You are running operations across multiple California job sites. Your crew is a mix of W2 employees, 1099 contractors, and hourly workers spread across locations. Manual timesheets are not working. Buddy punching is costing you money. You found a face recognition time tracking system that solves the problem.
Then someone asks: is this even legal in California?
It is a fair question. California has some of the strictest data protection laws in the country and the rules around biometric data, including facial scans, are specific. Before you roll out any face-based attendance system across your workforce, you need to know exactly where the law stands, what it requires, and what happens if you get it wrong.
If you are managing a large, multi-site workforce in industries like construction, facility management, property management, and contracting, this is not just a legal question but an operational one.
Here is what California data privacy law actually says, what it means for your business, and how to deploy face recognition time tracking the right way.
What You Will Learn
Whether facial recognition is legal for private employers in California
Which California data privacy law actually governs biometric data and who it applies to
Whether your business meets the CCPA threshold for biometric time tracking compliance
What W2 employees, 1099 contractors, and hourly workers can legally request regarding their biometric data
What your organization must do before deploying a face recognition time tracking system in California
What to look for in a biometric time tracking system built for California compliance
How Truein is designed to support California biometric privacy requirements
Is Facial Recognition Legal in California for Private Employers?
Yes. There is no California law that bans private employers from using face recognition for employee attendance or time tracking.
The restrictions on facial recognition in California apply to government agencies and law enforcement, not to private businesses. Construction companies, facility management firms, contractors, and businesses managing hourly workforces across multiple sites can legally use face-based clock-in systems.
What the law requires is compliance. California regulates biometric data, including facial scans, under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). Before deploying any face recognition time tracking system, covered businesses must meet specific notice, data rights, and security obligations.
Those obligations apply to W2 employees, 1099 contractors, and hourly workers equally. The employee exemption that previously existed under the CCPA expired on December 31, 2022. Since January 1, 2023, California employees have the same data rights as consumers.
The sections below cover exactly what those obligations are and what compliant implementation looks like in practice.
Does California Have a Biometric Information Privacy Act?
No. California does not have a standalone biometric privacy statute.
If you searched "California Biometric Information Privacy Act" expecting to find something equivalent to Illinois's BIPA, it does not exist. Many HR heads, compliance leads, and business owners make this assumption. It is understandable. Illinois BIPA is the most well-known biometric privacy law in the country and has generated significant attention since class action lawsuits began in 2015.
California took a different approach. Rather than a dedicated biometric statute, the state regulates biometric data within its broader California data protection framework. The California Consumer Privacy Act, enacted in 2018 and operative from January 1, 2020, treats biometric information as personal information subject to consumer rights and business obligations. The California Privacy Rights Act, passed by voters as Proposition 24 in November 2020, strengthened that framework further. The CPRA did not create a separate law. It amended and expanded the CCPA. The California Privacy Protection Agency (CPPA) itself refers to the combined framework simply as "the CCPA."
For a business owner or HR director deciding whether to deploy face recognition time tracking across California job sites, this distinction matters practically.
How California Differs From Illinois BIPA
| | California (CCPA/CPRA) | Illinois (BIPA) |
|---|---|---|
| Type of Law | Comprehensive privacy law with biometric provisions | Standalone biometric privacy statute |
| Consent Model | Notice plus right to limit (opt-out model) | Explicit written consent before collection (opt-in) |
| Private Right of Action | Limited to data breach scenarios | Broad — any violation |
| Litigation Risk | Moderate | Very High |
| Employee Coverage | Yes, since January 1, 2023 | Yes, always included |
| Retention Schedule | No explicit statutory requirement | Written policy required before collection |
The practical difference for a construction company, facility management firm, or contractor managing hourly and W2 workers across multiple California locations: California does not require you to obtain written consent from every employee before enrolling them in a face recognition attendance system the way Illinois does. It requires notice before collection and gives employees the right to limit use in certain circumstances.
That said, the absence of a standalone biometric law does not mean lighter oversight. The California Privacy Protection Agency has independent authority to investigate and fine organizations without waiting for a complaint or a breach.
Which California Data Privacy Law Actually Governs Biometric Data?
The California Consumer Privacy Act is the primary California data protection law that governs how organizations collect, store, and use biometric data. This includes facial scans, fingerprints, and voiceprints collected from employees for attendance and time tracking purposes.
Before getting into what it requires, there is one threshold question every business owner and CFO should answer first: does the CCPA actually apply to your organization?
Does the CCPA Apply to Your Business?
The CCPA applies to for-profit businesses that do business in California, collect California residents' personal information, and meet at least one of the following thresholds:
Annual gross revenue of $26.625 million or more in the preceding calendar year
Buy, sell, or share the personal information of 100,000 or more California residents or households annually
Derive 50% or more of annual revenue from selling or sharing California residents' personal information
If your business does not meet any of these thresholds, the CCPA may not apply directly. That said, many mid-size and large construction companies, property management firms, and facility management organizations operating across multiple California locations will meet the revenue threshold. And any business that processes attendance data for 100,000 or more California residents annually falls under the second threshold regardless of revenue.
Even if the CCPA does not apply directly, deploying face recognition time tracking without notice, security, and data controls carries operational and reputational risk. Best practice is to follow the framework regardless.
What Counts as Biometric Data Under California Law?
Under Cal. Civ. Code Section 1798.140(c), biometric information means an individual's physiological, biological, or behavioral characteristics that can be used to establish identity. For time tracking purposes, this covers:
Facial geometry and faceprints captured at clock-in
Fingerprints used in fingerprint-based time clocks
Voiceprints, iris scans, retina scans, palm and vein patterns
One distinction worth knowing. A photograph of an employee is not biometric data on its own. The moment that photograph is processed or stored for facial recognition purposes, it qualifies as biometric information under the law.
Sensitive Personal Information: A Higher Standard
The CPRA elevated biometric data used to identify an individual to a category called sensitive personal information under Cal. Civ. Code Section 1798.140(ae). This matters because sensitive personal information carries a higher set of obligations than standard personal information.
For W2 employees, 1099 contractors, and hourly workers in California, this classification means their facial scan data collected at clock-in is not treated the same as a name or email address. It sits in a protected category with specific rights attached to it.
One important boundary. Biometric data is explicitly excluded from the definition of publicly available information under the CCPA. Data captured at a shared worksite, a construction site entrance, or a facility lobby does not escape the law's scope because the location is accessible to others.
When Does Face Recognition Time Tracking Fall Under California Data Privacy Law?
If your business meets any of the CCPA thresholds covered in the previous section, and your workforce includes California residents clocking in through a face recognition system, the law applies to your deployment. Most mid-size and large construction companies, facility management firms, and contractors operating across multiple California locations will meet the revenue threshold. If you are not sure, check against the three thresholds in the section above before proceeding.
Who Is Covered Within Your Workforce
The employee exemption under the CCPA expired on December 31, 2022. Since January 1, 2023, W2 employees, 1099 contractors, and hourly workers who are California residents all have the same data rights as consumers. There is no carve-out for employment relationships.
Where Compliance Obligations Attach in the Clock-In Workflow
Three steps in a typical face recognition deployment trigger CCPA obligations:
Enrollment: This is the point of collection. Notice must be provided before the first facial scan is captured. This applies to every worker being enrolled regardless of employment type.
Clock-in verification: Each verification uses the stored biometric template. Its retention and use must be limited to the disclosed purpose of attendance verification.
Vendor involvement: If a third-party vendor operates your system, they are a service provider under the CCPA. Your contract with them must include data processing terms consistent with CCPA requirements.
For HR heads, COOs, and compliance leads managing hourly workforces across California sites, compliance is an ongoing operational requirement, not a one-time setup task.
What California Data Protection Law Requires Employers to Do
Once the CCPA applies to your deployment, here is what it requires. Each obligation is translated into what it means for a business running face recognition time tracking across hourly and multi-site workforces.
Notice at Point of Collection
Before capturing any facial scan, employees must be informed of what is being collected and why. This must be a clear disclosure delivered before enrollment begins. It applies to every W2 employee, 1099 contractor, and hourly worker being onboarded into the system.
Privacy Policy Disclosure
Your privacy policy must list biometric information as a category of data collected, the purpose, and any third parties it is shared with. If you use a third-party time tracking vendor, that relationship must be disclosed.
Right to Know
Employees can request disclosure of what biometric data has been collected, the source, and how it is used. Your organization must respond within 45 calendar days, with a possible 45-day extension.
Right to Delete
Employees can request deletion of their biometric data. This right is not absolute. Exceptions exist where the business needs the data to complete the employment relationship, comply with a legal obligation, or for certain internal uses compatible with the original collection purpose.
Right to Limit Use of Sensitive Personal Information
This right applies only when your organization uses biometric data for purposes beyond those specifically permitted by statute. If facial scan data is used solely for identity verification at clock-in, that use may already fall within permitted purposes. This right does not automatically allow employees to opt out of a biometric attendance system entirely.
Data Security
Reasonable security procedures must be in place to protect biometric data. Encryption, access controls, and documented retention policies are expected. A breach of unencrypted biometric data due to inadequate security gives affected employees the right to file a civil lawsuit.
Third-Party Sharing Restrictions
California Labor Code Section 1051 prohibits sharing employee fingerprints or photographs with third parties where it could be used to the employee's detriment. This is not a blanket prohibition on using vendors. It targets sharing that could harm the employee.
Penalties for Non-Compliance
Getting this wrong carries real financial exposure.
The CPPA can impose administrative fines of up to $2,663 per unintentional violation and up to $7,988 per intentional violation. Fines are calculated per affected individual. A non-compliant deployment across a workforce of 300 hourly workers does not produce one fine. It can produce up to 300.
If a data breach exposes unencrypted biometric data due to inadequate security, affected employees can file a civil lawsuit without needing to show additional harm. Statutory damages are $100 to $750 per consumer per incident, or actual damages if higher. Class actions are permitted.
The CPPA does not need to wait for a complaint or a breach to investigate. It can act on its own initiative.
For CFOs and business owners running operations across multiple California sites, the exposure scales directly with workforce size. The cost of getting compliance right before deployment is significantly lower than remediation after an enforcement action.
What California Biometric Privacy Compliance Means for Your Time Tracking System
Understanding the law is one thing. Knowing what it means for the system you deploy is another.
Many businesses assume compliance is their responsibility alone. It is not that simple. The time tracking system you choose either makes compliance easier or harder. If the system is not built with California data protection requirements in mind, the burden falls entirely on your team to fill the gaps manually.
Here is what a compliant biometric time tracking workflow looks like in practice.
Enrollment Must Include Disclosure
The clock-in system should deliver the required notice to each worker before any facial scan is captured. This should be built into the enrollment flow itself, not handled separately through a paper form. It must cover W2 employees, 1099 contractors, and hourly workers equally. The disclosure must be documented and auditable.
Raw Images Should Not Be Retained
A system that stores raw facial photographs after enrollment creates unnecessary risk. A compliant approach captures the scan, converts it into a mathematical template, and discards the original image. Only the template is used for verification at clock-in. This limits the scope of biometric data held and reduces exposure in the event of a security incident.
Data Retention Must Be Configurable
Your system needs to support configurable retention schedules. When a worker leaves, their biometric template should be deletable. When a deletion request is submitted and validated, the system should be able to fulfill it. A system with no deletion capability leaves your organization exposed to Right to Delete obligations it cannot meet.
Audit Trails Are Non-Negotiable
Every enrollment, every clock-in verification, and every data rights request should be logged. This matters for internal compliance reviews and for any CPPA inquiry. If you cannot demonstrate what data was collected, when, and how it was handled, you cannot demonstrate compliance.
Vendor Contracts Must Reflect CCPA Requirements
If your time tracking system is operated by a third-party vendor, that vendor is a service provider processing sensitive personal information on your behalf. Your contract must include data processing terms consistent with CCPA requirements. Specifically, the vendor must be restricted from using biometric data for any purpose beyond providing the attendance service. Vendors without adequate security measures create exposure for your organization.
The system you choose is not just a time tracking decision. For HR directors, COOs, and compliance heads managing hourly workforces across California, it is a compliance infrastructure decision.
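The workflow described in this section (notice before capture, template-only storage, deletion and retention controls, an audit trail), sketched as an added Python example; it is not Truein's code or any vendor's API. `toy_extractor`, the 30-day retention value, and the hash-chained log format are assumptions made for illustration.

```python
import hashlib
import hmac
import json
from datetime import timedelta


class NoticeRequired(Exception):
    """Raised when enrollment is attempted before the notice was acknowledged."""


def toy_extractor(image: bytes) -> bytes:
    # Constructed stand-in for a face-template extractor, NOT a real biometric model.
    return hashlib.sha256(image).digest()


class AttendanceStore:
    def __init__(self, extract=toy_extractor, retention_days=30):
        self._extract = extract
        self._retention = timedelta(days=retention_days)  # assumed policy value
        self.notices = {}    # worker_id -> notice version acknowledged
        self.templates = {}  # worker_id -> template bytes (never the raw image)
        self.left_at = {}    # worker_id -> offboarding time
        self.audit = []      # append-only, hash-chained entries

    def _log(self, now, event, worker_id, **detail):
        # Each entry commits to the previous one, so later edits are detectable.
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {"ts": now.isoformat(), "event": event, "worker": worker_id,
                 "detail": detail, "prev": prev}
        entry["hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit.append(entry)

    def audit_intact(self) -> bool:
        prev = "0" * 64
        for entry in self.audit:
            body = {k: v for k, v in entry.items() if k != "hash"}
            digest = hashlib.sha256(
                json.dumps(body, sort_keys=True).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != digest:
                return False
            prev = entry["hash"]
        return True

    def acknowledge_notice(self, worker_id, notice_version, now):
        self.notices[worker_id] = notice_version
        self._log(now, "notice_acknowledged", worker_id, version=notice_version)

    def enroll(self, worker_id, raw_image: bytearray, now):
        # Gate: no capture is processed until the notice has been acknowledged.
        if worker_id not in self.notices:
            self._log(now, "enroll_refused", worker_id, reason="no_notice")
            raise NoticeRequired(worker_id)
        self.templates[worker_id] = self._extract(bytes(raw_image))
        raw_image[:] = bytes(len(raw_image))  # zero the capture buffer; only the template is stored
        self._log(now, "enrolled", worker_id, notice=self.notices[worker_id])

    def verify(self, worker_id, raw_image: bytearray, now) -> bool:
        stored = self.templates.get(worker_id)
        probe = self._extract(bytes(raw_image))
        raw_image[:] = bytes(len(raw_image))
        # Real matchers score similarity against a threshold; equality suits the toy extractor.
        ok = stored is not None and hmac.compare_digest(stored, probe)
        self._log(now, "clock_in", worker_id, matched=ok)
        return ok

    def offboard(self, worker_id, now):
        self.left_at[worker_id] = now
        self._log(now, "offboarded", worker_id)

    def delete(self, worker_id, now, reason) -> bool:
        # Deletion requests are logged even when there is nothing left to remove.
        removed = self.templates.pop(worker_id, None) is not None
        self._log(now, "template_deleted" if removed else "delete_noop",
                  worker_id, reason=reason)
        return removed

    def purge_expired(self, now) -> list:
        # Retention schedule: remove templates of workers who left long enough ago.
        due = [w for w, t in self.left_at.items()
               if w in self.templates and now - t >= self._retention]
        for w in due:
            self.delete(w, now, reason="retention_expired")
        return due
```

Running `purge_expired` on a schedule and checking `audit_intact()` during compliance reviews covers the retention and audit-trail points above in one place.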
What to Look for in a California-Compliant Biometric Time Tracking System
If you are evaluating face recognition time tracking for a California workforce, the compliance architecture of the system matters as much as the features. Here is a practical checklist for HR heads, COOs, CFOs, and compliance leads making this decision.
Built-in Consent and Disclosure Flow
The system should deliver employee notice and capture acknowledgment before any facial scan is taken. This should not require a separate process managed by your HR team. It should be built into enrollment. Look for systems where the disclosure step is configurable, documented, and produces an auditable record for every W2 employee, 1099 contractor, and hourly worker enrolled.
Template-Based Storage, Not Raw Image Storage
Ask your vendor directly: do you store raw facial images after enrollment? A compliant system converts the facial scan into a mathematical template and discards the original image. Raw image storage increases the scope of sensitive personal information held and raises security and compliance risk unnecessarily.
Deletion and Retention Controls
The system must support deletion of individual worker records. When an employee leaves or submits a validated deletion request, their biometric template must be removable. Configurable retention schedules are essential for multi-site operations managing high worker turnover, common in construction, facility management, and contracting environments.
Audit Logs
Every enrollment, clock-in event, and data rights request should be logged with timestamps. This is not optional. Without audit trails, you cannot demonstrate compliance to the CPPA, respond to employee data requests accurately, or defend against a breach claim.
Access Controls
Biometric data should be accessible only to authorized personnel. Role-based access controls limit who within your organization can view, export, or manage employee biometric records. This is a basic security requirement under the CCPA's reasonable security standard.
Vendor Data Processing Agreement
Your vendor contract must restrict the vendor from using biometric data for any purpose beyond providing the time tracking service. It should also specify security standards, breach notification obligations, and data deletion procedures at contract termination. If a vendor cannot provide a data processing agreement consistent with CCPA requirements, that is a red flag.
Security Certifications
Look for vendors with independently verified security certifications. ISO 27001 and SOC 2 Type II are the standard benchmarks. These certifications indicate that security controls have been independently audited, not just self-declared.
Offline Capability With Secure Sync
For construction sites, remote facilities, and locations with unreliable connectivity, the system should support offline clock-in with secure data sync when connectivity is restored. This is an operational requirement for multi-site hourly workforces, and the sync process must maintain the same security standards as online operation.
For business owners and operations heads evaluating options, a vendor that cannot clearly answer questions about data storage, deletion capability, audit logs, and security certifications is not ready for a California deployment.
How Truein Supports Biometric Privacy Compliance in California
Truein is built for exactly the kind of workforce this article is about: construction companies, facility management firms, property managers, and contractors managing W2 employees, 1099 contractors, and hourly workers across multiple California locations. Face-verified clock-in is the core attendance method.
Here is how Truein handles the compliance requirements covered in this article. Worth noting upfront: compliance depends on how your organization implements and configures the system. Truein provides the tools. Your team is responsible for deploying them correctly.
Consent Before Collection
Before any facial scan is captured, employees see a consent screen in the Truein app. They have to actively tap to agree before the camera opens. No scan happens without that step. This is configurable through admin settings and can be enforced across every site and location from a single place.
No Raw Image Storage
Truein does not keep raw facial images after enrollment. The scan comes in, a mathematical template is generated, and the original image is discarded. What gets stored is the template. That is what verifies identity at every clock-in. Less data held means less exposure if something goes wrong.
Your Data Stays Yours
Data collected through Truein belongs to your organization, not to Truein. Truein processes it on your behalf as a service provider. It does not sell it, share it, or use it for anything beyond running the attendance system.
Security That Has Been Tested
Truein holds ISO 27001 and SOC 2 certifications. Data is encrypted at rest and in transit. The platform goes through regular penetration testing and vulnerability assessments, with issues tracked through to verified fixes. A dedicated Data Protection Officer and Chief Information Security Officer oversee how privacy and security are managed across the platform.
No Model Training With Your Data
Truein uses AI for one thing: matching a face at clock-in to verify identity. It does not run generative AI. It does not train models on customer data. The biometric template is used for attendance verification and nothing else.
Deletion When You Need It
When a worker leaves or submits a deletion request, their biometric template and associated records can be removed from the system. Truein supports configurable retention schedules and deletion workflows to help your team respond to these requests. Exceptions under the CCPA still apply, but the system gives you the controls to act when deletion is appropriate.
Built for More Than California
Truein aligns with GDPR and India's Digital Personal Data Protection Act alongside California's framework. Privacy-by-design is applied across markets, not bolted on for a single jurisdiction.
For HR directors, compliance heads, COOs, and CFOs evaluating biometric time tracking for California operations, Truein is designed to support your obligations under California data protection law. Whether it meets your specific requirements depends on your organization's deployment, configuration, and internal processes.
Conclusion
California does not ban face recognition time tracking. It regulates it. That is an important distinction for any business owner, HR director, COO, or CFO evaluating biometric attendance systems for a California workforce.
The CCPA and CPRA set clear obligations. Notice before collection. Data rights for every W2 employee, 1099 contractor, and hourly worker. Reasonable security. Vendor accountability. These are operational requirements, not legal abstractions. They attach to real steps in your deployment workflow.
The compliance question is not whether you can use face recognition time tracking in California. You can. The question is whether your implementation is built to meet what the law requires. That starts with how your system handles enrollment and ends with how your vendor manages data on your behalf.
For businesses running hourly and multi-site operations in construction, facility management, property management, contracting, and similar industries, the operational case for face-based attendance is strong. Buddy punching eliminated. Payroll accuracy improved. Clock-in across multiple locations without hardware dependency. California's biometric privacy rules do not change that case. They shape how you execute it.
Get the implementation right. Choose a system built with compliance in mind. And make sure your internal processes for notice, data rights, and security are in place before go-live, not after.
If you are evaluating face-verified time tracking for a California workforce and want to understand how Truein handles compliance, start with a demo.
1. Does California have a biometric information privacy act?
No. California does not have a standalone biometric privacy statute. Biometric data is regulated as sensitive personal information under the CCPA and CPRA, embedded within California's broader data protection framework.
2. Is facial recognition legal for private employers in California?
Yes, under current law. No state-level statute prohibits private employers from using facial recognition.
3. What are the penalties for violating California's biometric privacy rules?
The CPPA can impose fines of up to $2,663 per unintentional violation and up to $7,988 per intentional violation, calculated per affected individual. Employees can also file civil lawsuits if a data breach exposes their biometric data due to inadequate security.
4. Do employees have to consent to biometric time tracking in California?
California follows a notice-based model with rights to limit use. Employers must provide notice before collection and give employees the right to limit use of their biometric data. Unlike Illinois BIPA, California data privacy law does not require explicit prior written consent before collection.
5. Does the CCPA apply to 1099 contractors and hourly workers, not just full-time employees?
Yes. Since the employee exemption expired on December 31, 2022, all California residents have the same data rights under the CCPA regardless of employment type. W2 employees, 1099 contractors, and hourly workers are all covered. There is no carve-out based on how a worker is classified or how many hours they work.
Disclaimer: This article is for general informational purposes only and does not constitute legal advice. California privacy laws, including the CCPA and CPRA, are complex and may apply differently based on your organization’s structure, data practices, and use of biometric systems. You should consult qualified legal counsel to understand how these laws apply to your specific situation.