Taco Bell, KFC, Pizza Hut Operator Hit with Class Action Over Worker Fingerprint Scanning Practices
by Erin Shaak
Last Updated on November 24, 2020
Payne v. Yum! Brands, Inc.
Filed: November 16, 2020 § 2020-CH-06811
A lawsuit claims the parent entity behind Taco Bell, KFC, Pizza Hut and other fast food brands failed to obtain employees’ consent to scan their fingerprints.
The parent entity behind Taco Bell, KFC, Pizza Hut and several other fast food brands has been hit with a proposed class action over its alleged failure to obtain consent and provide proper disclosures before collecting and storing employee fingerprint data.
Alleging violations of the Illinois Biometric Information Privacy Act (BIPA), the 15-page lawsuit claims Yum! Brands’ apparent failure to obtain consent to collecting workers’ biometric data—i.e. fingerprints—and inform them of when and how the information would be used and destroyed has exposed the individuals to “serious and irreversible privacy risks.”
“If Defendant’s database of digitized fingerprints were to fall into the wrong hands, by data breach or otherwise, the employees to whom these sensitive and immutable biometric identifiers belong could have their identities stolen, among other serious issues,” states the complaint, filed in Cook County Circuit Court.
The lawsuit alleges Yum! Brands—the group behind KFC, Pizza Hut, Taco Bell, The Habit Burger Grill and WingStreet restaurants throughout Illinois—has since at least June 2017 required employees to scan their fingerprints to clock in and clock out of the company’s timekeeping system. Per the complaint, the defendant overstepped the BIPA by failing to inform the workers, before collecting their sensitive biometric data, of the purpose and length of time for which their information would be collected, and by failing to obtain their written consent to do so.
Moreover, the case claims Yum! Brands provided neither a publicly available retention schedule nor guidelines detailing when and how the workers’ fingerprint data would be destroyed, leaving them in the dark as to how long their private information would be at risk of exposure after the termination of their employment.
The plaintiff says his fingerprints were scanned, collected and stored in the company’s database when he worked at one of Yum! Brands’ KFC restaurants between June 2017 and March 2018. According to the case, the man never provided the restaurant operator with permission—written or otherwise—to collect his biometric identifiers and did not receive statutory disclosures regarding such.
Finally, the suit claims the plaintiff was never given a retention schedule or guidelines for the destruction of the data and thus “has no reason to believe Defendant actually destroyed his biometric information, despite that the sole reason Plaintiff provided his biometric information (i.e. clocking in and out of work) is now moot.”
Per the complaint, if Yum! Brands uses an outside vendor to process its payroll, there is also a “significant risk” that the defendant has disseminated workers’ biometric information without their knowledge or consent.
The lawsuit looks to cover anyone who had their fingerprints collected, captured, received or otherwise obtained and/or stored by Yum! Brands in Illinois.