Major Fast Food Chains Face New BIPA Class Action Suit
On August, 29, 2022, major news outlets around the U.S. reported that several well-known fast-food restaurants, including Applebees, Chipotle, and Red Lobster, among many others, were being hit with a class-action lawsuit for failing to obtain consent from consumers prior to collecting and storing their voiceprints that were obtained through interactions between automated voice ordering (AVO) systems. This class action lawsuit was filed in accordance with the Illinois Biometric Information Privacy Act (BIPA), the first of such legislation to be passed by any state within the U.S. To this end, the provisions of the BIPA mandate that businesses and organizations take steps to protect the biometric information of the numerous customers they serve, lest they face monetary penalties and punitive damages.
To this last point, the lawsuit that was recently filed in Cook County Circuit Court in Chicago, Illinois alleges that the multitude of fast-food establishments that have been named in the case “never adequately informed any of the Restaurant Defendants’ customers who have interacted with the AVO systems that the AVO systems collect and/or store their voiceprints and biometric information.” Under the provisions of the BIPA, a business within the state of Illinois is effectively responsible for providing consumers with information regarding the manner in which their biometric information will be collected, retained, transmitted, or disclosed prior to collecting such information from said customers.
Automated voice ordering
While AVO systems have become commonplace for many fast-food restaurants and retail companies around the world, the enactment of the BIPA in 2008 set a new legal precedent for the ways in which businesses and organizations that utilized this technology within the state of Illinois could do so legally. Nevertheless, major fast-food chains such as Chipotle and Applebee’s will invariably be operating thousands of individual locations throughout the country, in addition to locations that are present within larger scale establishments such as restaurants that are present within shopping malls or town centers. To this end, retaining the biometric data of an American citizen in the overwhelming majority of U.S. states would not constitute a violation of any particular data privacy law.
Subsequently, consumers around the country use AVO systems to order a wide range of products and services on a daily basis. In lieu of a biometric data protection law such as the BIPA, the businesses that employ these systems have no obligation to provide these consumers with insight into how their biometric information is being handled. When coupled with the general approach that many large-scale corporations take as it concerns standardizing their respective operations, it makes sense that Chipotle and Applebees had failed to provide consumers in Illinois with information regarding the collection of their biometric data, as these measures would be unnecessary in virtually any other business context.
BIPA enforcement
On top of the stipulations that businesses serving customers within Illinois must adhere to as it pertains to the collection of biometric data, the BIPA is also unique in that the law permits citizens within the state to exercise the private right of action against any parties they felt have violated the privacy rights they are afforded under the law. This private right of action forms the foundation of the class action lawsuit that was filed this past Monday, as the law states that any aggrieved party has the right to liquidated damages of up to $1,000 for negligent violations of the law, as well as liquidated damages of up to $5,000 for reckless violations of the law. What’s more, the law also states Illinois citizens have the right to recover actual damages, should the dollar amount of said damages exceed $1,000 or $5,000 respectively, in addition to reasonable court costs, attorney fees, and other relevant litigation expenses.
While other states around the U.S. have enacted their own biometric data protection laws since the BIPA was introduced in 2008, this landmark piece of legislation has undoubtedly altered the ways in which businesses and organizations are permitted to collect biometric information from American consumers. For this reason, while the number of biometric data protection laws within America is currently relatively small, this number could grow exponentially in the coming years, as advances in technology have led many businesses to automate jobs and tasks that once required manual input. Likewise, American consumers will also have to adjust the ways in which they view their own personal privacy, as a person’s biometric data will reveal more to the general public about them than any other form of personal information possibly could.