California Employees and Biometric Privacy
A clear guide to how California workplace privacy rules shape biometric data collection and employee rights.
California employers that use fingerprints, facial templates, hand scans, or other biometric tools must navigate a privacy framework that goes beyond ordinary workplace rules. State law treats biometric information as sensitive data, and in many situations employees and applicants have rights to notice, access, and limits on how that information is collected and used.
That matters because biometric tools are now common for timekeeping, secure entry, identity verification, and device access. At the same time, California law places meaningful restrictions on sharing, retention, and broader use of that information, and the rules can overlap with general privacy obligations and older labor statutes.
Why biometric data is treated differently
Biometric identifiers are unique physical or behavioral traits used to identify a person. In the workplace, that can include fingerprints, facial recognition data, voice-related identifiers, or similar technology used to authenticate access.
Unlike a password, a biometric trait cannot be changed if it is exposed or misused. For that reason, privacy laws often treat biometric data as especially sensitive and require employers to explain what they collect, why they collect it, and who may receive it.
- Biometric tools can improve security and reduce fraud.
- They can also create privacy and compliance risks if used without proper disclosures.
- Employers may face exposure if data is shared, retained too long, or collected without adequate notice.
How California law protects workers
California does not rely on a single rule for biometric privacy. Instead, employee protections come from a mix of consumer privacy law, labor law, and general data-security duties.
The California Consumer Privacy Act, as amended, covers certain employee and applicant information, including biometric information. Under that framework, covered businesses must disclose what categories of information they collect and how they use it, and workers may have rights to know, access, and in some cases delete information.
California Labor Code section 1051 adds another layer by prohibiting employers from obtaining fingerprints or photographs from employees and then furnishing that information to third parties. A violation of that section is treated as a misdemeanor.
In practice, this means that biometric use may be allowed for internal purposes such as clocking in or access control, but that does not give an employer a free hand to circulate the data outside the company.
What information may be covered
California privacy rules are broad enough to reach more than just a fingerprint file. Depending on the system in use, covered information may include identifiers tied to facial recognition, access logs linked to a worker, or records showing how biometric authentication was used.
| Type of information | Common workplace use | Key privacy concern |
|---|---|---|
| Fingerprint data | Time clocks, secure entry | Sharing, retention, unauthorized access |
| Facial recognition data | Device login, attendance systems | Notice, accuracy, third-party use |
| Voice or behavioral identifiers | Authentication systems | Overcollection and disclosure |
| Associated records | Audit trails, access logs | Linking data to a specific worker |
The practical compliance issue is not just the raw biometric template. It is also the surrounding information that shows how the system works, where the data goes, and whether vendors or affiliates can access it.
Notice and consent are central
A recurring theme in biometric privacy laws is informed notice followed by meaningful consent. Industry guidance and state-law summaries consistently explain that employers should tell workers what biometric data is being collected, how it will be used, and how long it will be kept.
In many workplaces, written consent is the safest approach even when the precise legal requirement varies by state or system. That is especially true where third-party vendors operate the technology or store the data.
- Give employees a clear written explanation before collection begins.
- Identify the purpose of the biometric system.
- Explain whether a vendor handles storage or processing.
- Obtain a signed consent form when feasible.
Employee rights under California privacy rules
California workers have privacy rights that go beyond a one-time notice. Under the CCPA framework, employees may request to know what categories of information the employer collected, where the information came from, the business purpose for collecting it, and the categories of third parties that received it.
Workers may also have rights to access specific pieces of information, and the law recognizes protections against retaliation for exercising those rights. In addition, the framework gives workers a right to understand when employers are monitoring them and why, which is especially relevant when biometric systems are paired with surveillance or attendance analytics.
For employers, this means a biometric program cannot be treated as an isolated equipment decision. It becomes part of a broader privacy compliance program that should address requests, response timelines, verification procedures, and data-handling practices.
Retention, security, and deletion
Collecting biometric data is only the beginning. Employers must also decide how to secure it, who can see it, how long it remains useful, and when it must be deleted.
Good privacy practice generally calls for limited access, strong technical safeguards, and defined disposal rules. Several state-law summaries note that biometric information should be destroyed once it is no longer needed for the purpose for which it was collected.
That approach is especially important because biometric data can create lasting harm if exposed. A breached fingerprint or facial template may be far more sensitive than a lost access card because the identifier is tied to the individual and cannot simply be reissued.
Third-party vendors create added risk
Many employers rely on outside vendors to store or process biometric data. That arrangement can simplify operations, but it also adds a legal obligation to vet the vendor’s security and privacy practices.
