Maybe it’s your first day on the job. Perhaps your manager just made an announcement. You’ve been asked to scan your fingerprint every time you clock in and out. Is that even allowed?

From Hooters to Hyatt Hotels, employers tantalized by the promise of a futuristic, streamlined way to track workers’ attendance are starting to use time clock machines that fingerprint employees.

Vendors like Kronos and Allied Time say that because the machines are tied to your biometric information—unique characteristics such as your face, fingerprints, how you talk, and even how you walk—they provide a higher level of workplace security and limit employees’ ability to commit “time theft” by punching in for one another.

But the benefits for your boss may come at a cost to you—both your privacy and possibly your health.

With the global outbreak of COVID-19, your personal health could be at risk when using frequently touched screens and fingerprint scanners. The Centers for Disease Control says that coronavirus can remain on surfaces for hours, so screens and scanners should be regularly disinfected with cleaning spray or wipes. And you should wash your hands for 20 seconds or use alcohol-based hand sanitizer immediately after using one.

In addition to these health concerns, critics argue that biometric devices pose massive personal security issues, exposing workers to potential identity theft and subjecting them to possible surveillance from corporations and law enforcement.  

In an amicus brief in a case before a federal court of appeals, a group of privacy advocates, including the ACLU and the EFF, wrote that “the immutability of biometric information” puts people “at risk of irreparable harm in the form of identity theft and/or tracking.”

“You can get a new phone, you can change your password, you can even change your Social Security number; you can’t change your face,” said Kade Crockford, the Technology for Liberty program director at ACLU of Massachusetts. 

Companies facing legal action over their use of the machines range from fast food joints like McDonald’s and Wendy’s, to hotel chains like Marriott and Hyatt, to airlines like United and Southwest.  

In some cases, the companies have countered in the lawsuits that their employees’ union agreement allows the use of the machines: “Southwest and United contend that the plaintiffs’ unions have consented—either expressly or through the collective bargaining agreements’ management-rights clauses—and that any required notice has been provided to the unions,” the court’s opinion states.

Other companies have not responded to requests for comment or have said they cannot comment on active litigation. 

Privacy and labor laws have lagged behind the shifts in the American workplace. But in some places, you have the right to refuse and even sue.

As the collection and use of biometrics has exploded, lawmakers in three states have responded by passing laws restricting its deployment. 

Illinois
Illinois’s Biometric Information Privacy Act (BIPA), enacted in 2008, was the first major biometric privacy law passed by a state. Enacted after a company, Pay-By-Touch, went bankrupt and attempted to sell off customers’ fingerprint data, the law restricts companies’ ability to use and distribute biometric data. But consumers aren’t the only ones protected.

If you’re working in Illinois, your employer is required to inform you that your biometric data is being collected, why it’s being collected, and how long it is being stored—all in writing. It also has to get your written permission.

If your employer doesn’t comply, you’re entitled to a private right of action. Dozens of companies have been sued in Illinois for their use of fingerprint-scanning time clocks without the consent of their employees.

Texas and Washington
Texas and Washington have similar laws to Illinois’s on the books, but with a few key differences. Both states leave the right to litigation to the attorney general.

In Texas, the Capture or Use of Biometric Identifier law, or CUBI, relates only to biometric data used for a “commercial purpose,” a pretty vague term. While your employer still has to ask for your consent, the bar is a little lower—it doesn’t need your written permission. If you leave your job, your employer is supposed to delete your biometric information.

Washington’s biometric identifiers law has an exemption for security purposes. This means that your employer’s use of biometrics may not be covered by the law if your employer argues that it improves the security of your workplace. (The promise of improved security is one of the pitches vendors of the biometric time clocks make to businesses.)

Some object to biometric data collection out of religious concerns. In West Virginia, the EEOC took Consolidation Coal Company to court after it forced a longtime employee to retire because his religious beliefs prevented him from scanning his hand to track his work attendance.

As an Evangelical Christian, he said he believed that scanning his hand would place the “Mark of the Beast” on him, as described in the Bible’s Book of Revelation. 

The EEOC won the case against the mining company, and the man was awarded $150,000 in damages.

In New York, it’s illegal for your boss to use biometric fingerprinting, thanks to a labor department interpretation of a state law banning the fingerprinting of most employees. This hasn’t stopped employers from trying. (SwipeClock, a finger-scanning time clock vendor, assures potential buyers that “the very employees” who are probably committing time theft “are the ones that would not voluntarily use biometric time clocks” and that New Yorkers can simply “implement hand geometry, and iris or retina scanning” to get around the law.) 

Collective bargaining can help employees who might be confronted with new tech in the workplace. “One of the things that’s usually in union contracts is language about any changes that the management would make that impact the working conditions,” said  Crockford. “One way that people can organize to ensure that their employers are not forcing this kind of technologies on them is to unionize.”

New York’s Metropolitan Transit Authority began installing fingerprint time clock machines in earnest last summer, after an independent investigation found an unexpected $119 million jump in overtime over the previous year. The Association of Commuter Rail Employees filed a complaint with the New York State Department of Labor regarding the machines. 

In a November letter to the MTA board, Carolyn Pokorny, the MTA inspector general, wrote that the full implementation of the machines faced “challenges such as union agreements and access by remote mobile field staff” but noted that the time clocks weren’t the only solutions the MTA has in mind. It also has been testing mobile phone and “voice authorization” check-ins for employees.

An MTA spokesperson told The Markup that “the vast majority of our 74,000 employees are registered and actively using our modern timekeeping system, with the exception of a small number of employees affected by collective bargaining issues and clocks being installed at remote field locations.” 

When asked for clarification about how many “a small number” was, the spokesperson responded, “A few thousand.”

Does your workplace make you use your fingers, face, or other body parts to clock in? Let us know at tips@themarkup.org. 

Do you have a question for Ask The Markup? Email us at ask@themarkup.org.