Fast-food chain Wendy’s is facing down a lawsuit in Illinois over its use of fingerprint scanners to track employees at work in retail locations, according to court documents obtained by ZDNet.
The complaint, a class action filed by former Wendy’s employees Martinique Owens and Amelia Garcia, argues that Wendy’s use of Discovery NCR Corporation fingerprint scanners to track employee hours and access to cash registers and point-of-sale systems is in violation of the Illinois Biometric Information Privacy Act (BIPA). Namely, BIPA requires employees to be notified in writing “of the specific purpose and length of time for which their fingerprints were being collected, stored, and used,” ZDNet wrote, as well as requires employers obtain “explicit consent” from staff in the form of writing to collect and use their biometric data. The plaintiffs say Wendy’s does not do this.
According to ZDNet, the plaintiffs say Wendy’s does not even inform staff what will happen to their fingerprints if they quit, are fired, or otherwise leave the company:
Wendy’s also doesn’t provide a publicly available retention schedule and guidelines for permanently destroying employees’ fingerprints after they leave the company, plaintiffs said.
... Wendy’s did not respond to a request for comment. Plaintiffs’ lawyers declined to comment when reached.
In the complaint, ZDNet added, the plaintiffs wrote that biometric information like fingerprints are unique and permanent, and sloppy handling of such information could expose staff to “serious and irreversible privacy risks.” They want Wendy’s to pay out damages, as well as clarify whether the fast food chain sold and/or leased any of the data or used it to track employees.
BIPA itself was created in the aftermath of Pay By Touch, a “point of sale biometric authentication” company that promised to revolutionize retail by letting customers simply touch a sensor to pay for products like groceries. It later crashed amid allegations of mismanagement and securities fraud.
As the company collapsed, it became clear that fingerprint and banking data collected by stores that had installed Pay By Touch terminals was ending up in its central servers. That potentially made it eligible for resale to the highest bidder, ZDNet noted. Even at the time, newspapers noted that the theft of a unique biometric identifier can be a bigger problem than losing other data, like a Social Security number. (Just look at India’s sprawling Aadhaar database, which is allegedly rife with counterfeiting and fraud, and the potential for the use of biometrics in mass surveillance programs.)
BIPA’s passage set off a number of legal battles between tech giants like Facebook and Google on the one hand and consumers who said biometrics were being collected without explicit opt-in consent. Alphabet, Google’s parent company, launched a lobbying campaign aimed at exempting photos from the law after a similar one by Facebook petered out, according to Bloomberg. Most of the lawsuits filed under BIPA, however, have related to employers who collected data on staff.