34 verifiable claims extracted; 30 verified against Tier 1 primary sources (statute text on issuing-body sites, court opinions, NIST publications), 4 marked ⚠ Partial. The Illinois BIPA framework (740 ILCS 14 §§10, 15, 20), the August 2024 SB 2979 amendment, the April 2026 Clay v. Union Pacific retroactivity ruling, the Texas/Meta $1.4B settlement, and the named-case dollar amounts (Patel $650M, Cothron $9.39M, Rogers/BNSF $228M with vacatur, Six Flags $36M) all verify against issuing-body sources. The four ⚠ Partial entries are: the two American Payroll Association statistics (~2% of payroll; the underlying primary publication is hard to anchor — the article already softens to "industry estimates around 2%"), the Robert Half "4.5 hours per employee per week" figure (industry-reported, not peer-reviewed), and the QuickBooks 16% admission rate (proprietary survey, no peer review). No claims required revision.
17 claims
The FLSA's recordkeeping mandate is at 29 CFR §516.
Illinois BIPA is codified at 740 ILCS 14 with private right of action and statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation, plus attorney's fees and injunctive relief.
§20 text confirmed verbatim against the Illinois General Assembly print view.
BIPA's §10 definition of "biometric identifier" covers retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry, and explicitly EXCLUDES photographs (among other categories).
§10 definition and exclusions confirmed verbatim against the ILGA print view.
BIPA §15(a)-(e) imposes five distinct duties: written retention/destruction policy (§15(a)), written notice + release before collection (§15(b)), prohibition on sale (§15(c)), disclosure restriction (§15(d)), reasonable standard of care (§15(e)).
§15(a)-(e) text confirmed verbatim against the ILGA print view, including 3-year-from-last-interaction retention trigger in §15(a).
SB 2979 / Public Act 103-0769 was signed by Governor J.B. Pritzker on August 2, 2024 and capped recovery at one violation per person per method for §15(b) and §15(d) violations; "written release" was updated to explicitly include electronic signatures.
PA 103-0769 text on the Illinois General Assembly site confirms the operative cap language and the electronic-signature addition; signing date confirmed by multiple law-firm analyses.
Texas's CUBI is at Tex. Bus. & Com. Code §503.001; AG-only enforcement; civil penalty up to $25,000 per violation.
§503.001(d) confirms the $25,000 per violation cap and that "[t]he attorney general may bring an action to recover the civil penalty"; the Texas AG biometric page confirms AG-exclusive enforcement.
Washington RCW 19.375 requires notice + consent and is enforced solely by the attorney general.
RCW 19.375.030 states the chapter "may be enforced solely by the attorney general under the consumer protection act, chapter 19.86 RCW" — confirming no private right of action.
NYC Local Law 3 of 2021 (Biometric Identifier Information Law) imposes notice + posting requirements at customer-facing "commercial establishments."
Customer-facing scope ("commercial establishments") and signage/posting requirements confirmed on the official NYC rules site.
New York Civil Rights Law §52-c requires written notice on hire for electronic monitoring of phone, email, and internet usage — and does NOT cover pure GPS / location monitoring.
Statute's plain text covers "telephone conversations or transmissions, electronic mail or transmissions, or internet access or usage" — pure GPS / geolocation falls outside. Section is in N.Y. Civil Rights Law (not Labor Law); canonical section is §52-c (published as §52-c*2 to disambiguate from a separate §52-c). Article correctly uses §52-c and explicitly notes the GPS exclusion.
Connecticut General Statutes §31-48d requires written notice before electronic monitoring; civil penalties up to $3,000 for the third-tier violation.
Penalty tiers ($500 first, $1,000 second, $3,000 third+) and Labor Commissioner enforcement confirmed via the Connecticut General Assembly chapter index and the Justia codification.
Delaware Code Title 19 §705 requires written notice before electronic monitoring, with a daily-notice option available.
Two-option structure (one-time written/electronic notice + acknowledgement, OR electronic daily notice at access) confirmed via official Delaware Code and Justia.
California Labor Code §203 imposes waiting-time penalties of up to 30 days at the employee's daily rate when an employer "willfully" fails to pay final wages.
30-day cap and "willful" trigger confirmed on the California legislative-info site; DIR FAQ confirms operational interpretation.
California Labor Code §226 governs wage statements (and supports derivative §226 claims when buddy-punched hours appear on a stub the employee later disputes).
§226 wage-statement requirements and §226(e) penalty structure confirmed on the California legislative-info site.
Title VII is at 42 USC §2000e and prohibits employer policies that produce disparate impact on a protected class unless "job related and consistent with business necessity."
§2000e-2 disparate-impact framework and "job related and consistent with business necessity" defense confirmed on Cornell LII.
Colorado HB24-1130 — privacy-act biometric amendments — was signed May 31, 2024 and took effect July 1, 2025; AG-only enforcement; employer scope explicit; the CPA volume threshold is removed for biometric processing.
Signed bill PDF and Colorado General Assembly bill page confirm signing date, effective date, employer scope, and the volume-threshold removal for biometric controllers.
