This week Marriott Hotel Services was hit with a class action lawsuit for alleged violations of the Illinois’ Biometrics Information Privacy Act (BIPA). The lawsuit alleges that the hotel violated BIPA by requiring workers to scan their fingerprints as a means to clock in at work without proper notice or consent.

BIPA prohibits businesses from:

  • Collecting biometric data without written consent;
  • Collecting biometric data without informing the person in writing of the purpose and length of time the data will be used; and
  • Selling or profiting from consumers’ biometric information.

The complaint states that the fingerprint scanner is connected to the timekeeping and payroll system and then stored on a third-party platform (Kronos, Inc.). The plaintiff alleges that Marriott did not inform employees of the system or how long the data would be retained. The proposed class includes all employees who worked for Marriott in Illinois since 2019.

BIPA permits plaintiffs to seek statutory damages between $1,000 and $5,000 per violation.

Illinois is not the only state with this type of biometric privacy law: the states of Texas and Washington also have regulations that address the collection and use of biometric data. Other states have narrower biometric regulations, such as industry-specific laws and certain provisions under state consumer privacy rights statutes (e.g., California, Colorado, Connecticut, Utah, and Virginia). Additionally, many other states have introduced biometric privacy laws, such as Massachusetts and Missouri. Companies should be on the lookout for new laws and regulations in this space and confirm that their actions related to biometric data collection and use are in compliance with applicable laws.