White Castle, Cross Match Employee Fingerprint Use BIPA Class Action

The many data breaches suffered by companies, from restaurants to retailers to credit reporting agencies, show that it’s difficult to keep personal information private. That concern is magnified when the information companies store includes biometric data, such as fingerprints or palm scans. The complaint for this class action alleges that White Castle System, Inc. and Cross Match Technologies, Inc. have not followed Illinois law on the collection, use, storage, and disclosure of biometrics.

The class for this action is all individuals working for White Castle in Illinois who had their fingerprints collected, captured, received, or otherwise obtained or disclosed by White Castle or Cross Match during the applicable statute of limitations. 

The privacy of biometric data is more sensitive than even privacy for credit card data. This is because if your credit card information is stolen, you can always cancel the credit card and get a new one; but if your fingerprint data is stolen, you cannot get new fingerprints. 

A 2015 data breach at the US Office of Personnel Management exposed personal data, including biometric data, for more than 21 million federal employees, contractors, and even job applicants. And hackers have already sold information obtained from Aadhaar, the largest biometric database in the world, which stores the information of over a billion citizens of India. 

To initiate protections for biometric information, Illinois has passed the Biometric Information Privacy Act (BIPA), to regulate the collection, storage, and use of biometrics within the state.

Many companies already use biometrics for identification and time-keeping. The complaint says that employees of fast-food company White Castle are required to scan their fingerprints to obtain their weekly pay stubs or to get access to company computers. Unfortunately, the complaint claims that White Castle and Cross Match, which supplies the technology for its biometric operations, do not follow BIPA. 

According to the complaint, the companies violate BIPA in at least three ways: 

  • Employees are not told in writing of the purpose of the collection of their fingerprints (or other biometric data) and length of time for which they will be stored and used.
  • Employees do not have access to a publicly-available retention schedule or guidelines for the eventual destruction of their fingerprints. In fact, the complaint alleges that the companies do not even have such a schedule or guidelines and do not destroy such data.
  • Employees are not asked to provide a written release giving White Castle permission to collect, store, use, or disseminate their fingerprints.

In addition, the complaint notes that employee fingerprints are shared with at least one third party, DigitalPersona, which maintains the White Castle employee database and distributes their weekly pay stubs.

Article Type: Lawsuit
Topic: Privacy
No case events.
Tags: Biometric Fingerprint Violations, Taking/Storing/Using Biometric Data, Your Privacy