NCR Point-of-Service Products and Use of Biometrics Illinois BIPA Class Action

NCR Corporation’s hardware, software, and other items are designed for banking, telecommunications, retail, and restaurant uses. At issue in this case are its point-of-sale (POS) systems that allow the use of employee biometrics. The complaint alleges that NCR collects and stores the biometrics but does not fulfill the requirements of the Illinois Biometric Information Privacy Act (BIPA) when biometrics are taken for subjects in that state.

The class for this action is all individuals in Illinois who had their biometric identifiers or biometric information collected, captured, taken, received, converted, or otherwise obtained, maintained, stored, used, shared, disseminated, or disclosed by NCR during the applicable statutory period.

Biometrics carry unique risks among identifiers in that they cannot be changed or replaced. If fingerprints are stolen, the subject cannot get a new set of fingers or otherwise replace their prints in the way they can replace a credit or ID card. Biometrics can include such things as fingerprints, retina or iris scans, voiceprints, and scans of facial geometry.

Financial institutions and businesses already use biometrics for timekeeping and other functions, such as identification for bank accounts and cell phones. Hackers and identity thieves have already hit companies like Clearview AI, Facebook/Cambridge Analytica, Suprema, and also Aadhaar, which stores the biometric data of more than a billion citizens of India. Once their biometrics are stolen, individuals have no means of preventing their use for identity theft.

BIPA at least sets a minimum standard for the collection, storage, and use of biometrics for subjects in Illinois.

The NCR equipment at issue in this case consists of both terminal hardware, like the NCR CX5, and cloud-based software, like NCR Aloha. The equipment can be configured to use biometrics, with a fingerprint scanner, to require workers to scan their fingerprints repeatedly at the POS system, for clocking in and out but also for entering restaurant food orders.

The complaint alleges that the workers’ biometric data captured by the POS system “is automatically uploaded to an NCR database, where it is managed, maintained, and stored on NCR’s hosted environments and servers.”

BIPA requires that those who wish to collect, store, and use the biometrics of people in Illinois to do certain things:

• Inform subjects in writing of the purpose and length of time for which their biometrics will be collected, stored, and used.
• Obtain a written release from them permitting their biometrics to be collected, stored, and used.
• Offer a publicly-available retention schedule and guidelines for permanently destroying the biometrics after their original purpose has passed.
• Obtain the consent of subjects to disclose or otherwise disseminate their biometrics to other parties.

The complaint alleges that NCR has done none of these things for its POS systems and workers in Illinois and has therefore violated BIPA.

Article Type: Lawsuit
Topic: Privacy
Tags: BIPA, Biometric Data, Taking/Storing/Using Biometric Data, Your Privacy