Employees of Peacock Foods, an Illinois-based food product manufacturer, recently filed a lawsuit against their employer for alleged violations of Illinois’ Biometric Information Privacy Act. Under BIPA, companies that collect biometric information must inter alia have a written retention policy (that they follow). As part of the policy, the law states that they must delete biometric information after they no long need it, or three years after the last transaction with the individual. Companies also need consent to collect the information under the Illinois law, cannot sell information, and if shared must get consent for such sharing.

According to the plaintiff-employees, Peacock Foods used their fingerprints for a time tracking system without explaining in writing how the saved fingerprints would be used, or if they would be shared with third parties. According to the employees, this violated BIPA’s requirement for explaining -in the consent request- how information would be used and how long it would be kept. The employees also alleged that Peacock Foods did not have a retention schedule and program in place for deleting biometric data. The employees are currently seeking class certification.

Putting it Into Practice: This case is a reminder that plaintiffs’ class action lawyers are looking at BIPA and possible complaints that can be brought under the law. To address the Illinois law – and similar ones in Texas and Washington – companies should look at the notice and consent process they have in place.