A group of Wingstop restaurant employees have filed suit against point-of-sale tech maker NCR under Illinois' stringent biometrics privacy law, claiming the company should pay for allegedly repeatedly scanning and storing their fingerprints at work without their consent.
The suit was filed by plaintiffs Wendy Turner, Olivia Thompson and Aiden Nunez, identified as Illinois residents who each worked at different Wingstop restaurants in Chicago since at least 2016.
The lawsuit centers on NCR's Aloha point of sale system for restaurants which provides "kitchen solutions, digital ordering, reporting and analytics, and management tools, including tracking and managing workers’ time and attendance," says the suit, filed in Chicago federal court.
According to the lawsuit, NCR provided those technical services to employers, including the Wingstop restaurants where the plaintiffs worked.
"Each NCR POS terminal model is configured for use in conjunction with a biometric fingerprint scanner, which requires each worker to scan his or her fingerprint or thumbprint at the biometric-enabled NCR POS system in order to access the terminal, whether to clock in or clock out, or to input a food order," the lawsuit states.
NCR discloses the employee biometric information to third parties, the suit alleges.
"NCR failed to sufficiently inform Plaintiffs that it discloses or disclosed their biometric data to other, currently unknown, third parties, which host the biometric data in their data centers," the suit states. "NCR failed to obtain Plaintiffs’ consent before collecting, obtaining, disclosing
and/or disseminating their biometric data to third parties."
The employees are at risk of having their biometric information stolen, says the suit.
"If a fingerprint database is hacked, breached, or otherwise exposed, employees have no means by which to prevent identity theft and unauthorized tracking," the lawsuit states. "If a database containing fingerprints or other sensitive, proprietary biometric data is hacked, breached,
or otherwise exposed, employees have no means by which to prevent identity theft, unauthorized tracking or other unlawful or improper use of this highly personal and private information."
The lawsuit is not a class action on behalf of anyone else besides the three named plaintiffs.
NCR is in the process of defending against a class action lawsuit over similar accusations of violating Illinois' BIPA law and all three plaintiffs in the new lawsuit would be included in that class action and any potential settlement. But according to a footnote in their complaint, Turner, Thompson and Nunez each intend to petition the court overseeing that case to allow them to be excluded from any settlement, enabling them to pursue their own individual claims for damages.
The lawsuit seeks $5,000 for each " willful and/or reckless" violation of the Illinois law, and $1,000 for each negligent violation, plus attorney fees. The Illinois Supreme Court has interpreted the BIPA law to define individual violations as each time a company scans someone biometric identifier, allegedly without their consent or without providing certain notices required by the BIPA law. The state Supreme Court also has ruled such claims can cover the preceding five years. When multiplied over multiple scans per day, over five years of employment, the amount could quickly climb into the millions of dollars per employee, should the plaintiffs win before a jury.
The plaintiffs are represented by attorneys Adam J. Feuer, Majdi Hijazin and Nick Wooten of DC Law PLLC, of Chicago and Austin, Texas.
Turner v. NCR Corporation, U.S. District Court for the Northern District of Illinois, 1:23-cv-14709.