recordkeeping requirements for the §516 retention windows + the Mt. Clemens cascade.
- Off-the-clock work. Buddy punching: hours appear in the record that weren't worked (employer overpays). Off-the-clock: hours were worked but don't appear (employer underpays). Same recordkeeping-integrity failure. See off-the-clock work by state for the Mt. Clemens framework.
- Time-clock rounding. Post-Camp, California's exact-time-capture requirement makes buddy-punch detection more precise. See time clock rounding rules for the pending Cal. Supreme Court review.
- Pay-stub (California §226). Buddy-punched hours on a §226 wage statement that the employee later disputes can trigger derivative §226 claims even on overpaid hours — the §226 claim is about ACCURACY of the statement, not directionality of the error. See pay-stub requirements by state.
- California §203 (waiting-time penalties). Terminating for buddy punching while withholding disputed wages triggers §203 risk: up to 30 days of additional pay at the employee's daily rate. Investigate BEFORE final termination; pay disputed wages and pursue recovery separately if the investigation confirms fraud.
Multi-State and Remote Workers
Biometric collection follows the employee's work location, not the employer's HQ. The compliance map:
- Texas-headquartered employer with an Illinois-based remote employee → BIPA applies. The Illinois employee's biometric collection triggers full §15 compliance, regardless of where the timeclock system or the company is based.
- Illinois-headquartered employer with a Texas-based remote employee → Texas CUBI applies (notice + consent, AG enforcement).
- Multi-state workforce with employees in IL, TX, WA, NYC, CO, MD → six different compliance regimes layered. The strict-everywhere recipe is BIPA-grade compliance company-wide: written policy, written notice + release, retention schedule, destruction protocol — applied uniformly even where state law would permit less.
The non-biometric alternative is functionally always easier multi-state. GPS, photo, IP, and device-ID detection produce equivalent deterrent effect without the per-state compliance investment.
Recent Changes (2024–2026)
- Texas v. Meta settlement (July 30, 2024) — $1.4 billion. First major Texas CUBI AG enforcement; $500M up front + $225M annually 2025–2028. Established the AG-track viability for states without a private right of action.
- Illinois SB 2979 / Public Act 103-0769 (August 2, 2024). Per-person/per-method recovery cap on §15(b) and §15(d) BIPA violations; electronic signatures explicitly OK for "written release."
- Colorado HB24-1130 (effective July 1, 2025). Privacy Act biometric amendments; AG-only enforcement; employer scope; volume threshold removed.
- Maryland Online Data Privacy Act (effective October 1, 2025; enforcement April 1, 2026). Biometric data is "sensitive data"; AG enforcement; civil penalties up to $10,000–$25,000.
- Connecticut Data Privacy Act biometric amendments (2025). AG enforcement track strengthened; sensitive-data treatment for biometric.
- Clay v. Union Pacific Railroad Co., No. 25-2185 (7th Cir. April 1, 2026). SB 2979 applies retroactively to pending cases. Materially shrinks pre-2024 BIPA exposure; the litigation-risk landscape post-2026 is meaningfully bounded.
Frequently Asked Questions
What is buddy punching?
Buddy punching is when one employee clocks in or out for another — typically because the second employee is late, leaving early, or absent. The fraudulent punches appear in the employer's time records as legitimate hours, and the employer pays for hours that weren't actually worked. Industry estimates put the cost at roughly 2% of gross payroll across affected workforces; a 2017 QuickBooks survey found 16% of employees who track time admit to buddy punching at least once. Most-affected industries: restaurants, retail, healthcare, manufacturing, hospitality.
Are biometric timeclocks legal?
Federally, yes — there is no federal statute prohibiting biometric workplace authentication. State law is where the exposure lives. Illinois's Biometric Information Privacy Act (BIPA, 740 ILCS 14) requires written notice + written release before any biometric collection, plus a published retention/destruction policy and reasonable data-protection standards. Texas (Tex. Bus. & Com. Code §503.001), Washington (RCW 19.375), Colorado (HB24-1130), and Maryland (Online Data Privacy Act) impose similar requirements but with AG-only enforcement rather than private rights of action. Illinois is the only state with statutory per-violation damages ($1,000 negligent / $5,000 intentional + attorney's fees), capped post-SB 2979 (August 2024) at one recovery per person per method of collection.
What is Illinois BIPA and when does it apply?
The Illinois Biometric Information Privacy Act (740 ILCS 14, enacted 2008) regulates private-entity collection of "biometric identifiers" — retina or iris scans, fingerprints, voiceprints, and scans of hand or face geometry. It applies whenever an Illinois resident's biometric is collected, regardless of where the employer is headquartered or where the timeclock system is hosted. §15 imposes five duties: written retention/destruction policy (§15(a)), written notice + release before collection (§15(b)), no sale of biometrics (§15(c)), no disclosure except under narrow exceptions (§15(d)), and reasonable data-protection standards (§15(e)). §20 provides a private right of action with statutory damages of $1,000 (negligent) / $5,000 (intentional or reckless) per violation, plus attorney's fees.
How did the 2024 BIPA amendment change the landscape?
Illinois SB 2979 (Public Act 103-0769), signed by Governor Pritzker on August 2, 2024, narrowed BIPA recovery to one violation per person per method of collection. Before SB 2979, the Illinois Supreme Court's Cothron v. White Castle ruling (2023 IL 128004) had held that each unauthorized scan was a separate violation — for a timeclock employee punching four times a day for years, the per-scan theory produced "annihilative" damages (White Castle's exposure estimate was up to $17 billion). The 2024 amendment caps recovery at $5,000 (or actual damages, whichever is greater) per person per method, regardless of scan count. The 7th Circuit's Clay v. Union Pacific Railroad Co. (No. 25-2185, April 1, 2026) extended this to pending cases — the amendment applies retroactively.
Is photo-on-punch covered by BIPA?
Photos are explicitly EXCLUDED from BIPA's definition of "biometric identifier" in §10. A timeclock that takes and stores a selfie at clock-in does NOT, by itself, collect a biometric identifier under BIPA. The risk arises when the system PROCESSES the photo to extract facial-geometry data (a "faceprint" or face mesh for matching) — that extracted geometry IS a biometric identifier under §10's "scan of … face geometry." Illinois federal courts have held BIPA applies to systems that scan photographs to create facial-geometry templates. The compliance pivot: storing photos for human review is outside BIPA; running automated facial-recognition matching against an enrolled template is inside BIPA (full §15 compliance required).
What states require notice for GPS clock-in?
Three states have explicit electronic-monitoring notice statutes that touch GPS-tracked workplace activity: Connecticut (C.G.S. §31-48d, written notice before any electronic monitoring, civil penalties up to $3,000 for repeat violations), Delaware (Title 19 §705, daily or one-time notice required), and California (CCPA data-handling obligations for employee location data as "sensitive personal information"). New York's Civil Rights Law §52-c requires written notice on hire for monitoring of phone, email, and internet usage but does NOT specifically cover pure GPS location monitoring — employers deploying GPS clock-in in New York should still provide notice as a defensive posture but §52-c is not the operative statute. None of these regimes carry BIPA-class exposure: notice failures cap in the hundreds-to-thousands per violation, not per scan, with no private right of action layered on statutory damages.
How do I detect buddy punching without biometric collection?
Four non-biometric mechanisms produce comparable deterrent effect without BIPA exposure. (1) Photo-on-punch — a selfie at clock-in stored alongside the punch record, useful for retroactive verification and deterrence (photos are explicitly excluded from BIPA's definition of biometric identifier as long as no facial-geometry extraction occurs). (2) GPS-bounded mobile clock-in — rejects punches outside an approved geofence. (3) Device fingerprint — ties clock-in to a specific phone/tablet/kiosk via device identifiers. (4) IP address restriction — clock-in permitted only from approved work-site IPs. Multi-factor combinations (PIN + photo + geofence + device-ID) produce the strongest detection signal and the strongest retroactive evidentiary record when a punch is disputed — without crossing any biometric-privacy statute's collection threshold.
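As an added example (not Clockspot's code or any system the article describes), the following Python shows how the four non-biometric checks above can be layered on a punch record, plus the "geographically impossible punch" signal referenced later in the article: an impossible-travel check across one employee's consecutive punches. The work-site coordinates, the allowlisted CIDR, the device IDs, and the punches are all constructed sample data; the 150 m geofence radius and the 40 m/s speed ceiling are hypothetical thresholds an employer would tune. Nothing here touches a photo's content, so no facial-geometry extraction occurs; the photo is only recorded as present or absent for later human review.

```python
"""Layered non-biometric buddy-punch detection (added example, constructed data).

Checks per punch: geofence, enrolled device-ID, allowlisted IP, photo-on-punch
present. Check across punches: implied travel speed between consecutive punches.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Set, Tuple

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS-84 coordinates."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))


@dataclass(frozen=True)
class Site:
    name: str
    lat: float
    lon: float
    radius_m: float            # geofence radius around the work site
    networks: Tuple[str, ...]  # CIDRs the site's kiosks / Wi-Fi egress from


@dataclass(frozen=True)
class Punch:
    employee: str
    ts: datetime
    lat: float
    lon: float
    device_id: str
    ip: str
    photo_stored: bool  # selfie captured and kept for human review only (no face-geometry extraction)


# Hypothetical site, allowlisted CIDR and enrolled personal devices (constructed).
SITES = (Site("store-1", 41.8781, -87.6298, 150.0, ("203.0.113.0/24",)),)
ENROLLED_DEVICES: Dict[str, Set[str]] = {
    "emp-101": {"dev-aaa"},
    "emp-102": {"dev-bbb"},
}


def validate_punch(p: Punch, sites=SITES, devices=ENROLLED_DEVICES) -> List[str]:
    """Return the non-biometric checks this punch fails (empty list = clean)."""
    flags: List[str] = []
    if not any(haversine_m(p.lat, p.lon, s.lat, s.lon) <= s.radius_m for s in sites):
        flags.append("outside_geofence")
    if p.device_id not in devices.get(p.employee, set()):
        # Punch from a device enrolled to someone else (a coworker's phone) is the
        # classic buddy-punch signal on personal mobile clock-in.
        flags.append("unenrolled_device")
    addr = ip_address(p.ip)
    if not any(addr in ip_network(n) for s in sites for n in s.networks):
        flags.append("ip_not_allowed")
    if not p.photo_stored:
        flags.append("no_photo")
    return flags


def impossible_travel(punches: List[Punch], max_speed_mps: float = 40.0) -> List[Tuple[str, datetime, datetime]]:
    """Flag pairs of consecutive punches by the same employee whose implied ground
    speed exceeds max_speed_mps (40 m/s is about 144 km/h, generous for a commute)."""
    by_emp: Dict[str, List[Punch]] = {}
    for p in punches:
        by_emp.setdefault(p.employee, []).append(p)
    flagged: List[Tuple[str, datetime, datetime]] = []
    for emp, ps in by_emp.items():
        ps.sort(key=lambda x: x.ts)
        for a, b in zip(ps, ps[1:]):
            seconds = (b.ts - a.ts).total_seconds()
            if seconds > 0 and haversine_m(a.lat, a.lon, b.lat, b.lon) / seconds > max_speed_mps:
                flagged.append((emp, a.ts, b.ts))
    return flagged


# Constructed sample punches: one clean, one from a coworker's phone, one 24 km away
# five minutes after the first punch from an off-site IP with no photo.
T0 = datetime(2026, 5, 18, 8, 0, 0)
SAMPLE_PUNCHES = [
    Punch("emp-101", T0, 41.8782, -87.6299, "dev-aaa", "203.0.113.10", True),
    Punch("emp-102", T0 + timedelta(seconds=20), 41.8782, -87.6299, "dev-aaa", "203.0.113.10", True),
    Punch("emp-101", T0 + timedelta(minutes=5), 42.1000, -87.6298, "dev-aaa", "198.51.100.5", False),
]

if __name__ == "__main__":
    for p in SAMPLE_PUNCHES:
        print(p.employee, p.ts.time(), validate_punch(p) or "clean")
    print("impossible travel:", impossible_travel(SAMPLE_PUNCHES))
```

Each flag is a signal for investigation, not a verdict: the article's own playbook below applies, and the flagged records (photo, GPS, device-ID, IP) are what get preserved as the secondary record.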
What if I discover an employee has been buddy punching?
Investigate before disciplining — the detection signal (photo mismatch, geographically impossible punch, AI pattern flag) is necessary but not sufficient; pull CCTV, badge access logs, and witness testimony to build the evidentiary record. Critically, do not withhold disputed wages at termination: California Labor Code §203 imposes waiting-time penalties of up to 30 days at the employee's daily rate when an employer "willfully" withholds final wages, and an employer's argument that its own time records are unreliable cuts against itself under the Mt. Clemens burden-shift, because those same records show the disputed hours as worked. Best practice: pay the disputed wages at termination, then pursue recovery separately as a civil claim if the investigation confirms fraud.
If You Discover Buddy Punching
The unwinding playbook when a detection signal (photo mismatch, geographically impossible punch, AI pattern flag) surfaces possible buddy punching:
- Investigate before disciplining. Pull the photo + GPS + device-ID records for the suspect punches alongside CCTV (where available), badge access logs, and witness testimony. The detection signal alone is necessary but not sufficient; build the evidentiary record before any action.
- Stage the wages — don't withhold disputed amounts at termination. California §203 waiting-time penalties (up to 30 days of additional pay at the employee's daily rate) attach when the employer "willfully" withholds wages at separation. If the records SAY the hours were worked (which they do — that's the buddy-punching problem in the first place), the employer's argument that the records are unreliable is exactly the Mt. Clemens burden-shift turned against itself. Pay the disputed wages at termination; pursue recovery separately as a civil claim if the investigation confirms fraud.
- Document the secondary record. Photos, GPS logs, device-IDs, and any AI pattern-detection output need to be preserved under whatever retention policy applies — typically the longer of (a) the §516 supplementary-record retention (2 years federally, 3+ years per state) or (b) the litigation-hold posture once any dispute is anticipated. See recordkeeping requirements for the framework.
- If you're using a biometric system, verify BIPA / state-statute compliance is current. The fraud investigation itself doesn't trigger a BIPA claim, but the discovery process often surfaces gaps in §15 compliance that the employer didn't realize were there. Fixing the compliance gaps proactively limits the downstream litigation exposure.
- Consult counsel before a class-affecting policy change. If buddy-punching detection prompts deployment of a new authentication mechanism — facial recognition, fingerprint reader, mandatory mobile clock-in with GPS — the policy change itself can trigger Title VII disparate-impact review, NLRA scrutiny (if union activity is in progress), ADA accommodation review, and (in Illinois) full BIPA §15(b) compliance for any new biometric collection. The policy-change vehicle is when the legal exposure cascades.
The Through-Line
The dominant prevention technology is the dominant litigation trigger. That's the structural feature this article rests on. The economic case for buddy-punch detection is real — industry estimates around 2% of payroll, 16% of employees admitting to it at least once — but the standard answer (fingerprint reader, facial-recognition clock-in) puts the employer in BIPA territory in Illinois, in CUBI territory in Texas, and in disparate-impact territory under Title VII anywhere the chosen biometric has documented accuracy gaps.
The 2024 SB 2979 amendment and the 2026 Clay v. Union Pacific retroactivity ruling have bounded the peak Illinois exposure. But "bounded" still means $5,000 per intentional violation × workforce size, plus attorney's fees. The Texas v. Meta settlement at $1.4 billion proved that AG-only enforcement in non-Illinois states can produce nine-figure consequences without a class action. The pre-2024 peak is over; the post-2026 floor is not.
The non-biometric alternative is functionally equivalent for deterrence and stronger for retroactive evidence. Photo-on-punch + GPS-bounded mobile clock-in + device-ID + AI pattern detection produce comparable detection signal at a fraction of the legal risk — and they sidestep the Title VII disparate-impact theory entirely. The strongest defensive posture isn't the most-invasive authentication; it's the layered non-biometric signal that produces both deterrence AND a retroactive evidentiary record when a punch is disputed. Pick the technology that does the job without inviting the lawsuit.
Sources and Authorities
Federal
State biometric privacy
- Illinois Biometric Information Privacy Act (740 ILCS 14)
- Texas Capture or Use of Biometric Identifier Act (Tex. Bus. & Com. Code §503.001)
- Washington RCW 19.375
- NYC Local Law 3 of 2021
State electronic monitoring (for non-biometric GPS / device monitoring)
California
Case law
- Anderson v. Mt. Clemens Pottery Co., 328 U.S. 680 (1946) — recordkeeping burden-shifting.
- Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 — "aggrieved" = bare statutory violation; ~$36M settlement on remand.
- Patel v. Facebook, Inc., 932 F.3d 1264 (9th Cir. 2019) — BIPA class-action standing; $650M settlement (2020).
- Rogers v. BNSF Railway Co., 680 F.Supp.3d 1027 (N.D. Ill. 2023) — first BIPA jury verdict ($228M, October 2022); judgment vacated June 30, 2023 with new damages trial ordered.
- Cothron v. White Castle System, Inc., 2023 IL 128004 — each scan = separate violation; ~$17B "annihilative" exposure estimate; $9.39M settlement on remand (Judge Tharp, N.D. Ill.).
- Clay v. Union Pacific Railroad Co., No. 25-2185 (7th Cir. April 1, 2026) — 2024 BIPA amendment applies retroactively.
Texas v. Meta
About Clockspot
Clockspot is online time clock software for small businesses — the simplest way to track employee time, with GPS location tracking, PTO accruals, job costing, and overtime calculation. Used in all 50 states since 2007.