On September 5, 2017, Stephan Zouras, LLP filed a complaint on behalf of consumers of Wow Bao Restaurant seeking to protect their biometric data.
Plaintiffs allege that Wow Bao LLC and Lettuce Entertain You Enterprises, Inc. have violated the Illinois Biometric Information Privacy Act, or “BIPA”, through their self-order kiosks (which use facial biometrics as a means of authentication) for food and beverage purchases. Plaintiffs allege that Wow Bao collects and stores their consumers’ biometric information without the appropriate notice, requisite consent and proper safeguards.
Biometrics such as fingerprints, retina scans, voice recognition and facial imaging are biologically unique to each individual; therefore, once compromised, an individual has no recourse and is at a heightened risk for identity theft. This exposes employees and consumers to serious and irreversible privacy risks.
For example, if a fingerprint database is hacked, breached, or otherwise exposed in the same manner as the recent Equifax breach, employees have no means to prevent the misappropriation and theft of their own biometric makeup. Unlike social security numbers or other financial information, biometric data is part of Plaintiffs’ physical being and cannot be changed.
Recognizing these risks, Illinois has enacted the Biometric Information Privacy Act “BIPA” – one of the strongest state laws protecting individuals’ biometric data. BIPA achieves its goal by making it unlawful for business to, among other things, “collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifiers or biometric information, unless it first:
- Informs the subject . . . in writing that a biometric identifier or biometric information is being collected or stored;
- Informs the subject . . . in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and
- Receives a written release executed by the subject of the biometric identifier or biometric information.”
BIPA also establishes standards for how employers must handle Illinois citizens’ biometric identifiers and biometric information. For example, BIPA prohibits businesses from disclosing a person’s or customer’s biometric identifier or biometric information without first obtaining consent for that disclosures.
BIPA also prohibits selling, leasing, trading, or otherwise profiting from a person’s biometric identifiers or biometric information (740 ILCS 14/15(c)) and requires private entities to develop and comply with a written policy – made available to the public – establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting such identifiers or information has been satisfied or within three years of the individual’s last interaction with the private entity, whichever occurs first.
Finally, BIPA provides for statutory damages of $5,000 for each willful and/or reckless violation of BIPA or, in the alternative, statutory damages of $1,000 for each negligent violation.
Our firm is at the forefront of BIPA litigation to protect people’s biometric data and privacy. We have brought cases against employers and other retail business who have collected individual’s biometric data without properly safeguarding it.
If you wish to be a part of this case or would like more information regarding your rights, please contact us.