Companies are beginning to use biometric identifiers for employees in place of cards, key fobs, or other identification methods. Illinois is one of the few states that has even begun to wrestle with the privacy and security issues this raises. The complaint for this class action alleges that PAR Technology Corp. has violated Illinois Biometric Information Privacy Act (BIPA).
The class for this action is all residents of Illinois whose fingerprints were collected, captured, received, or otherwise obtained or disclosed by PAR Technology while they were living in Illinois.
In the early 2000s, some corporations began testing biometric-facilitated financial transactions in Chicago and other places in Illinois.
In 2007, one such company, Pay By Touch, filed for bankruptcy. This awoke consumers to the fact that Pay By Touch had files of fingerprint information in its possession which might very well be sold or transferred in the bankruptcy proceedings, creating security risks for a large number of people.
Biometric information includes such things as retina and iris scans, voiceprints, scans of hand and face geometry, and fingerprints. Unlike employee numbers or ID cards, these cannot be changed or replaced. Legislators in Illinois, recognizing the need to begin regulating and protecting such information, passed BIPA.
Under the law, if a company wants to “collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifiers or biometric information,” it must first do three things:
BIPA also defines standards for the handling of the information. For example, companies must have a written policy, available to the public, that sets forth a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information. The destruction must occur when the original purpose for collecting the information has passed or within three years of the person’s last interaction with the company, whichever comes first.
The complaint alleges that PAR Technology violates this still-simple act. PAR sells or leases its point-of-service systems to restaurants. Employees of the restaurants must have their fingerprints collected in order to work there. They then use their fingerprints to scan in and out of work.
According to the complaint, PAR does not tell employees of the purpose for which it is collecting the data. It does not tell employees who will receive or use the data. It does not give employees access to a written, publicly available retention schedule.