In the US last week, the company responded to a class-action lawsuit by offering to settle for $677,000. The lawsuit was brought by an employee of the company who claimed the popular chain required employees to use fingerprints to sign in to their shift for timekeeping.
The suit was brought in an Illinois Court where the plaintiffs alleged that the company broke the Illinois Biometric Information Privacy Act (BIPA) when they fingerprinted employees without:
Complying to the statute’s informed consent regime, or adhering to a publicly-available policy governing the retention and destruction of this highly-sensitive data.
I found this a strange situation because, in most cases, biometric systems for timekeeping don’t store the fingerprint. Instead, the way they work is that an algorithm calculates a unique number based on the person’s original fingerprint and then stores the number, but never the fingerprint. However, as described, the company, in this case, had been capturing biometric data and then not having appropriate retention and destruction procedures in place.
The employee, who brought the case based on her employment between 2018 and 2019, says the company did not make employees sufficiently aware of how they would manage their data, nor get the appropriate consents.
Companies Data Protection Officers sometimes struggle to apply US privacy law, which is fragmented, has different implementations at a state level, and has no overarching federal law. So I could understand if Pret had made a slight mistake, but failure to communicate something as fundamental as fingerprint scanning would be a breach of pretty much every privacy law, under what is called the transparency principle.
Furthermore, as described in the method above, there is simply no need to store the actual fingerprints to meet the requirements of their stated purpose.
In other words, they should have known better, and it sounds like the company did not give enough consideration to the subject. The offer to settle is probably an acknowledgement of this.
That is disappointing news for a company that has held itself up as an example of how to treat employees.