Dive Brief:
- A former PetSmart employee in Illinois filed a putative class action challenging the company's use of voiceprint and voice recognition technology. The suit claimed PetSmart's practices violate the state's Biometric Information Privacy Act (Stegmann v. Petsmart LLC, No. 1:22-cv-01179 (notice of removal filed N.D. Ill 3/04/22)).
- PetSmart required warehouses workers to use the technology to create an individual voiceprint, unique to each person, the complaint alleged. Workers then carried out orders sent from a central computer by interacting with voice recognition software, which responded based on their voiceprint. The voiceprints, stored in a file containing the worker's name and employee number, could have been subject to hacking and put the workers at risk for identity theft, according to the lawsuit.
- Petsmart violated BIPA, the suit claimed, by: failing to obtain workers' written consent to collect their voiceprints; failing to inform them in writing of the length and purpose for which their voiceprints would be collected, used and stored; and failing to timely destroy the voiceprints. Petsmart did not respond to requests for comment.
Dive Insight:
Employers are increasingly using biometric data for timekeeping, security and warehouse operations. But legislators and regulators have taken note and are working to put limits on that use.
Passed in 2008, Illinois' BIPA restricts the use of biometric information and biometric "identifiers," which include retina, fingerprint, voiceprint, hand or face geometry scans, but not writing samples or written signatures. It requires that covered entities provide notice to and obtain a written release from a person before they can collect, use or store biometric information. Employesr also must develop and make publicly available a retention and destruction policy and follow their industry's reasonable standard of care to protect the information. A Texas law has similar requirements, as do bills proposed in Maryland, New York and California.
Notably, BIPA gives individuals, by themselves or as a class, the right to sue a private entity for damages. This can be costly for defending businesses. Prevailing plaintiffs are entitled to $1,000 in damages for a negligent violation and $5,000 for an intentional violation.
Last year, Topgolf denied allegations it violated BIPA but agreed to settle a class action involving more than 2,600 employees for $2,633,400. And in January a federal district court approved a $677,000 settlement between sandwich shop chain Pret a Manger and nearly 800 workers.
Unlike BIPA, Texas' law and a similar law in Washington don't allow individuals to bring private lawsuits, but the Maryland, New York and California bills would. As biometric privacy laws advance in other states, court rulings in Illinois have made it easier for plaintiffs to pursue BIPA claims. For example, on February 3, in McDonald v. Symphony Bronzeville Park LLC, 2022 IL 126511 (Ill. 2022), the Illinois Supreme Court ruled that the state's workers' compensation law doesn't bar employees from suing for damages under BIPA.
Partly because of BIPA's stringent requirements and partly because it has become a model for proposed legislation in other states, businesses are keeping a close eye on the statute and the ever-increasing number of related lawsuits.