Now Serving, The Biometrics Risk Evolution

The Illinois Biometric Information Privacy Act (“BIPA”), 740 ILCS 14/1, et seq.—a statute regulating the collection of certain biometric data—has been a major driver of class action litigation in Illinois for nearly ten years.  The constant evolution of technology is no doubt to credit.  While the overwhelming bulk of the BIPA cases have been employment-related, focused primarily on time-keeping and security technology, new waves of consumer litigation have begun to crop up, as biometric technology has become nearly ever-present in the lives of consumers, from virtual try-on technology to loss-prevention technology to payment technology. 

Case in point, on August 28, 2024, Steak ‘n Shake was named in a putative class action lawsuit in the United States District Court for the Northern District of Illinois, captioned Massel v. Steak ‘n Shake, Inc.,Case No. 24-cv-07827.  Plaintiff Michael Massel alleges that Steak ‘n Shake implemented biometric facial recognition kiosks allowing consumers to make orders, track loyalty points and pay.  Plaintiff Massel alleges that the kiosk takes facial geometry scans without the consent and retention/destruction schedule required by the BIPA, and that Steak ‘n Shake improperly discloses biometric data.

As technology evolves and offers the growing promise of efficiency and convenience, it is critical to remain cognizant of laws that can impact how and whether such technology can be utilized. 

The veracity of the allegations in Massel remains to be seen.  Nevertheless, this case highlights the need to remain vigilant as efficiency in the restaurant space runs into the counterweight of legal compliance.  The restaurant industry is acutely at risk in the BIPA space, as biometric technology pervades all facets of the restaurant industry in recent years from employee time-clocks to security to customer interaction.  

The efficiency and cost-savings to be had with biometric technology is evident.  A measured approach to the use of such technology must be taken, however.  It must also be reminded that the BIPA (and other biometric laws and regulations) is broader on its face than merely fingerprints and facial geometry, and  can also encompass information derived from more traditional biometric data.  To that end, whether technology actually captures information capable of recreating, say, a face, is not necessarily the relevant inquiry.

The BIPA, however, should not be viewed as an impediment to the use of evolving and modern technology.  Biometric technology is no doubt more secure and reliable than other, old-fashioned means of identification.  The BIPA is, at its core, a notice and consent statute.  The BIPA does not generally prohibit anything, with the exception of selling or profiting from biometric data.  What it requires is a fulsome notice and consent.

To the extent a restaurant or chain is inclined to implement biometric technology for employees or consumers, there are a few key issues to keep in mind:

1. Implement a publicly available retention and destruction schedule, ensuring that whatever biometric data is obtained, is destroyed “when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within three years of the individual's last interaction with the private entity, whichever occurs first.”  740 ILCS 14/15(a)
2. Obtain informed consent in writing, ensuring that the individual from whom biometric data is obtained is aware of (i) the specific biometric data being obtained, (ii) the specific purpose for collecting biometric data and (ii) the duration of time for which biometric data is obtained.  740 ILCS 14/15(b)
3. Be cognizant of precisely what vendors or other entities may be storing or possessing biometric data on your behalf (including cloud vendors), as this could implicate the BIPA’s disclosure provisions.  740 ILCS 14/15(d)

As technology evolves and offers the growing promise of efficiency and convenience, it is critical to remain cognizant of laws that can impact how and whether such technology can be utilized.  Biometric technology offers significant ease and security for restaurant employees and consumers alike, but it must be implemented with the appropriate guardrails in mind to avoid the ever-present risk of litigation.