A class-action lawsuit has been filed in Illinois against fast-food restaurant chain Wendy’s, accusing the company of breaking state laws in regard to the way it stores and handles biometric data, namely employees’ fingerprints. The complaint is based on Wendy’s practice of using biometric clocks that scan employees’ fingerprints when they arrive at work, when they leave and when they use the Point-Of-Sale and cash register systems.
The lawsuit was filed on Sept. 11, according to a copy of the complaint obtained by ZDNet.
Former Wendy’s employees Martinique Owens and Amelia Garcia filed the suit, claiming that Wendy’s breaks state law, specifically the Illinois Biometric Information Privacy Act, because the company does not make employees aware of how the company handles their data.
More specifically, the lawsuit claims that Wendy’s does not inform employees in writing of the specific purpose and length of time for which their fingerprints were being collected, stored, and used, as required by the BIPA, nor does it obtain a written release from employees with explicit consent to obtain and handle the fingerprints in the first place. The fast-food chain also doesn’t provide a publicly available retention schedule and guidelines for permanently destroying employees’ fingerprints after they leave the company, plaintiffs said.
“While there are tremendous benefits to using biometric time clocks in the workplace, there are also serious risks. Unlike key fobs or identification cards–which can be changed or replaced if stolen or compromised–fingerprints are unique, permanent biometric identifiers associated with the employee,” the plaintiffs wrote in the complaint. “This exposes employees to serious and irreversible privacy risks.”
In addition to asking for equitable relief, litigation expenses, and attorneys’ fees, plaintiffs also want Wendy’s to disclose if it “sold, leased, traded, or otherwise profited from Plaintiffs’ and the Class’s biometric identifiers or biometric information,” and if Wendy’s ever used plaintiffs’ and any of the subsequent class filers’ fingerprints to track them.
(Wendy’s did not respond to a ZDNet request for comment and plaintiffs’ lawyers declined to comment when reached.)
Matthew Kellam, a partner at Laner Muchin Ltd., is not involved in the Wendy’s lawsuit, but he recently told HRE that only three states currently have biometric privacy laws on the books: Illinois, Texas and Washington. (Biometric privacy bills recently failed in Alaska, California, Idaho, Montana, New York, Connecticut, Massachusetts and New Hampshire.)
“The leading state is Illinois,” he said. “This doesn’t just apply to brick-and-mortar companies in Illinois, it applies to Facebook and other companies obtaining biometric data from Illinois residents. A lot of those entities don’t fully understand how to comply with this law or even know about it.”
He says employers in every state should be more aware of current biometric-collection laws for the sake of cybersecurity.
“It’s 2018,” he said. “As cybersecurity becomes more influential in our lives, there’s no way [biometric-privacy laws will only affect employers in] just three states.”