Employers should confirm that the vendor limits use of the data, protects confidentiality, and does not repurpose the data for its own commercial goals. They should also make sure contracts address access controls, retention, deletion, and incident response.
If a vendor operates across state lines, the employer should also consider whether out-of-state collection triggers other biometric privacy laws. Some state statutes can apply based on where the data is collected or where the business activity occurs, not just where the employer is headquartered.
Biometric use is allowed, but only with discipline
California law does not ban every workplace use of biometric technology. Internal uses such as clocking in, identity confirmation, or secure entry can be lawful when they are handled carefully.
The legal risk rises when the employer expands use beyond the original purpose, discloses the information to outsiders, or fails to maintain reasonable security. In that sense, the critical question is not whether biometrics are used at all, but whether the employer can justify the collection, limit the use, and protect the data at every step.
Compliance steps for employers
Employers that want to use biometric tools in California should build privacy requirements into the program before rollout, not after complaints arise.
- Inventory every biometric tool and every type of data it captures.
- Prepare a written notice that explains purpose, storage, access, and deletion.
- Use written consent forms where possible.
- Limit collection to what is necessary for the stated business need.
- Review contracts with vendors and cloud providers.
- Adopt retention and destruction schedules.
- Train HR, IT, and managers on how to respond to worker requests.
Employers should also test whether a less intrusive alternative can accomplish the same purpose. That question is especially important when a biometric system is being proposed for convenience rather than security.
Common mistakes that create liability
Several recurring mistakes drive biometric privacy disputes. One is failing to give a meaningful explanation before collecting data. Another is using the data for a different purpose than the one originally disclosed.
Other common problems include storing the data indefinitely, allowing too many employees to access it, or assuming that a vendor contract alone solves the legal issue. Employers also create risk when they overlook the special rules that apply to employee data under California privacy law and labor law.
Frequently asked questions
Can an employer use fingerprint time clocks in California?
Yes, internal use of biometrics for workplace functions such as timekeeping may be allowed, but the employer must still comply with notice, consent, security, and disclosure rules.
Can a California employer share employee fingerprints with a vendor?
That depends on the arrangement, but sharing biometric data outside the business raises significant legal risk and should be reviewed carefully. California Labor Code section 1051 specifically restricts furnishing employee fingerprints or photographs to third parties.
Do employees have rights to their biometric data?
Under California privacy rules, workers may have the right to know what data was collected, how it is used, and in some cases to access or delete certain information.
Is written consent required?
Written consent is widely recommended and often required by state biometric privacy laws outside California. Even where the law is less explicit, written consent is one of the strongest ways to reduce legal risk.
What should employers do before adopting biometric technology?
They should assess the business need, review the privacy implications, prepare written policies, confirm vendor safeguards, and make sure employees receive understandable notice before collection starts.
Practical takeaway
For California employers, biometric technology is best treated as a regulated privacy program rather than a simple workplace tool. The law expects transparency, restraint, security, and careful control over sharing and retention.
For workers, the key point is that biometric information is not ordinary personnel data. It is sensitive information with special protections, and California law gives employees meaningful tools to ask questions, object to misuse, and demand accountability.
References
- Employee Biometric Data Issues Under California Law — California Employment Law Report. 2020-02-01. https://www.californiaemploymentlawreport.com/2020/02/employee-biometric-data-issues-under-california-law/
- Biometric Data — California Employment Lawyer — Law Office of Ronald P. Ackerman. 2026-07-10. https://lawofficeofronaldpackerman.com/biometric-data/
- Biometric privacy laws | What employers need to know — McNees Law. 2024-07-10. https://www.mcneeslaw.com/biometric-privacy-laws/
- Overview of New Rights for Workers under the California Consumer Privacy Act — UC Berkeley Labor Center. 2024-07-10. https://laborcenter.berkeley.edu/overview-of-new-rights-for-workers-under-the-california-consumer-privacy-act/
- Biometrics in the workplace: Employee privacy considerations — BLR. 2024-07-10. https://blr.com/resources/biometrics-in-the-workplace-employee-privacy-considerations/
- Learn the Rules on Employers’ Use of Biometric Data — SHRM. 2024-07-10. https://www.shrm.org/topics-tools/employment-law-compliance/learn-rules-employers-use-biometric-data
- Biometric Information & Facial Recognition Under the CA Privacy Law — Clarip. 2024-07-10. https://www.clarip.com/data-privacy/ccpa-biometric-information/
- Global Biometrics Regulation Chart — Baker Donelson. 2024-07-10. https://www.bakerdonelson.com/webfiles/Publications/Global-Biometrics-Laws-Chart.pdf
Read full bio of medha deb




