A class-action lawsuit has been filed in Illinois against fast food restaurant chain Wendy's accusing the company of breaking state laws in regards to the way it stores and handles employee fingerprints.
The lawsuit was filed on September 11, in a Cook County court, according to a copy of the complaint obtained by ZDNet.
The complaint is centered around Wendy's practice of using biometric clocks that scan employees' fingerprints when they arrive at work, when they leave, and when they use the Point-Of-Sale and cash register systems.
Plaintiffs, represented by former Wendy's employees Martinique Owens and Amelia Garcia, claim that Wendy's breaks state law --the Illinois Biometric Information Privacy Act (BIPA)-- because the company does not make employees aware of how the company handles their data.
More specifically, the lawsuit claims that Wendy's does not inform employees in writing of the specific purpose and length of time for which their fingerprints were being collected, stored, and used, as required by the BIPA, and nor does it obtain a written release from employees with explicit consent to obtain and handle the fingerprints in the first place.
Wendy's also doesn't provide a publicly available retention schedule and guidelines for permanently destroying employees' fingerprints after they leave the company, plaintiffs said.
"While there are tremendous benefits to using biometric time clocks in the workplace, there are also serious risks. Unlike key fobs or identification cards--which can be changed or replaced if stolen or compromised--fingerprints are unique, permanent biometric identifiers associated with the employee," the plaintiffs said in the complaint. "This exposes employees to serious and irreversible privacy risks."
The class-action also names Discovery NCR Corporation, which is the software provider that supplies Wendy's with the biometric clocks and POS and cash register access systems used in restaurants. Plaintiffs said they believe NCR may hold fingerprint information on other Wendy's employees.
NCR wasn't named by accident in the lawsuit. The BIPA law was enacted in 2008 after a huge privacy scandal in the state of Illinois, because of a similar vendor.
In late 2007, a biometric company called Pay By Touch, which provided major retailers throughout Illinois with fingerprint scanners to facilitate consumer transactions, filed for bankruptcy.
At the time, state officials and consumers realized that fingerprints collected at stores weren't actually stored by the retailers, but were sent to Pay By Touch. This alarmed everyone because this data was, at the time, eligible to be sold off to anyone to recoup costs during the bankruptcy procedures. This led lawmakers to come up with BIPA to prevent similar incidents.
Plaintiffs are now requesting a judge a class-action classification and a jury trial. Besides equitable relief, litigation expenses, and
attorneys' fees, plaintiffs also want Wendy's to disclose if it "sold, leased, traded, or otherwise profited from Plaintiffs' and the Class's biometric identifiers or biometric information," and if Wendy's or NCR have ever used plaintiffs' and any of the subsequent class filers' fingerprints to track them.
Wendy's did not respond to a request for comment. Plaintiffs' lawyers declined to comment when reached.