The state of Illinois has a Biometric Information Privacy Act (BIPA) to govern the collection, storage, and use of biometric identifiers, such as fingerprints and palm scans. The complaint for this class action alleges that the OHM Concession Group, LLC and OHM Chicago, LLC, along with the biometric companies they employ, have violated BIPA by misusing individuals’ biometric information.
The OHM companies manage restaurants and concessions and employ biometric technologists Heartland Payment Systems and Cross Match Technologies, Inc., who are also defendants in this case, to collect and store biometric data. The use of biometric data helps to reduce timekeeping fraud, but it also poses risks for the individuals whose data is captured and held.
Biometric information is not replaceable. If someone steals your credit card information, you can cancel that credit card and get a new one, with a different number. But you cannot cancel your fingerprints or get a different palm.
BIPA is one attempt to help safeguard biometric data. It requires several things of companies like OHM who want to store and use biometric data: (1) that they inform the individuals involved in writing that their biometric data is being used or stored; (2) that they inform the individuals in writing of the purpose and length of term for which the biometric data will be used; (3) that they obtain a written release for the collection and storage to the biometric data; and (4) that they publish guidelines for permanently destroying the biometric data.
Plaintiff Sylvia Komorski worked at OHM restaurants in Illinois. She was required to scan her fingerprints or other biometrics every time she clocked in or out, but the complaint claims she was never given any information about the use or storage of the information, nor did any of the companies involved publish anything about the eventual destruction of the information.
The complaint alleges that OHM employees’ biometric data was shared with third parties, including “vendors for timekeeping, data storage, and payroll purposes.” Komorski was not told of this dissemination, nor did she consent to it. The complaint points out that she has no idea what will happen to her information if one of the parties which store it goes bankrupt or sells its assets, or what would happen in case of a data breach.
Two classes and a subclass have been proposed for this action.