Major Fast Food Chains Face New BIPA Class Action Suit

August 30, 2022 | 4 minutes read
Major Fast Food Chains Face New BIPA Class Action Suit

On August, 29, 2022, major news outlets around the U.S. reported that several well-known fast-food restaurants, including Applebees, Chipotle, and Red Lobster, among many others, were being hit with a class-action lawsuit for failing to obtain consent from consumers prior to collecting and storing their voiceprints that were obtained through interactions between automated voice ordering (AVO) systems. This class action lawsuit was filed in accordance with the Illinois Biometric Information Privacy Act (BIPA), the first of such legislation to be passed by any state within the U.S. To this end, the provisions of the BIPA mandate that businesses and organizations take steps to protect the biometric information of the numerous customers they serve, lest they face monetary penalties and punitive damages.

To this last point, the lawsuit that was recently filed in Cook County Circuit Court in Chicago, Illinois alleges that the multitude of fast-food establishments that have been named in the case “never adequately informed any of the Restaurant Defendants’ customers who have interacted with the AVO systems that the AVO systems collect and/or store their voiceprints and biometric information.” Under the provisions of the BIPA, a business within the state of Illinois is effectively responsible for providing consumers with information regarding the manner in which their biometric information will be collected, retained, transmitted, or disclosed prior to collecting such information from said customers.

Automated voice ordering

While AVO systems have become commonplace for many fast-food restaurants and retail companies around the world, the enactment of the BIPA in 2008 set a new legal precedent for the ways in which businesses and organizations that utilized this technology within the state of Illinois could do so legally. Nevertheless, major fast-food chains such as Chipotle and Applebee’s will invariably be operating thousands of individual locations throughout the country, in addition to locations that are present within larger scale establishments such as restaurants that are present within shopping malls or town centers. To this end, retaining the biometric data of an American citizen in the overwhelming majority of U.S. states would not constitute a violation of any particular data privacy law.

Subsequently, consumers around the country use AVO systems to order a wide range of products and services on a daily basis. In lieu of a biometric data protection law such as the BIPA, the businesses that employ these systems have no obligation to provide these consumers with insight into how their biometric information is being handled. When coupled with the general approach that many large-scale corporations take as it concerns standardizing their respective operations, it makes sense that Chipotle and Applebees had failed to provide consumers in Illinois with information regarding the collection of their biometric data, as these measures would be unnecessary in virtually any other business context.

BIPA enforcement

On top of the stipulations that businesses serving customers within Illinois must adhere to as it pertains to the collection of biometric data, the BIPA is also unique in that the law permits citizens within the state to exercise the private right of action against any parties they felt have violated the privacy rights they are afforded under the law. This private right of action forms the foundation of the class action lawsuit that was filed this past Monday, as the law states that any aggrieved party has the right to liquidated damages of up to $1,000 for negligent violations of the law, as well as liquidated damages of up to $5,000 for reckless violations of the law. What’s more, the law also states Illinois citizens have the right to recover actual damages, should the dollar amount of said damages exceed $1,000 or $5,000 respectively, in addition to reasonable court costs, attorney fees, and other relevant litigation expenses.

While other states around the U.S. have enacted their own biometric data protection laws since the BIPA was introduced in 2008, this landmark piece of legislation has undoubtedly altered the ways in which businesses and organizations are permitted to collect biometric information from American consumers. For this reason, while the number of biometric data protection laws within America is currently relatively small, this number could grow exponentially in the coming years, as advances in technology have led many businesses to automate jobs and tasks that once required manual input. Likewise, American consumers will also have to adjust the ways in which they view their own personal privacy, as a person’s biometric data will reveal more to the general public about them than any other form of personal information possibly could.

Related Reads

Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy
September 06, 2023 | 4 minutes read
Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy

Body-worn cameras are an essential piece of equipment for law enforcement officers and the redaction of faces from BWC footage is necessary to protect the privacy of individuals.

Learn More »
Sensitive Information, Protected: Patient Privacy, HIPAA, And You
August 30, 2023 | 4 minutes read
Sensitive Information, Protected: Patient Privacy, HIPAA, And You

HIPAA compliance ensures patient privacy. Often making the consequences of non-compliance severe, so how do you avoid that?

Learn More »
Protecting Privacy in the Healthcare Field: PII, PHI & PCI
July 12, 2023 | 5 minutes read
Protecting Privacy in the Healthcare Field: PII, PHI & PCI

Healthcare professionals handle a wide range of sensitive data that is crucial for delivering quality care. But protecting that data is getting harder.

Learn More »
FISA Section 702, Is The US Government Monitoring You?
June 26, 2023 | 6 minutes read
FISA Section 702, Is The US Government Monitoring You?

Is there a give-and-take relationship that must be accepted when it comes to keeping the country safe? Should U.S. persons be okay with the incidental collection of their conversations in the name of national security under FISA Section 702? Even when it violates their constitutional rights? Well, that’s up to Congress to decide.

Learn More »
The Gap You Won’t Want to Close: Air-Gapped Systems
June 05, 2023 | 6 minutes read
The Gap You Won’t Want to Close: Air-Gapped Systems

An air-gapped system is a computer, or network that is physically isolated from any external connections and networks which includes the Internet. It operates in total isolation with neither wired nor wireless connections to other devices.

Learn More »
Using Redaction for Privacy Maintenance as An Investigator
May 31, 2023 | 5 minutes read
Using Redaction for Privacy Maintenance as An Investigator

These oaths emphasize upholding the law, serving the public, and protecting the rights of individuals. One of these many rights is privacy. An investigator must adhere to the legal and ethical guidelines within the jurisdiction and perform their investigation within those specifically set boundaries.

Learn More »