An employee for an Illinois Popeyes restaurant failed to show that the chain had control over a franchisee’s workplace policy that entailed collecting and retaining her fingerprints and those of other employees, the U.S. District Court for the Northern District of Illinois held March 26.
The plaintiff in Jones v. Diamond Jubilee Enterprises, Inc. scanned her thumbprint to clock in and out of work as well as log into the restaurant’s point of sale system. She alleged violations of Illinois’ Biometric Information Privacy Act, namely that she never provided written authorization to capture or disclosure of her thumbprint; that Diamond Jubilee Enterprises never informed her of the purpose or length of time for which the thumbprint would be captured; and that it failed to make publicly available a biometric data-retention policy and inform the plaintiff if it would delete her thumbprint.
The plaintiff further claimed that Popeyes was jointly responsible for the alleged violations because the company was a joint employer together with Diamond Jubilee Enterprises, the franchisee that operated the store at which she worked.
Popeyes, meanwhile, argued that it did not control the franchisee’s employment policies or practices and therefore could not be held liable under Illinois law.
The court held that the plaintiff had not shown evidence that Popeyes specifically implemented, oversaw or was otherwise involved in the thumbprint collection.
It also found that the plaintiff impliedly alleged that Popeyes was her joint employer, but the court determined that she “alleges only conclusions, without any supporting facts, which is insufficient to state a BIPA claim against Popeyes.”
The court granted Popeyes’ motion to dismiss but also granted the plaintiff leave to file an amended complaint. It also determined that “there is some legal basis” for the plaintiff’s BIPA claims and rejected Popeyes’ motion for sanctions against the plaintiff and her attorneys.
Attorneys who previously spoke to HR Dive said that BIPA has spawned a wave of litigation against Illinois employers over the collection of biometric data, with fingerprint and finger scans becoming an oft-cited contention. In 2021, for example, Topgolf agreed to a BIPA settlement with former employees totaling more than $2.6 million over claims that the company unlawfully collected and disclosed data collected via a finger-scan timekeeping system.
The law, enacted in 2008, requires employers to take a number of steps to safeguard biometric information, such as developing publicly available policies around retention and permanent destruction of biometric identifiers and information.
BIPA also requires entities to inform individuals about a collection, the purpose of the collection and the length of time that biometric information is being stored, and the entity must receive a written release by the individual consenting to the collection.