Buddy Punching and Time Clock Fraud: How Employers Can Detect It Safely
A fingerprint timeclock can catch buddy punching, but in Illinois it can also create biometric privacy exposure.
Buddy punching is simple: one employee clocks in or out for another. The payroll loss can look small shift by shift, but it becomes material when employees can punch from the wrong location, the wrong device, or for someone who is late or absent.
The compliance trap is the fix. Fingerprint, face-geometry, and hand-geometry timeclocks can help detect buddy punching, but in Illinois they trigger BIPA's notice, consent, retention, destruction, disclosure, and private-lawsuit framework. The 2024 BIPA amendment, Public Act 103-0769, narrowed repeated-scan damages to one recovery per person, per method, for §15(b) and §15(d) violations. The Seventh Circuit held in Clay v. Union Pacific Railroad Co., No. 25-2185 (7th Cir. Apr. 1, 2026), that the amendment applies retroactively to pending cases. That changed the damages math; it did not remove the compliance duties.
For most employers, the safer first layer is non-biometric detection: GPS-bounded clock-in, device checks, photo-on-punch for human review, manager approval, and pattern alerts. Those controls create evidence when a punch looks wrong without turning every clock-in into a biometric privacy event.
This page walks through the payroll-loss problem, the FLSA recordkeeping overlay, Illinois BIPA after the 2024 amendment, other state biometric privacy laws, and the detection mechanisms that produce useful proof with less legal risk.
Quick reference
- Federal recordkeeping floor: 29 CFR §516.2 requires accurate hours-worked records; 3-year retention for payroll records (§516.5), 2-year retention for supplementary records like time cards (§516.6).
- Anderson v. Mt. Clemens Pottery Co., 328 U.S. 680 (1946) — when employer records are inaccurate, employee meets burden via "just and reasonable inference"; burden shifts to employer to prove actual hours.
- Illinois BIPA, 740 ILCS 14/15 — written notice + written release before biometric collection; written retention policy; limits on sale and disclosure; private right of action.
- Rosenbach v. Six Flags Entertainment Corp., 129 N.E.3d 1197 (Ill. 2019) — statutory violation alone confers "aggrieved" status.
- Cothron v. White Castle System, Inc., 216 N.E.3d 918 (Ill. 2023) — each unauthorized scan is a separate violation (legislatively narrowed by the 2024 amendment).
- Patel v. Facebook, Inc., 932 F.3d 1264 (9th Cir. 2019) — face-template development without consent is a concrete privacy injury; $650 million settlement on remand.
- Illinois SB 2979 / Public Act 103-0769, effective August 2, 2024 — one recovery per person, per method, per violation type for §15(b) and §15(d); electronic signature qualifies as "written release."
- Clay v. Union Pacific Railroad Co., No. 25-2185 (7th Cir. Apr. 1, 2026) — the 2024 amendment applies retroactively to pending cases.
- Texas CUBI, Tex. Bus. & Com. Code §503.001 — written notice + consent; $25,000 civil penalty per violation; AG enforcement only. Meta settled for $1.4 billion (July 30, 2024).
- Washington biometric law, Wash. Rev. Code §19.375 — notice + consent or opt-out; AG-only enforcement under the state Consumer Protection Act (§19.375.030).
- Colorado HB24-1130 — effective July 1, 2025; biometric obligations extended to employee data; AG-only enforcement; volume thresholds removed.
- Maryland MODPA — effective October 1, 2025 (enforcement begins April 1, 2026); biometric data is "sensitive data"; civil fines up to $10,000 per violation.
The 5 most expensive buddy-punching detection mistakes
- Deploying a biometric timeclock in Illinois without BIPA §15 compliance. The Rogers v. BNSF Railway Co. litigation (N.D. Ill.; vacatur opinion reported at 680 F.Supp.3d 1027 (2023)) produced the first BIPA jury verdict on October 12, 2022: 45,600 reckless or intentional violations × $5,000 statutory damages = $228 million entered against BNSF. Judge Matthew Kennelly vacated the award on June 30, 2023, holding that BIPA §20 damages are discretionary, and ordered a new trial limited to damages. Even after the vacatur, the case stands as the largest workplace privacy verdict in U.S. history and the trigger for every subsequent BIPA workplace risk analysis.
- Treating photo-on-punch and face-recognition timeclocks as interchangeable. Photographs are explicitly excluded from the §10 definition of "biometric identifier" in BIPA. A system that stores a photo at clock-in does not collect a biometric identifier. A system that extracts facial-geometry vectors from that photo to match against an enrolled template does, and pulls the employer into full §15 compliance. The Illinois federal courts have repeatedly enforced this distinction.
- Recovering wages from a buddy-punching employee without secondary evidence. Under Anderson v. Mt. Clemens Pottery Co., 328 U.S. 680 (1946), inaccurate time records cut both ways. The §516.2 record showing that Employee B worked the hours becomes the employer's own evidence that the hours were worked. Without a corroborating record (badge log, CCTV, geofence log, photo), the employer cannot prove the negative and cannot defend against the employee's parallel off-the-clock claim.
- Assuming "no private right of action" means "no exposure" in Texas. Tex. Bus. & Com. Code §503.001 allows enforcement only by the Texas Attorney General, but a $25,000 civil penalty per violation × thousands of scans × thousands of employees is material in absolute dollars. On July 30, 2024, AG Ken Paxton announced a $1.4 billion settlement with Meta over facial-geometry processing of Texas residents, the largest single-state settlement in U.S. history and the first major CUBI enforcement action.
- Terminating a buddy-punching employee without paying disputed wages. California Labor Code §203 imposes waiting-time penalties of up to 30 days of additional pay for willful failure to pay wages at termination. If the employer withholds disputed buddy-punched hours and the §516.2 record shows the hours were worked, the §203 clock runs while the employer builds the investigative case. The disciplined sequence: pay the disputed wages, then pursue recovery separately.
The federal floor
29 CFR §516.2 — FLSA recordkeeping
Under §516.2(a), every covered employer must maintain records of:
- §516.2(a)(7) — "Hours worked each workday and total hours worked each workweek"
- §516.2(a)(8) — Total daily or weekly straight-time earnings or wages due for hours worked
- §516.2(a)(9) — Total premium pay for overtime hours
- §516.2(a)(10) — Total additions to or deductions from wages
Retention: 3 years for payroll records (§516.5), 2 years for supplementary records like time cards and wage-computation worksheets (§516.6). The DOL Fact Sheet #21 summarizes the obligations at a practitioner level.
Buddy-punched hours enter the §516 record set as false entries. The hours appear to have been worked because the timeclock recorded them. The employer that later discovers the fraud confronts a record that affirmatively says the hours were worked.
Anderson v. Mt. Clemens Pottery Co., 328 U.S. 680 (1946)
The Supreme Court established the burden-shifting framework that still governs FLSA wage-and-hour disputes. When an employer's records are "inaccurate or inadequate," the employee may meet the burden of proof by showing "the amount and extent of that work as a matter of just and reasonable inference." The burden then shifts to the employer to come forward with evidence of the precise amount of work performed or to negative the reasonableness of the inference. The decision predates the modern FLSA enforcement regime but remains the controlling authority on the evidentiary value of timekeeping records.
For buddy punching, Mt. Clemens is operationally perverse. The employer who discovers Employee A clocked in for Employee B 100 times still owns a §516.2 record that says the hours were worked. To rebut, the employer must produce secondary evidence. In any parallel off-the-clock claim by Employee B ("I worked more hours than the record shows"), the employer's argument that the records are unreliable directly supports the employee's case under Mt. Clemens. Bad records cut both ways.
The practical conclusion: detection mechanisms that produce secondary records (geofence logs, device-ID logs, supervisor-approval workflows, photos) preserve the employer's evidentiary position when the primary punch record is disputed.
The "knew or should have known" standard
The FLSA holds employers liable for off-the-clock work whenever they "knew or had reason to know" the work was being performed. Reich v. Stewart, 121 F.3d 400 (8th Cir. 1997), is one of the leading articulations. Buddy punching produces the inverse problem: the employer pays for hours the employee did not work, and the FLSA creates no federal cause of action against an employer for overpaying. That cost is internal. The recordkeeping-integrity problem, however, creates downstream FLSA exposure, because bad records lose every adjacent dispute under Mt. Clemens.
Illinois BIPA — the load-bearing law
Illinois's Biometric Information Privacy Act, 740 ILCS 14, enacted October 3, 2008, is the most-litigated biometric privacy statute in the United States. Workplace fingerprint, hand-geometry, and face-recognition timeclock systems have produced hundreds of class actions and cumulative settlements exceeding $1 billion. Any analysis of buddy-punch detection has to account for BIPA because biometric authentication is the detection method most likely to trigger class-action privacy exposure.
§10 — definitions
A "biometric identifier" is "a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry." Statutory exclusions: writing samples, written signatures, photographs, demographic data, tattoo descriptions, physical descriptions, donated organs and tissues, blood and serum stored for transplant use, biological materials regulated under the Genetic Information Privacy Act. The photograph exclusion is the load-bearing carve-out for detection-by-photo systems — discussed below.
"Biometric information" is "any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual." The face-template extracted from a photograph is biometric information even when the photograph itself is not a biometric identifier.
§15(a) — written retention policy
A private entity in possession of biometric identifiers must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers when "the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual's last interaction with the private entity, whichever occurs first." The retention-and-destruction obligation runs in parallel with — not in lieu of — the §15(b) consent obligation.
§15(b) — written notice + written release
A private entity may not collect, capture, purchase, receive through trade, or otherwise obtain a person's biometric identifier or biometric information unless it first:
- Informs the subject (or the subject's legally authorized representative) in writing that a biometric identifier or biometric information is being collected or stored;
- Informs the subject in writing of the specific purpose and length of term for which the identifier is being collected, stored, and used; and
- Receives a written release executed by the subject.
The 2024 amendment clarified that "written release" includes an electronic signature.
§15(c) — prohibition on sale
No private entity in possession of biometric identifiers may sell, lease, trade, or otherwise profit from biometric identifiers.
§15(d) — disclosure restriction
No private entity may disclose, redisclose, or otherwise disseminate biometric identifiers unless (1) the subject consents in writing; (2) the disclosure completes a financial transaction requested or authorized by the subject; (3) the disclosure is required by state or federal law or municipal ordinance; or (4) the disclosure is required pursuant to a valid warrant or subpoena.
§15(e) — reasonable standard of care
A private entity must (1) store, transmit, and protect biometric identifiers using the reasonable standard of care within its industry; and (2) in a manner that is the same as or more protective than the manner in which the entity stores, transmits, and protects other confidential and sensitive information.
§20 — private right of action and damages
"Any person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party. A prevailing party may recover for each violation:
(1) against a private entity that negligently violates a provision of this Act, liquidated damages of $1,000 or actual damages, whichever is greater; (2) against a private entity that intentionally or recklessly violates a provision of this Act, liquidated damages of $5,000 or actual damages, whichever is greater; (3) reasonable attorneys' fees and costs, including expert witness fees and other litigation expenses; and (4) other relief, including an injunction, as the State or federal court may deem appropriate."
Illinois is the only state with both a private right of action and statutory damages at the $1,000 / $5,000 level. Texas's CUBI allows AG enforcement only; Washington's RCW 19.375 allows AG enforcement only; Colorado's HB24-1130 amendments preserve AG-only enforcement; Maryland's MODPA preserves AG-only enforcement.
SB 2979 / Public Act 103-0769 — the 2024 amendment
Governor J.B. Pritzker signed Public Act 103-0769 on August 2, 2024, effective immediately. The amendment was the legislature's response to Cothron v. White Castle, which had held each unauthorized scan a separate violation and produced White Castle's estimated $17 billion exposure.
Operative change to §15(b):
"A private entity that, in more than one instance, collects, captures, purchases, receives through trade, or otherwise obtains the same biometric identifier or biometric information from the same person using the same method of collection in violation of subdivision (b) of Section 15 has committed a single violation of subdivision (b) of Section 15 for which the aggrieved person is entitled to, at most, one recovery under this Section."
The same per-person, per-method cap was added to §15(d). The amendment also revised the §10 definition of "written release" to expressly include an electronic signature.
Clay v. Union Pacific Railroad Co., No. 25-2185 (7th Cir. Apr. 1, 2026) — retroactivity
The Seventh Circuit held the 2024 BIPA amendment applies retroactively to cases pending when the amendment was enacted. The court applied the Illinois retroactivity test (Caveney v. Bower, 207 Ill.2d 82 (2003)), reasoning the amendment is procedural-remedial — revising the §20 damages provision rather than the §15 substantive liability standards — and therefore reaches conduct that predates August 2, 2024.
Effect: plaintiffs in pending BIPA workplace cases who alleged thousands of per-scan violations under Cothron are now bounded by a single recovery per person, per method, per violation type. A workplace fingerprint-timeclock class of 1,000 employees that previously projected billions in §15(b) damages now caps at $5 million on §15(b) alone (1,000 × $5,000 intentional). Attorneys' fees remain available.
Damages exposure under the amended structure
| Section | Amended? | Per-person cap |
|---|---|---|
| §15(a) retention schedule | No | Arguably continuing-violation per pre-amendment doctrine |
| §15(b) notice + consent | Yes | One recovery per person per method |
| §15(c) prohibition on sale | No | No cap by amendment |
| §15(d) disclosure | Yes | One recovery per person per method |
| §15(e) standard of care | No | No cap by amendment |
Attorneys' fees under §20(3) remain available across all subsections.
BIPA case law — the load-bearing cases
Rosenbach v. Six Flags Entertainment Corp., 129 N.E.3d 1197 (Ill. 2019)
The Illinois Supreme Court held unanimously that "aggrieved" under §20 means a person whose statutory rights have been violated — no separate actual injury required:
"An individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an 'aggrieved' person and be entitled to seek liquidated damages and injunctive relief."
The case arose from Six Flags Great America's fingerprinting of Stacy Rosenbach's minor son for season-pass admission. The doctrinal holding — that a technical statutory violation alone supports a private right of action — opened every subsequent BIPA workplace claim. Settlement on remand reached $36 million covering roughly 1.1 million class members; final approval entered in Lake County state court in late 2021. Class members who scanned fingerprints between October 2013 and April 2016 received up to $200; later scanners (May 2016 through December 2018) received up to $60. Distribution ran over five annual installments through 2025.
Cothron v. White Castle System, Inc., 216 N.E.3d 918 (Ill. 2023)
The Illinois Supreme Court held each unauthorized scan or transmission of biometric data is a separate violation under §15(b) and §15(d) — not a single accrual at first capture. White Castle had argued the per-scan theory was untenable because it produced "annihilative" damages for a single workplace timeclock. The court acknowledged White Castle's estimated $17 billion exposure but held the statutory text required per-scan accrual:
"Whatever the wisdom of the policy choices made by the legislature, those choices are reflected in the statutory text it has chosen, and the legislature, not this court, is the entity tasked with deciding the policy issues raised by the parties."
The decision was the direct trigger for SB 2979 the following year. On remand, Cothron settled at $9.39 million in the Northern District of Illinois (Case No. 1:19-cv-00382); final approval by U.S. District Judge John J. Tharp Jr. The class covered more than 9,000 current and former White Castle employees.
The $17 billion figure circulates widely in vendor literature as if it were a settlement. It is not. It was White Castle's estimated worst-case exposure under the pre-amendment per-scan theory, as recited in the Illinois Supreme Court's opinion and covered in ABA Business Law Today. The actual settlement is $9.39 million.
Rogers v. BNSF Railway Co., 680 F.Supp.3d 1027 (N.D. Ill. 2023) — first BIPA jury verdict
On October 12, 2022, Judge Matthew Kennelly of the Northern District of Illinois entered judgment in the first BIPA case to reach a full trial. A federal jury found BNSF violated §15(a) and §15(b) when it required truck drivers to scan fingerprints (per some sources, handprints) at rail-yard gates for identity verification. The jury found 45,600 reckless or intentional violations; the court entered judgment at $5,000 × 45,600 = $228 million. The class comprised approximately 45,000 truck drivers.
BNSF argued it did not operate the biometric equipment — a third-party vendor (Remprex) ran the gate scanners — and the jury rejected the vicarious-liability defense.
On June 30, 2023, Judge Kennelly vacated the $228 million award and ordered a new trial limited to the question of damages. The court held that BIPA §20 statutory damages are discretionary, not automatic: the "may recover" language that introduces the §20 damages list confers discretion on the factfinder. The case has continued through subsequent procedural challenges.
Headline lesson: $228 million is the largest reported workplace privacy verdict in U.S. history, and it is not a final judgment. Any citation that treats the $228 million as binding precedent misstates the procedural posture.
Patel v. Facebook, Inc., 932 F.3d 1264 (9th Cir. 2019)
Not a workplace case but the doctrinal proof point for class-action viability. The Ninth Circuit affirmed certification of a class of Facebook users alleging the "Tag Suggestions" facial-recognition feature collected facial-geometry data without consent in violation of BIPA. The court held the plaintiffs had Article III standing: development of a face template without consent invades a concrete privacy interest.
Final settlement on remand: $650 million, approved in February 2021. Judge James Donato had rejected an initial $550 million proposal as inadequate; the parties returned with $650 million, which Judge Donato approved. Patel remains the largest BIPA settlement to date.
Named BIPA settlements and verdicts (workplace and consumer, with the Texas CUBI settlement included for scale)
| Defendant | Amount | Trigger |
|---|---|---|
| Facebook (Patel v. Facebook) | $650M | Tag Suggestions facial recognition |
| Texas v. Meta (CUBI, not BIPA) | $1.4B | Facial-geometry processing of Texas residents |
| McDonald's (Lark v. McDonald's) | up to $50M | Employee biometric login + timeclock |
| BNSF Railway (Rogers v. BNSF, vacated 2023) | $228M | Truck-driver fingerprint at rail-yard gates |
| Six Flags (Rosenbach on remand) | $36M | Season-pass fingerprint enrollment |
| Kronos / UKG (Figueroa v. Kronos) | $15.3M | Fingerprint timeclocks at many Illinois employers |
| Biometric Impressions (Sayas v. BioMetric Impressions) | $10.85M | Inkless live-scan fingerprinting service |
| White Castle (Cothron on remand) | $9.39M | Employee fingerprint timeclock |
| iSolved | $2.48M | Employee fingerprint timeclock |
| Pret A Manger | $677K | Employee fingerprint timeclock |
The McDonald's deal starts at $40 million with two $5 million reserves triggered by claim volume; total exposure caps at $50 million. The Kronos $15.3 million figure ($15,276,227 per court filings) covered approximately 171,000 individuals whose fingerprints were collected via Kronos timeclock software between 2014 and March 2022; the Mariano's / Roundy's class was substantially covered by this umbrella settlement (Kronos being the underlying timeclock vendor).
Other state biometric privacy laws
Texas — Capture or Use of Biometric Identifier Act (CUBI)
Tex. Bus. & Com. Code §503.001 prohibits capturing a biometric identifier "for a commercial purpose" without informing the individual and receiving consent. Civil penalty: up to $25,000 per violation. Enforcement exclusively by the Texas Attorney General; no private right of action.
On July 30, 2024, AG Ken Paxton announced a $1.4 billion settlement with Meta to resolve allegations that Meta processed facial-geometry data of Texas residents via "Tag Suggestions" in violation of CUBI and the Texas Deceptive Trade Practices-Consumer Protection Act. Payment terms: $500 million initial installment, then $225 million annually 2025-2028. It is the largest settlement ever obtained by a single state from a single defendant and the first major CUBI enforcement action, brought more than a decade after the statute's 2009 enactment.
For workplace biometric timeclocks in Texas: no class-action exposure as in Illinois, but $25,000 per violation × thousands of scans × thousands of employees is material in absolute dollars. Texas AG enforcement has now signaled willingness to bring large cases.
Washington — Wash. Rev. Code §19.375
Wash. Rev. Code §19.375.020 prohibits enrolling a biometric identifier in a database "for a commercial purpose" without first providing notice and obtaining consent OR offering an opt-out mechanism. Notice may be context-dependent (not required to be in writing).
Wash. Rev. Code §19.375.030: "This chapter may be enforced solely by the attorney general under the consumer protection act, chapter 19.86 RCW." The word "solely" rules out any private right of action. Enforcement history is much thinner than Illinois or Texas.
Colorado — HB24-1130
Colorado amended the Colorado Privacy Act in 2024 (HB24-1130; signed May 31, 2024; effective July 1, 2025) to add biometric-specific obligations: written policy, retention schedule, data-deletion procedures, written consent before collection. AG-only enforcement. Workplace biometric collection (employee data) is covered: HB24-1130 extends biometric-specific protections to the employment context, even though the broader Colorado Privacy Act generally does not apply to employees. The law removes the Colorado Privacy Act's normal volume thresholds for biometric data — any controller processing biometric identifiers from Colorado residents must comply regardless of volume.
Maryland — Online Data Privacy Act (MODPA)
The Maryland Online Data Privacy Act takes effect October 1, 2025; enforcement begins April 1, 2026. Biometric data is classified as "sensitive data" requiring strict-necessity processing. Civil fines up to $10,000 per violation ($25,000 per subsequent same violation). Maryland AG enforces; no private right of action. The statute applies to controllers and processors generally and is not carved out by employment as a category.
Connecticut — Connecticut Data Privacy Act
The Connecticut Data Privacy Act treats biometric data as "sensitive data" subject to opt-in consent. AG-only enforcement. 2025 amendments expanded the scope of facial-recognition restrictions for state agencies; workplace biometric collection by private employers remains subject to the general CDPA sensitive-data framework.
NYC Local Law 3 of 2021 — Biometric Identifier Information
Effective July 9, 2021. Applies to "commercial establishments" (retail stores, places of entertainment, food and drink establishments) that collect, retain, or share customers' biometric identifiers. The law is customer-facing in primary scope:
- Signage requirement at all customer entrances disclosing biometric collection;
- Absolute prohibition on selling or sharing biometric data for value;
- Private right of action: $500 for failure-to-post (with 30-day cure), $500 negligent sale, $5,000 intentional/reckless sale.
Employee-only timeclocks fall outside the "commercial establishment" customer-facing scope. The law applies at the margins where a kiosk performs biometric authentication for both customers and employees.
New York Civil Rights Law §52-c — electronic monitoring
Signed by Governor Hochul November 8, 2021; effective May 7, 2022. N.Y. Civil Rights Law §52-c (also published as §52-c*2 to disambiguate from a separate §52-c on unlawful dissemination of digitized sexually explicit material) requires private employers to provide written notice upon hiring (and post in a conspicuous location) of any electronic monitoring of telephone conversations, email, or internet access/usage. The employee must acknowledge in writing or electronically. Penalties: $500 first offense, $1,000 second, $3,000 third and subsequent. Enforced by the New York Attorney General; no private right of action.
The statute's plain text reaches telephone, email, and internet monitoring — not pure GPS or biometric collection. Pure geofence-only enforcement does not trigger §52-c, but mixed surveillance that captures internet traffic alongside location data does.
Connecticut General Statutes §31-48d — electronic monitoring notice
Requires prior written notice before electronic monitoring of employees, delivered at the time of hiring or when monitoring is first implemented. Civil penalties: $500 first offense, $1,000 second offense, $3,000 third and subsequent. Enforced by the Connecticut Labor Commissioner; no private right of action.
Delaware Code Title 19 §705 — electronic monitoring notice
Two compliance options: (a) one-time written or electronic notice with employee acknowledgement (written or electronic), or (b) electronic daily notice whenever an employee accesses employer-provided email or internet services. The statute reaches telephone, email, and internet access monitoring; not biometric-specific.
The post-2024 map: Illinois remains the only state combining a private right of action with statutory damages for workplace biometrics. Texas's AG-track enforcement is the second-tier risk; the $1.4 billion Meta settlement signals AG willingness to bring significant cases. Colorado, Washington, Maryland, and Connecticut all create compliance obligations enforced by their respective AGs.
State-by-state landscape
| Jurisdiction | Biometric privacy law | Private right of action | Workplace scope | Citation |
|---|---|---|---|---|
| Illinois | BIPA (740 ILCS 14) | Yes — $1,000 / $5,000 per violation | Yes | 740 ILCS 14/15, 14/20 |
| Texas | CUBI | No — AG only ($25,000/violation) | Yes | Tex. Bus. & Com. Code §503.001 |
| Washington | RCW 19.375 | No — AG only | Yes (commercial purpose) | Wash. Rev. Code §19.375.020, .030 |
| Colorado | CPA + HB24-1130 | No — AG only | Yes (HB24-1130 extends to employees) | Colo. Rev. Stat. §6-1-1308 et seq. |
| Maryland | MODPA | No — AG only | Yes (biometric = sensitive data) | Md. Code Com. Law §14-4607 |
| Connecticut | CDPA | No — AG only | Yes (sensitive-data framework) | Conn. Gen. Stat. §42-515 |
| New York (state) | None enacted (S1422 / A6031 pending) | N/A | N/A | NY Senate S1422 (2025) |
| New York City | Local Law 3 of 2021 | Yes (customer-facing) | No (customer scope) | NYC Admin. Code §22-1201 |
| California | CCPA / CPRA sensitive-data category | No — Cal. Privacy Protection Agency and AG | Yes since January 1, 2023 (the CCPA's employee-data exemption expired) | Cal. Civ. Code §1798.140(ae) |
| All other states | No biometric-specific statute | N/A | Standard tort + breach-notification laws | — |
Pending New York legislation: S1422 / A6031 (2025-2026 session) is modeled on Illinois BIPA — written-release requirement, retention schedule, private right of action with statutory damages. S1422 advanced through the Senate Consumer Protection Committee in May 2025 (6-1 vote); A6031 was referred to Assembly Consumer Affairs and Protection in February 2025. Neither has been enacted. Prior session attempts (S4457 in 2023, A27 in 2021) similarly did not pass.
Non-biometric detection mechanisms
The legal-risk asymmetry between biometric and non-biometric detection is the load-bearing operational point. A fingerprint reader places an Illinois employer in BIPA territory. A GPS-restricted mobile clock-in places the employer in standard electronic-monitoring territory: notice required in some states, but no per-scan statutory damages and no private right of action at the BIPA level.
Geolocation (GPS) on mobile clock-in
Records GPS coordinates at clock-in and clock-out; rejects punches outside an approved geofence. Notice obligations:
- New York Civil Rights Law §52-c — applies to mixed internet/telephony monitoring; pure geofence likely outside the text;
- Connecticut General Statutes §31-48d — written notice required;
- Delaware Code Title 19 §705 — one-time or daily notice;
- California Consumer Privacy Act — data-handling obligations as sensitive personal information.
Not biometric under any state statute. No private right of action with statutory damages at the BIPA $1,000 / $5,000 level. Penalty exposure for notice failures is in the hundreds to low thousands per violation, not per scan.
IP-address restrictions
Clock-in permitted only from approved work-site IPs (kiosk or office Wi-Fi). Lowest privacy footprint of any detection mechanism. Not regulated under the monitoring statutes: no individual identifier is captured beyond what any web session already collects, although an IP address is personal information under the CCPA. Two practical limits: a shared office NAT address proves only where a punch came from, not who made it, so IP checks locate the punch rather than authenticate the employee; and the check is defeated by any employee who can reach the site network remotely (VPN, split tunnel). Useful for fixed-location workforces; not useful for field workers.
Device fingerprint / unique device ID
Tying a clock-in to a specific phone, tablet, or kiosk via device identifiers. In practice this means a per-install app identifier or a device-bound token issued at enrollment rather than a hardware serial: current iOS and Android builds randomize Wi-Fi MAC addresses and do not expose the IMEI to ordinary apps. Generally not biometric under any state statute. Borderline analysis where a device ID is paired with biometric unlock (face unlock to access the app): the unlock event happens on the device and is not captured by the employer's system, so it generally does not trigger BIPA.
Photo on punch
Selfie captured at clock-in and clock-out, stored alongside the punch record. Useful for (a) retroactive verification when a punch is disputed, (b) deterrent effect on buddy punching (employees know there is a photo trail), and (c) Mt. Clemens evidentiary defense — the photo proves who punched.
Under BIPA: photographs are explicitly excluded from the §10 definition of "biometric identifier." A timeclock that takes and stores a photo, full stop, does not collect a biometric identifier.
Where it gets risky: if the system processes the photo to extract facial-geometry data — a face mesh, a mathematical face template for matching — that extracted data is biometric information under §10 (a "scan of … face geometry"). Illinois federal courts have held BIPA applies to systems that scan photographs to create facial-geometry templates. The compliance pivot: storing the photo for human review is outside BIPA; running a facial-recognition match against an enrolled template is inside BIPA and requires full §15 compliance.
Multi-factor combinations
Lowest risk plus highest deterrent: PIN + photo + geofence + device-ID. None of the components are biometric identifiers. The combination produces strong signal for both detection (the system flags inconsistencies between factors) and adjudication (the photo plus GPS produces retroactive proof when a punch is challenged).
Pattern detection on punch data
Pattern-recognition systems that flag suspicious punch patterns without any biometric collection — two employees consistently clocking in at the same second, geographically impossible punches (Employee A in two places at once), repeat patterns over weeks. No identifier captured beyond what is already in the payroll record. No privacy-statute exposure.
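The geofence rejection, the cross-factor consistency check and the punch-pattern rules described above can all be run over an ordinary timeclock export without touching a biometric identifier. The script below is an added example, not code from this article or from any timeclock vendor. The record layout, the site coordinates and 75 m radius, the device-binding table, the 2-second co-punch window, the 900 km/h travel ceiling, the three-day repeat threshold and every punch record are constructed assumptions for illustration; each rule returns flags for a human reviewer rather than taking action on its own.

```python
"""Non-biometric punch validation over a timeclock export: geofence, device
binding, synchronized-punch, impossible-travel and repeat-pattern flags.
Added example; layout, thresholds and all records are constructed assumptions."""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed geofences: site -> (centre lat, centre lon, radius in metres).
SITES = {"warehouse": (41.8781, -87.6298, 75.0)}

# Constructed device binding: employee -> enrolled phone/kiosk id.
ENROLLED_DEVICE = {"E101": "dev-a1", "E102": "dev-b2", "E103": "dev-c3"}

# Constructed export rows: (employee, event, ISO timestamp, lat, lon, device_id, site).
PUNCHES = [
    ("E101", "in",  "2026-03-02T08:00:03", 41.87812, -87.62981, "dev-a1", "warehouse"),
    ("E102", "in",  "2026-03-02T08:00:03", 41.87812, -87.62981, "dev-a1", "warehouse"),  # same second, same device as E101
    ("E103", "in",  "2026-03-02T07:58:10", 41.88150, -87.62980, "dev-c3", "warehouse"),  # about 380 m off site
    ("E103", "out", "2026-03-02T12:00:00", 41.87809, -87.62982, "dev-c3", "warehouse"),
    ("E103", "in",  "2026-03-02T12:20:00", 42.36010, -71.05890, "dev-c3", "warehouse"),  # Boston, 20 minutes later
    ("E101", "out", "2026-03-02T16:30:00", 41.87810, -87.62975, "dev-a1", "warehouse"),
    ("E102", "out", "2026-03-02T16:30:00", 41.87810, -87.62975, "dev-a1", "warehouse"),
    ("E101", "in",  "2026-03-03T08:01:15", 41.87812, -87.62981, "dev-a1", "warehouse"),
    ("E102", "in",  "2026-03-03T08:01:15", 41.87812, -87.62981, "dev-a1", "warehouse"),
    ("E101", "in",  "2026-03-04T07:59:40", 41.87812, -87.62981, "dev-a1", "warehouse"),
    ("E102", "in",  "2026-03-04T07:59:41", 41.87812, -87.62981, "dev-a1", "warehouse"),
]

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres (spherical Earth, R = 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371000.0 * asin(sqrt(a))

def seconds_between(ts_a, ts_b):
    return (datetime.fromisoformat(ts_b) - datetime.fromisoformat(ts_a)).total_seconds()

def geofence_flags(punches, sites=SITES):
    """Punches whose coordinates fall outside the assigned site's radius."""
    flags = []
    for emp, _ev, ts, lat, lon, _dev, site in punches:
        clat, clon, radius = sites[site]
        dist = haversine_m(lat, lon, clat, clon)
        if dist > radius:
            flags.append(("outside_geofence", emp, ts, round(dist)))
    return flags

def device_flags(punches, enrolled=ENROLLED_DEVICE):
    """Punches made from a device other than the one bound to the employee."""
    return [("device_mismatch", emp, ts, dev)
            for emp, _ev, ts, _lat, _lon, dev, _site in punches
            if enrolled.get(emp) != dev]

def synchronized_punch_flags(punches, window_s=2):
    """Two different employees punching within window_s of each other on one device."""
    flags, by_device = [], defaultdict(list)
    for p in punches:
        by_device[p[5]].append(p)
    for dev, rows in by_device.items():
        rows.sort(key=lambda p: p[2])
        for i, a in enumerate(rows):
            for b in rows[i + 1:]:
                if seconds_between(a[2], b[2]) > window_s:
                    break  # rows are time-ordered; nothing later can fall in the window
                if a[0] != b[0]:
                    flags.append(("synchronized_punch", a[0], b[0], a[2], dev))
    return flags

def impossible_travel_flags(punches, max_kmh=900.0):
    """Consecutive punches by one employee that imply travel faster than max_kmh."""
    flags, by_emp = [], defaultdict(list)
    for p in punches:
        by_emp[p[0]].append(p)
    for emp, rows in by_emp.items():
        rows.sort(key=lambda p: p[2])
        for a, b in zip(rows, rows[1:]):
            km = haversine_m(a[3], a[4], b[3], b[4]) / 1000.0
            hours = seconds_between(a[2], b[2]) / 3600.0
            # Same-second punches from materially different places are impossible by definition.
            speed = km / hours if hours > 0 else (float("inf") if km > 0.1 else 0.0)
            if speed > max_kmh:
                flags.append(("impossible_travel", emp, a[2], b[2], round(km)))
    return flags

def repeat_pattern_flags(sync_flags, min_days=3):
    """Employee pairs that co-punch on at least min_days distinct calendar days."""
    days = defaultdict(set)
    for _kind, a, b, ts, _dev in sync_flags:
        days[tuple(sorted((a, b)))].add(ts[:10])  # ISO date prefix
    return [("repeat_pattern", a, b, len(d)) for (a, b), d in days.items() if len(d) >= min_days]

def review_queue(punches=PUNCHES):
    """All flags grouped by rule, for a payroll reviewer rather than automatic discipline."""
    sync = synchronized_punch_flags(punches)
    return {
        "outside_geofence": geofence_flags(punches),
        "device_mismatch": device_flags(punches),
        "synchronized_punch": sync,
        "impossible_travel": impossible_travel_flags(punches),
        "repeat_pattern": repeat_pattern_flags(sync),
    }
```

Run on the constructed rows, `review_queue()` surfaces E103's two off-site punches and the Chicago-to-Boston jump, E102's four punches from a device bound to E101, the four same-second co-punches of E101 and E102, and the fact that the pair repeats across three days. Each flag carries only employee ids, timestamps, coordinates and a device id, all of which are already in the payroll record, which is why this layer stays outside biometric statutes while still producing the retroactive evidence Mt. Clemens calls for.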
Federal employment law adjacents
Title VII — disparate-impact risk for facial recognition
The National Institute of Standards and Technology's 2019 Face Recognition Vendor Test analyzed 189 face-recognition algorithms across 99 developers and found many algorithms 10 to 100 times more likely to misidentify Black or East Asian faces than white faces; false-positive rates were highest for Black women.
Under Title VII (42 USC §2000e), an employer policy that produces disparate impact on a protected class is unlawful unless "job related and consistent with business necessity." The EEOC's four-fifths rule treats a selection rate for a protected group below 80 percent of the majority's rate as presumptive evidence of disparate impact.
For a workplace facial-recognition timeclock with documented higher error rates on one racial group, mis-identified employees could pursue a disparate-impact theory if the resulting outcomes — disciplinary write-ups, missed punches, docked pay — affect protected-class members disproportionately. No controlling case has yet established the theory, but the NIST-documented accuracy gaps give plaintiffs a citable factual basis for it.
ADA — accommodation
Employees who cannot use a specific authentication method (worn fingerprints from manual labor, missing fingers, certain disabilities preventing facial-geometry capture) have an ADA right to reasonable accommodation. The standard accommodation is an alternate authentication method — PIN plus supervisor attest, or manual entry with review. The employer's burden is to provide a workable alternative, not to abandon the system.
NLRA — surveillance of union activity
Section 7 of the National Labor Relations Act protects concerted activity. Employer surveillance specifically directed at union activity is a §8(a)(1) unfair labor practice. Generic timeclock detection is not §8(a)(1) material in itself; mass-deploying biometric or GPS clocks in response to a union drive could be inferred as targeted surveillance. The risk is low for buddy-punch detection specifically but worth flagging in any broader employer-surveillance discussion.
Wage-hour cluster cross-links
Recordkeeping (29 CFR §516)
Buddy-punched hours enter the §516 record set as false entries. Detection mechanisms — photos, GPS logs, device IDs — produce secondary records that themselves may carry retention obligations. The §516 retention windows (3 years for payroll, 2 years for supplementary records) apply to the primary record; secondary detection artifacts inherit whichever retention period the employer's policy sets — often shorter, often per the BIPA §15(a) "3 years from last interaction" rule when biometrics are involved.
Cross-link: recordkeeping-requirements-by-state § "FLSA recordkeeping requirements (29 CFR §516)."
Off-the-clock work — inverse problem, same mechanism
Buddy punching: hours appear in the record that were not worked (employer overpays). Off-the-clock work: hours were worked but do not appear in the record (employer underpays). The same Mt. Clemens burden-shift cuts both. When records are unreliable, the employer loses the evidentiary advantage in both directions.
Cross-link: off-the-clock-work-by-state § "The Mt. Clemens burden-shifting rule."
California Labor Code §226 — pay-stub derivative claims
If buddy-punched hours appear on a §226 pay stub and the employee later disputes them, the wage statement may be "inaccurate" under §226(e), triggering penalties of $50 for the first pay period and $100 for subsequent pay periods, capped at $4,000 per employee plus attorneys' fees. The exposure is asymmetric: the employer can be on the hook for §226 penalties even on overpaid hours because the §226 claim addresses accuracy of the statement, not directionality of the error.
Cross-link: pay-stub-requirements-by-state § "California §226 derivative claims."
California Labor Code §203 — waiting-time on termination
Terminating an employee for buddy punching while withholding disputed wages triggers §203 waiting-time exposure: up to 30 days of additional pay at the employee's daily rate. The employee's argument that they did work the hours — which the §516.2 record itself supports — puts the employer in a difficult evidentiary position. Best practice: investigate buddy-punch claims before the termination and the final payroll cycle; pay the disputed wages and pursue recovery separately if the investigation confirms fraud.
Recent changes (last 18 months)
| Change | Effective | Significance |
|---|---|---|
| Illinois SB 2979 / Public Act 103-0769 | August 2, 2024 | Per-person, per-method recovery cap on §15(b) and §15(d); electronic signature qualifies as written release |
| Texas v. Meta settlement ($1.4B) | July 30, 2024 | First major Texas CUBI AG enforcement; established AG-track viability |
| Colorado HB24-1130 | July 1, 2025 | AG-only enforcement; written policy + consent; employee data scope; volume thresholds removed |
| Maryland Online Data Privacy Act | October 1, 2025 (enforcement April 1, 2026) | Biometric data classified as sensitive; civil fines up to $10,000 / $25,000 |
| Clay v. Union Pacific Railroad Co. (7th Cir.) | April 1, 2026 | The 2024 BIPA amendment applies retroactively to pending cases |
The throughline: the 2024 BIPA amendment plus the 2026 retroactivity ruling has materially narrowed Illinois workplace BIPA exposure. The peak was 2019-2023; the post-2024 landscape is more bounded. Texas-style AG enforcement is the rising risk in other states.
FAQ
Does federal law prohibit buddy punching?
No federal statute directly prohibits buddy punching. The federal exposure is indirect, via 29 CFR §516.2 recordkeeping integrity. Inaccurate records lose every adjacent FLSA dispute under Anderson v. Mt. Clemens Pottery Co., 328 U.S. 680 (1946).
Can an employer use a fingerprint timeclock in Illinois?
Yes, with full BIPA §15 compliance: written notice, written release before first capture, written retention-and-destruction policy made available to the public, reasonable standard of care for storage and transmission, no sale or disclosure absent the §15(d) exceptions. The 2024 amendment (Public Act 103-0769) caps per-person recovery for repeated identical violations at one recovery per method, but it does not waive the compliance obligations themselves.
Is a photo timeclock subject to BIPA?
Not if the system only captures and stores a photograph — photographs are explicitly excluded from the §10 definition of "biometric identifier." A system that extracts facial-geometry data from the photograph for matching against an enrolled template does fall within BIPA, because the extracted facial-geometry information meets the §10 definition.
What's the difference between BIPA and Texas CUBI?
Both require notice and consent before biometric collection. Illinois BIPA confers a private right of action with $1,000 negligent / $5,000 intentional statutory damages per violation; Texas CUBI permits enforcement only by the Texas Attorney General with a $25,000 civil penalty per violation. Illinois has produced the workplace class-action litigation; Texas has produced the AG-led billion-dollar enforcement action (the $1.4 billion Meta settlement in July 2024).
Does GPS clock-in require notice in New York?
GPS-only collection is not clearly covered by N.Y. Civil Rights Law §52-c, which reaches telephone, email, and internet monitoring. Mixed surveillance that captures internet traffic alongside location data does trigger §52-c. Best practice: provide written notice on hire of any electronic monitoring, including geolocation, even when the statute's text is ambiguous.
Can I recover wages from an employee who buddy-punched?
The employer can pursue recovery, but the §516.2 record showing the hours is the employer's own evidence that those hours were worked. Without secondary evidence (badge logs, CCTV, geofence logs, photos, supervisor testimony), the employer cannot prove the negative. Best practice: build the secondary record before disciplinary action; pay disputed wages at termination to avoid California Labor Code §203 waiting-time exposure; pursue recovery separately.
Does the 2024 BIPA amendment apply to my pending case?
Yes, per Clay v. Union Pacific Railroad Co., No. 25-2185 (7th Cir. Apr. 1, 2026). The Seventh Circuit held the amendment applies retroactively because it is procedural-remedial — revising the §20 damages provision rather than the §15 substantive liability standards. Plaintiffs in pending cases who alleged thousands of per-scan violations are now capped at one recovery per person, per method, per violation type.
What's the cheapest detection method that still produces an evidentiary record?
PIN plus photo at clock-in, paired with a geofence check, produces a multi-factor record without crossing into BIPA. The PIN authenticates against the employee record; the photo creates a stored image (excluded from BIPA's §10 definition); the geofence verifies location. None of the three components is a biometric identifier under any state statute. The combined record is admissible in any subsequent dispute about whether the hours were worked.
If you discover you've been doing this wrong
- Stop the bleed first. Pause the disputed enforcement action (termination, write-up, wage recovery) until the secondary evidence record is in place. Continuing to act on inaccurate timeclock data compounds the exposure.
- Document the recordkeeping gap. Identify which §516.2 records are unreliable. Catalogue the time period, the employees affected, the parallel records that exist (badge logs, CCTV retention windows, dispatcher notes). The catalog is the foundation of every subsequent decision.
- If you're using biometric authentication in Illinois without §15 compliance, stop collecting. Disable the biometric capture. Switch to non-biometric authentication (PIN, photo, badge) for the interim. Then layer in §15 compliance — written notice, written release, retention-and-destruction policy posted publicly — before reactivating biometric capture. Consult counsel about pending-case exposure; the 2024 amendment caps recovery but does not waive the compliance obligation.
- Pay disputed wages at termination; recover separately. California Labor Code §203 imposes up to 30 days of additional pay at the employee's daily rate for willful failure to pay wages at termination. Withholding disputed buddy-punched hours runs the §203 clock while the investigation continues. The disciplined sequence: pay, then investigate, then recover via separate civil action if warranted.
- Stand up secondary records prospectively. Geofence on mobile clock-in. Photo on punch (stored, not face-matched). Device-ID binding to a specific phone or tablet. Supervisor approval workflow for edits. The secondary record set is what preserves the employer's evidentiary position under Mt. Clemens when the primary punch record is later disputed.
The bottom line
The recordkeeping integrity problem and the biometric privacy problem are the same problem from opposite directions. Inaccurate time records lose every adjacent FLSA dispute under Mt. Clemens; biometric authentication that prevents inaccuracy creates BIPA exposure that can exceed the value of the inaccuracy it prevented. The highest-leverage move is the secondary record: photo plus geofence plus device-ID, none of them a biometric identifier under any state statute, all of them admissible when the primary timeclock record is disputed. The 2024 BIPA amendment and the 2026 retroactivity ruling have narrowed but not eliminated the Illinois workplace exposure; the Texas $1.4 billion Meta settlement signals AG-track risk is rising in the remaining biometric-statute states.
Sources
Federal
- 29 CFR §516.2 (FLSA recordkeeping) — https://www.ecfr.gov/current/title-29/subtitle-B/chapter-V/subchapter-A/part-516/subpart-A/section-516.2
- 29 CFR §516.5 — https://www.ecfr.gov/current/title-29/subtitle-B/chapter-V/subchapter-A/part-516/subpart-A/section-516.5
- 29 CFR §516.6 — https://www.ecfr.gov/current/title-29/subtitle-B/chapter-V/subchapter-A/part-516/subpart-A/section-516.6
- DOL Fact Sheet #21 (FLSA recordkeeping) — https://www.dol.gov/agencies/whd/fact-sheets/21-flsa-recordkeeping
- 42 USC §2000e (Title VII) — https://www.law.cornell.edu/uscode/text/42/2000e
- 29 USC §157 (NLRA Section 7) — https://www.law.cornell.edu/uscode/text/29/157
- 29 USC §158(a)(1) (NLRA Section 8(a)(1)) — https://www.law.cornell.edu/uscode/text/29/158
- NIST Face Recognition Vendor Test (2019 demographic effects) — https://www.nist.gov/news-events/news/2019/12/nist-study-evaluates-effects-race-age-sex-face-recognition-software
State
- 740 ILCS 14 (Illinois BIPA) — https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004
- Illinois Public Act 103-0769 (SB 2979) — https://www.ilga.gov/legislation/publicacts/103/103-0769.htm
- Tex. Bus. & Com. Code §503.001 (Texas CUBI) — https://statutes.capitol.texas.gov/Docs/BC/htm/BC.503.htm
- Texas AG biometric page — https://www.texasattorneygeneral.gov/consumer-protection/file-consumer-complaint/consumer-privacy-rights/biometric-identifier-act
- Wash. Rev. Code §19.375 — https://app.leg.wa.gov/RCW/default.aspx?cite=19.375
- Wash. Rev. Code §19.375.030 — https://app.leg.wa.gov/RCW/default.aspx?cite=19.375.030
- Colorado HB24-1130 (signed bill PDF) — https://content.leg.colorado.gov/sites/default/files/2024a_1130_signed.pdf
- Colorado General Assembly HB24-1130 bill page — https://leg.colorado.gov/bills/hb24-1130
- Maryland Online Data Privacy Act (Md. Code Com. Law §14-4601 et seq.) — https://mgaleg.maryland.gov/2024RS/chapters_noln/Ch_454_sb0541E.pdf
- NYC Local Law 3 of 2021 (Biometric Identifier Information) — https://rules.cityofnewyork.us/rule/biometric-identifier-information/
- NYC Admin. Code Chapter 12 — https://codelibrary.amlegal.com/codes/newyorkcity/latest/NYCadmin/0-0-0-42626
- N.Y. Civil Rights Law §52-c — https://www.nysenate.gov/legislation/laws/CVR/52-C*2
- NY Senate S1422 (2025) — https://www.nysenate.gov/legislation/bills/2025/S1422
- NY Assembly A6031 (2025) — https://www.nysenate.gov/legislation/bills/2025/A6031
- Conn. Gen. Stat. §31-48d — https://www.cga.ct.gov/current/pub/chap_557.htm#sec_31-48d
- Del. Code tit. 19 §705 — https://delcode.delaware.gov/title19/c007/sc01/index.html
- Cal. Lab. Code §203 — https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=203.&lawCode=LAB
- Cal. Lab. Code §226 — https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=226.&lawCode=LAB
Case law
- Anderson v. Mt. Clemens Pottery Co., 328 U.S. 680 (1946) — https://www.law.cornell.edu/supremecourt/text/328/680
- Rosenbach v. Six Flags Entertainment Corp., 129 N.E.3d 1197 (Ill. 2019) — https://www.illinoiscourts.gov/Resources/f71510f1-fb2a-43d8-ba14-292c8009dfd9/123186.pdf
- Cothron v. White Castle System, Inc., 216 N.E.3d 918 (Ill. 2023) — https://www.illinoiscourts.gov/Resources/4a91d1c6-cbc7-4523-b9d9-f9c8ce0e3e21/128004.pdf
- Rogers v. BNSF Railway Co., 680 F.Supp.3d 1027 (N.D. Ill. 2023) (vacatur) — https://www.law.berkeley.edu/wp-content/uploads/2025/03/14-Rogers-v-BNSF-Railway-Company.pdf
- Patel v. Facebook, Inc., 932 F.3d 1264 (9th Cir. 2019) — https://cdn.ca9.uscourts.gov/datastore/opinions/2019/08/08/18-15982.pdf
- Clay v. Union Pacific Railroad Co., No. 25-2185 (7th Cir. Apr. 1, 2026) — https://law.justia.com/cases/federal/appellate-courts/ca7/25-2185/25-2185-2026-04-01.html
- Reich v. Stewart, 121 F.3d 400 (8th Cir. 1997) — https://law.justia.com/cases/federal/appellate-courts/F3/121/400/602856/