Maryland Online Data Privacy Act classifies biometric data as "sensitive data"; civil fines up to $10,000–$25,000 per violation; effective October 1, 2025; AG enforcement begins April 1, 2026.
Effective date and AG-enforcement transition window confirmed via the Maryland chaptered-bill PDF and EPIC's MODPA analysis; biometric "sensitive data" classification confirmed.
A New York statewide biometric privacy bill exists in the 2025–2026 session as S1422 / A6031; not enacted as of this article's publication.
Bill numbers and "not enacted" status confirmed via the NY Senate and Assembly bill pages.
6 claims
Anderson v. Mt. Clemens Pottery Co., 328 U.S. 680 (1946) — when an employer fails to keep accurate time records, the employee can meet the burden of proof by showing "just and reasonable inference" of unpaid hours; the burden shifts to the employer.
Citation and burden-shifting holding confirmed via Cornell LII and Justia.
Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 — the Illinois Supreme Court held that a person is "aggrieved" under §20 by a bare statutory violation, no separate actual injury required.
Illinois Supreme Court opinion PDF confirms unanimous holding and "aggrieved = statutory violation alone" framework.
Cothron v. White Castle System, Inc., 2023 IL 128004 — the Illinois Supreme Court held each unauthorized scan or transmission of biometric data constitutes a separate violation.
Per-scan accrual holding confirmed against the Illinois Supreme Court slip opinion and the EPIC case repository.
Rogers v. BNSF Railway Co., 680 F.Supp.3d 1027 (N.D. Ill. 2023) — first BIPA case to go to a full jury trial; October 12, 2022 verdict found 45,600 reckless or intentional violations and entered judgment at $228 million; the $228M judgment was VACATED on June 30, 2023 when Judge Kennelly ordered a new jury trial limited to damages, holding BIPA §20 damages are discretionary.
Reporter cite (680 F.Supp.3d 1027) confirmed via the Berkeley Law case PDF; vacatur date and "damages discretionary" holding confirmed across multiple law-firm analyses. The article correctly presents the $228M as a vacated verdict, not a binding final judgment.
Patel v. Facebook, Inc., 932 F.3d 1264 (9th Cir. 2019) — Ninth Circuit affirmed class certification; held plaintiffs had Article III standing because development of a face template without consent invades a concrete privacy interest.
Citation and standing/certification holding confirmed against the official 9th Circuit slip opinion.
Clay v. Union Pacific Railroad Co., No. 25-2185 (7th Cir. April 1, 2026) — the Seventh Circuit held the 2024 BIPA amendment applies retroactively to cases pending when the amendment was enacted.
Case number, date, and retroactivity holding confirmed across the Justia case page and multiple law-firm analyses (Covington, Sidley, Paul Hastings, Jackson Lewis). Article correctly identifies the holding as bounding pre-2024 BIPA exposure.
10 claims
White Castle's per-scan exposure under Cothron was estimated at up to $17 billion before settlement.
ABA Business Law Today covers the $17B figure with reference to the Illinois Supreme Court's recitation; the slip opinion itself acknowledges the "annihilative" damages possibility raised by the defendant.
Cothron v. White Castle settled on remand for $9.39 million, finally approved by Judge John J. Tharp Jr. (N.D. Ill.), covering more than 9,000 current and former White Castle employees (Case No. 1:19-cv-00382).
$9.39M settlement amount, Judge Tharp identification, case number, and class size confirmed via Law360, the publicly available settlement agreement, and the dedicated settlement website. Tier 2/3 because court-filed final approval order isn't directly retrievable without PACER; the settlement agreement PDF anchors the dollar figure.
Patel v. Facebook final settlement was $650 million, approved 2020 (revised upward from an initial $550M after Judge James Donato rejected the first proposal).
$650M amount and revision history confirmed via Blank Rome analysis and EPIC case repository.
Rosenbach v. Six Flags settled on remand for approximately $36 million, covering ~1.1 million class members, with distribution over five annual installments (2021–2025).
$36M amount and class structure confirmed across multiple Tier 3 sources (Capitol News Illinois, Top Class Actions, Lewis Brisbois, Business Insurance). The final-approval docket order was not directly retrieved; reporting indicates preliminary approval June 22, 2021 and a final-approval hearing scheduled October 29, 2021 in Lake County. Article phrasing ("approximately $36 million") is accurate to the reported magnitude.
McDonald's "up to $50 million" BIPA settlement — $40M up front plus reserve tranches that can bring the total to $50M depending on claim volume.
$40M base + two $5M reserve tranches structure confirmed across Biometric Update and Hall Booth Smith; the Lark v. McDonald's settlement website corroborates. Article correctly frames as "up to $50 million" rather than asserting full $50M paid.
Kronos / UKG paid $15.3 million to settle BIPA claims tied to its workplace timeclock biometric data processing.
$15,276,227 precise figure (rounded to $15.3M) and ~171,000-person class confirmed via IAPP. Tier 2 / privacy-industry news; court filing not directly retrieved.
Biometric Impressions paid $10.85 million to settle BIPA claims tied to its inkless live-scan fingerprinting service.
