Labor & Employment Law Daily Retroactive consent didn’t save Little Caesar’s from lawsuit attacking its biometric timekeeping practices
News
Thursday, August 13, 2020

Retroactive consent didn’t save Little Caesar’s from lawsuit attacking its biometric timekeeping practices

By Marjorie Johnson, J.D.

While the Illinois Biometric Information Privacy Act did not forbid the employer from attempting to obtain the employee’s consent retroactively, it failed to identify any legal theory under which the consent barred her BIPA claim as a matter of law at the pleadings stage.

Two former employees of Little Caesar’s restaurants advanced a putative class action for alleged violation of the Illinois Biometric Information Privacy Act (BIPA) despite the employer’s submission of sample screenshots it claimed showed that one of the employees retroactively consented to use of its biometric time clock system to collect fingerprint data six months after she was hired. Denying the employer’s motion to dismiss, a federal court in Illinois ruled that even if the exhibits could be considered at the pleadings stage, they did not defeat the employee’s BIPA claims as a matter of law, nor did the generalized retroactive consent establish that she waived her claims (Lenoir v. Little Caesar Enterprises, Inc., August 7, 2020, Dow, R.).

Biometric time clock. The employees who brought this action formerly worked at Little Caesar pizza restaurants located in Illinois. During their tenure, they were required to use the company’s biometric time clock system to scan their fingerprints when they clocked in and out of their shifts and for breaks. They claimed that the employer’s practices violated BIPA since the company never obtained their written consent before collecting, storing, disseminating, or using their fingerprints. They also claimed that it unlawfully shared their biometric data with its time-keeping vendor without their consent and stored the data without publishing data retention and destruction policies.

BIPA. BIPA restricts how private entities—including employers—collect, retain, disclose, and destroy biometric data, including fingerprints. Amongst other things, the law requires private entities that collect a person’s biometric data to disclose that the data is being collected or stored, state the purpose and length of the collection and storage, and obtain written consent to collect the data. BIPA additionally prohibits private entities “in possession of” biometric data from selling the data and disclosing it without consent or other authorization.

Motion to dismiss. The employer argued that one of the employees voluntarily gave up her right to pursue a BIPA claim because on January 16, 2019—six months after she was hired—she “affirmatively consented” to provide her finger scan to verify her identity to access its timekeeping system. To support this argument, it submitted “representative sample screens” that she purportedly viewed on that date in which she allegedly consented to “the past, present and future collection, use, and storage of your fingerprint data.”

Exhibits not properly before court. The employer’s argument failed because the exhibits purporting to show her consent were not properly before the court on a motion to dismiss. While the company asserted that they were central to the employee’s lawsuit because she routinely stated that she never received a written consent, this misstated the claims. The employees alleged that the company never provided any “written materials about its collection, retention, destruction, use, or dissemination of their fingerprints before requiring them to use a biometric time clock” and never obtained the employees’ “written consent, or release as a condition of employment, before collecting, storing, disseminating, or using their fingerprints.” Such allegations were not rendered false by purported evidence that the employee signed a consent six months after the company had already collected, retained, used, and disseminated her fingerprints.

Didn’t bar claims. Even if the exhibits were properly before the court, they did not establish that the employee’s BIPA claim was barred as a matter of law. BIPA makes clear that a private entity may not collect, capture, purchase, or otherwise obtain a person’s biometric data unless it first informs the individual in writing that biometric data is being collected or stored and states the specific purpose and length of time, and receives a written release executed by the individual. While the statute does not forbid a private entity from attempting to obtain consent retroactively, the employer failed to identify any legal theory under which the consent it obtained from the employee barred her BIPA claim.

No waiver. At this early stage, the court also could also not rule as a matter of law that the employee “knowingly, voluntarily, and intentionally” gave up any right to bring a BIPA claim for violations that occurred prior to signing the consent. Notably, the alleged consents did not mention BIPA or any other right to sue, nor did they acknowledge that the employer previously collected her biometric data, which was the basis for her right to sue. There was also no case law supporting the theory that a generalized consent to past collection, use and storage of fingerprint data necessarily invalidates a BIPA claim.

Negligent or reckless violation? The employer also argued that the lawsuit should be dismissed because the employees failed to adequately allege that its violation of BIPA was negligent or reckless. However, BIPA provides for a private right of action for “any person aggrieved by a violation” of the statute and the Illinois Supreme Court has explained that the violation “in itself” is sufficient to support the individual’s claim. The “negligent” and “intentionally and recklessly” standards are only relevant to deciding remedies.

But even if the employees were required allege that the employer’s violation of BIPA was negligent, they plausibly did so here. In particular, they claimed that the statute “was enacted in 2008 and numerous articles and court filings about the Act’s requirements were published before [their hire].” The employer also apparently became aware of BIPA at some point before this lawsuit was filed as it attempted to obtain retroactive consent from one of the plantiffs.

Not barred by WC law. Finally, following the lead of other district courts and Illinois trial courts, the court rejected the employer’s contention that the employees’ BIPA claims were barred by the Illinois Workers’ Compensation Act.

Interested in submitting an article?

Submit your information to us today!

Learn More

Labor & Employment Law Daily: Breaking legal news at your fingertips

Sign up today for your free trial to this daily reporting service created by attorneys, for attorneys. Stay up to date on labor and employment legal matters with same-day coverage of breaking news, court decisions, legislation, and regulatory activity with easy access through email or mobile app.