This week Marriott Hotel Services was hit with a class action lawsuit for alleged violations of Illinois’ Biometric Information Privacy Act (BIPA). The lawsuit alleges that the hotel violated BIPA by requiring workers to scan their fingerprints to clock in at work without proper notice or consent.

BIPA prohibits businesses from:

  • Collecting biometric data without written consent;
  • Collecting biometric data without informing the person in writing of the purpose and length of time the data will be used; and
  • Selling or profiting from consumers’ biometric information.

The complaint states that the fingerprint scanner is connected to the timekeeping and payroll system and that the scans are then stored on a third-party platform (Kronos, Inc.). The plaintiff alleges that Marriott did not inform employees of the system or how long the data would be retained. The proposed class includes all employees who worked for Marriott in Illinois since 2019.

BIPA permits plaintiffs to seek statutory damages between $1,000 and $5,000 per violation.

Illinois is not the only state with this type of biometric privacy law: Texas and Washington also have regulations that address the collection and use of biometric data. Other states have narrower biometric regulations, such as industry-specific laws and certain provisions under state consumer privacy rights statutes (e.g., California, Colorado, Connecticut, Utah, and Virginia). Additionally, many other states, such as Massachusetts and Missouri, have introduced biometric privacy laws. Companies should be on the lookout for new laws and regulations in this space and confirm that their collection and use of biometric data comply with applicable laws.

Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island.