$10.85M figure and inkless-live-scan service description confirmed via Top Class Actions and the dedicated settlement website.
iSolved paid $2.48 million to settle BIPA claims tied to workplace biometric data processing.
$2.48M figure confirmed via Top Class Actions; court filing not directly retrieved (Tier 3 only).
Pret A Manger paid $677,000 to settle BIPA claims tied to its employee fingerprint timeclock.
$677K figure and worker-fingerprint timeclock trigger confirmed via Cook County Record local trade reporting.
The Texas v. Meta settlement (announced July 30, 2024) was $1.4 billion — paid as $500 million up front plus $225 million annually 2025–2028.
$1.4B total, July 30, 2024 announcement date, $500M up-front + $225M-annually 2025–2028 schedule confirmed via the Texas AG press release and Texas Tribune coverage. Article correctly notes the payment structure (not a lump sum).
3 claims
Time-clock fraud costs roughly 2% of gross payroll (industry estimate, widely attributed to the American Payroll Association).
The "2% of gross payroll" claim is widely attributed to the American Payroll Association across vendor blogs and HR publications, but the underlying APA primary publication is not surfaced online. Some secondary citations attribute the figure to Nucleus Research alongside or instead of the APA. The article correctly softens to "industry estimates around 2% of gross payroll" with explicit attribution caveat rather than asserting a specific verified APA percentage. Status is ⚠ Partial because the order-of-magnitude claim is consistent across independent sources, but no Tier 1 anchor exists for the specific figure.
QuickBooks' 2017 survey of ~1,000 employees who track time found 16% admit to buddy punching at least once.
16% buddy-punching admission rate confirmed against the publisher's own survey page. Status is ⚠ Partial because the figure comes from a proprietary vendor survey (no peer review, no public methodology audit). The percentage is widely re-cited across HR press; the article correctly identifies it as the source.
Robert Half estimates employers lose roughly 4.5 hours per employee per week to broader "time theft" (long breaks, personal-business time, buddy punching, etc.).
The "4.5 hours per employee per week" figure is widely attributed to Robert Half across HR publications; the underlying Robert Half survey publication is not directly retrievable. The article correctly frames this as a broader-time-theft superset that includes (but isn't limited to) buddy punching. ⚠ Partial because the primary Robert Half report isn't anchored.
1 claim
NIST's 2019 Face Recognition Vendor Test analyzed 189 algorithms across 99 developers and found many were 10–100× more likely to misidentify Black or East Asian faces than white faces, with the highest false-positive rates for Black women.
NISTIR 8280 (the 2019 FRVT demographic-effects publication) confirms the 189 algorithms / 99 developers methodology and the demographic accuracy gaps; the NIST news release summarizes the same findings.
2 claims
As of this article's publication, the New York statewide biometric privacy bill (S1422 / A6031) is not enacted.
NY Senate bill page and LegiScan tracker confirm S1422 has not been enacted as of the verification date; A6031 referred to Assembly Consumer Affairs and Protection committee Feb 25, 2025.
The SB 2979 amendment was effective immediately upon signing (August 2, 2024).
PA 103-0769 confirms "effective immediately upon becoming law" August 2, 2024.
69 unique sources cited across the report — click to audit any claim directly against its evidence.
APA "around 2% of gross payroll" statistic is industry-estimate, not Tier 1. Body text explanation: the figure is widely attributed to the American Payroll Association across HR press, but no primary APA publication anchors the specific percentage. Some sources attribute it to Nucleus Research instead. The article already softens the claim to "industry estimates around 2% of gross payroll" with an explicit attribution caveat. Suggested revision: none required — the framing is appropriate for the available evidence.
QuickBooks 16% admission rate comes from a proprietary vendor survey. Body text explanation: 16% is verified against the publisher's own survey page, but the survey is a vendor publication without peer review or public methodology audit. The article correctly identifies QuickBooks as the source. Suggested revision: none required — the attribution is accurate.
Robert Half "4.5 hours per employee per week" is widely-attributed but the primary Robert Half publication isn't directly retrievable. Body text explanation: industry-estimate quality; multiple HR-press citations agree on the figure, but the underlying Robert Half report isn't anchored. The article correctly frames this as the broader "time theft" superset, not specifically buddy punching. Suggested revision: none required — the framing is appropriate.
Rosenbach $36M final-approval order is reported across Tier 3 sources but the docket order itself was not directly retrieved. Body text explanation: preliminary approval June 22, 2021 is reported; final-approval hearing scheduled October 29, 2021 in Lake County. The $36M amount and class structure are reported consistently across Capitol News Illinois, Top Class Actions, Lewis Brisbois, and Business Insurance. Suggested revision: none required — the article's "approximately $36 million" framing matches the reported magnitude.
Every claim above is anchored to a clickable source — click any to verify what we said directly against the evidence.
See our fact-checking methodology for the standards this report follows.
Clockspot is online time clock software for small businesses — the simplest way to track employee time, with GPS location tracking, PTO accruals, job costing, and overtime calculation. Used in all 50 states since 2007.
Want to simplify how your team tracks time? See how Clockspot works.