Capital Fitness, Inc., which owns and operates the XSport Fitness chain in Illinois, and subsidiary Executive Affiliates have been hit with a proposed class action lawsuit over allegations the pair collected employees’ biometric information without making the requisite disclosures. The case resolves around a biometric time-keeping system managed by Executive Affiliates that scans employees’ fingerprints when they clock in and out of work.
Illinois’ Biometric Information Privacy Act (BIPA) provides certain restrictions regarding the use of individuals’ biometric identifiers, which are defined by the statute as “retina or iris scan[s], fingerprint[s], voiceprint[s], or scan[s] of hand or face geometry,” and information derived from these identifiers, the suit explains. Under the statute, companies are not permitted to sell, lease or trade biometrics for profit and are required to obtain the subject’s consent before disclosing biometric data, according to the complaint. In addition, the case states, the BIPA requires companies to:
Inform the subject that biometric data is being collected and stored;
Identify the specific purpose and length of time for which biometrics will be used;
Receive a written release from the subject authorizing the collection of biometrics; and
Provide a written retention schedule and guidelines for permanently destroying biometric information.
The complaint claims, however, that Capital Fitness never obtained consent from employees before collecting their fingerprints, never informed workers that their biometrics were being collected, and never explained the specific purpose or length of time for which workers’ data would be used. Furthermore, the defendants failed to provide employees with a retention schedule that outlined policies for permanently destroying the biometric data, according to the lawsuit.
The case contends the defendants essentially left workers in the dark as to how their biometrics might be used. From the complaint:
“Because Defendants neither publish a BIPA-mandated data-retention policy nor disclose the purposes for which they collect biometric data, Defendants’ workers have no idea whether Defendants sell, disclose, or otherwise disseminate their biometric data. Nor are Plaintiff and the putative Class told to whom Defendants disclose their biometric data, or what might happen to their biometric data were Defendants to merge with another firm or go bankrupt.”
The lawsuit seeks to represent a class of “[a]ll individuals who had their fingerprints collected, captured, received, or otherwise obtained by Defendants in Illinois” and requests damages of $5,000 for every willful BIPA violation. The suit also demands that the defendants destroy all unlawfully collected biometric data.