Wendy's Sued for Alleged Illinois Biometric Data Law Violations
Author: Robert S. Teachout, XpertHR Legal Editor
October 14, 2019
Two former employees have filed a lawsuit in Illinois against the Wendy's restaurant chain claiming that the way that the company stores and handles biometric data violates the Illinois Biometric Information Privacy Act (BIPA). The suit claims Wendy's biometric practices break state law because the company does not make employees aware of how their data is handled.
BIPA requires companies to develop written policies establishing a retention schedule and guidelines for permanently destroying biometric information once the initial purpose for collecting the biometric information has been satisfied. The law also requires affirmative consent to collect biometric markers and for companies' guidelines to be made available to the public.
The lawsuit specifically targets Wendy's use of biometric clocks that scan employees' fingerprints to log employees' clock-in and clock-out times, and when employees use the Point-of-Sale and cash register systems. The lawsuit claims that Wendy's violates the BIPA provisions by:
- Not informing employees in writing of the specific purpose and length of time for which their fingerprints were being collected, stored and used;
- Not obtaining a written release from employees with explicit consent to obtain and handle the fingerprints; and
- Failing to provide a publicly available retention schedule and guidelines for permanently destroying employees' fingerprints after they leave the company.
In a January 2019 ruling, the Illinois Supreme Court noted that the state legislature made clear that biometrics are unlike other unique identifiers when it enacted BIPA. It said biometrics are "biologically unique to the individual; therefore, once compromised, the individual has no recourse" and is at greater risk for identity theft.
"Unlike key fobs or identification cards - which can be changed or replaced if stolen or compromised - fingerprints are unique, permanent biometric identifiers associated with the employee," the complaint states, so the use of biometric time clocks exposes employees to serious and irreversible privacy risks.
In a recent XpertHR podcast, Greg Abrams, a partner in the Chicago office of the Faegre Baker Daniels law firm, explained, "There's no prohibition on using biometric information. The prohibition is on doing so when the proper steps are not followed. So employers can continue to use biometric identifiers and biometric information, so long as they follow the steps set forth in BIPA."
The plaintiffs are seeking class-action classification and a jury trial for equitable relief, litigation expenses and attorney fees. They also want information on whether Wendy's has "sold, leased, traded, or otherwise profited" from the collected biometric data or used their fingerprints to track them.