A nearly 10-year-old Illinois privacy law that has sparked class action lawsuits against familiar tech companies such as Google, Facebook and Shutterfly has moved into the franchise industry.

Following in the footsteps of claims under the Americans with Disabilities Act and the Telephone Consumer Protection Act, class action lawyers are now filing lawsuits under Illinois’ Biometric Information Privacy Act (BIPA) alleging that companies are unlawfully collecting biometric information from customers and employees through devices such as fingerprint scanners. Plaintiffs are suing both franchisors and franchisees. Franchisors are being sued for collecting the information themselves for their own employees and also for the actions of their franchisees on theories of joint and several liability, vicarious liability, agency and alter ego. A recently filed case alleges that a franchisor mandates and controls virtually every aspect of its franchise locations, including the use of certain equipment that collects biometric information to track employees’ time and attendance and to monitor cash register systems for fraud. Other cases allege that franchisors and franchisees are using it to track health and fitness information and authenticate customers’ transactions.

Biometric information is information based on an individual’s biometric identifier, such as eye, hand, face or fingerprint scans. Generally, BIPA prohibits private companies and individuals from obtaining biometric information unless they obtain prior, informed written consent. BIPA also requires companies to publish publicly-available written retention schedules and guidelines for permanently destroying biometric information. Potential damages are steep: liquidated damages of $5,000 for each intentional or reckless violation or $1,000 for each negligent violation, or actual damages, whichever is greater, plus attorneys’ fees and costs. The first reported settlement of a class action under BIPA was $1.5 million against a tan company franchise in December 2016 that involved a class of people who provided their fingerprints to access Illinois tan franchise salons for a nearly three-year period. The plaintiff alleged that the company obtained customers’ fingerprints without obtaining their informed written consent.

Thus, businesses that use fingerprint scans or facial-recognition technology to identify and track customers or employees may find themselves the subject of a costly class action lawsuit. In addition, storing this type of information can subject companies to litigation risk if a breach occurs. BIPA notes that, unlike a Social Security number, for example, a person has no recourse if their biometric data is compromised. BIPA also prohibits companies from selling or otherwise profiting from a person’s biometric data, which may come into play in the sale or transfer of ownership interests in a franchise or franchise system.

The big tech companies have challenged these lawsuits, with mixed results. Legal arguments at the motion to dismiss stage have included lack of personal jurisdiction over defendants, their actions fall outside the scope of the law, and plaintiffs’ failure to allege that they had suffered any harm other than mere procedural violations, although a court concluded recently that alleging an invasion of privacy was sufficient at the early stages of the lawsuit.

Although the biometric privacy compliance and litigation focus has been in Illinois, other states are enacting laws to address these issues. Texas regulates the collection and use of biometric data but does not allow a person to sue, instead giving the state attorney general the power to recover civil penalties up to $25,000 for each violation. Washington recently passed a law that appears more limited than BIPA. New Hampshire is currently considering a biometrics law. Other states have considered similar laws this year, so others will likely follow.

The takeaway: Franchisors should be careful about mandating franchisee use of biometric procedures and devices without first checking applicable law and also making sure that their own policies and procedures are in compliance with those laws.