A former employee of PetSmart has filed a putative class action suit alleging that PetSmart broke Illinois law when it used a voiceprint employee identification system. Illinois has a law–the Biometric Information Privacy Act (BIPA)–that regulates the use of biometric data. Texas has a similar law, and similar laws are being proposed in Maryland, New York, and California.
Did PetSmart Violate the Law?
The former employee, Steven Stegmann, alleges in the suit that “While Plaintiff and the Class members were required to provide their voiceprints or voice templates for PetSmart’s voice/speaker recognition technology, they were never first asked for their consent, nor were they ever provided with a written policy regarding the use of their biometric identifiers as required under BIPA.” What’s more, the suit alleges that the plaintiffs “were never told whether their voiceprints would be deleted from the Defendant’s systems or when they would be deleted.”
BIPA provides penalties of $1,000 per negligent violation and $5,000 per intentional violation, along with attorney’s fees. If additional plaintiffs join the suit and they win, PetSmart could be looking at a substantial penalty. BIPA identifies biometric data as a retina or iris scan, fingerprint, voiceprint, or a scan of hand or facial geometry. Biometric data does not include writing or written signature samples, photographs, or height, weight, hair color, or eye color. Furthermore, BIPA states that
A private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual’s last interaction with the private entity, whichever occurs first.
Allegedly, PetSmart did not issue a written policy or make provisions for the deletion of its biometric data within three years of the last interaction or when the purpose of gathering the data has been satisfied, as BIPA requires. BIPA also requires that anyone from whom biometric data is to be gathered provide a “written release.” PetSmart allegedly did not obtain written permission from its employees to gather biometric data. Furthermore, BIPA prohibits one entity from sharing biometric data with another without the written consent of the person whose biometric data is to be shared. The suit does not claim that PetSmart shared data with another entity. Enacted in 2008, BIPA is intended to serve the public welfare, security, and safety “by regulating the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.” Its provisions clearly require written permission, deletion, and a public policy statement regarding the use of biometric data.
PetSmart’s Use of Voiceprints
Stegmann worked in a distribution center or warehouse, where employees were required to wear headsets that were linked to a computer network. Employees would receive instructions to retrieve items through their headsets, and acknowledge these instructions through the microphone on the headsets. Computers would keep track of the employees by recognizing their voices. On starting employment, employees would read a long set of vocabulary words into a microphone connected to a computer’s voice recognition system until the computer learned to recognize the employee’s particular voice patterns.
According to the lawsuit,
Defendant uses a version of Honeywell’s Vocollect Solutions. Vocollect is a voice-enabled, voice technology system, used often in warehouses, which allows warehouse workers to engage in real-time communications with the Vocollect software. The Vocollect software recognizes the individualized patterns of a worker’s voice, and his peculiar behavioral patterns by breaking down his voice into small samples, which the software then analyzes and compares to the template on which it has been trained.
Honeywell is not named as a defendant in the suit. Honeywell’s system is used by other businesses, however, and those operating in Illinois should comply with BIPA.
Misuse of Biometric Data
The lawsuit points out that “In the event that PetSmart’s systems are breached or hacked, a hacker could have access to the operator data profiles, including an operator’s name and his associated voiceprint or voice templates, from which it could manipulate those personalized voiceprints for its own wrongdoing and misuse.” The lawsuit further states that “Plaintiff has continuously and repeatedly been exposed to the risks and harmful conditions created by Defendant’s violations of BIPA alleged herein, including the risk that Plaintiff’s voiceprint or voice template will be obtained by hackers who could then misuse it to, among other things, steal his identity and commit identity theft.”
While the use of biometric data–especially fingerprints–is limited in identity theft, biometric data is permanently linked to its subject. As the use of biometric data expands, so does the potential for misuse. A voiceprint can be used to say yes to a credit card charge over the phone, for example, or it can be used to imitate the subject in a criminal act.
Putative Class Action
The lawsuit filed by Stegmann is a putative class action, in that it intends to add to the list of plaintiffs “All persons, within the applicable statute of limitations, who had their voiceprint collected, captured, received, otherwise obtained, or disclosed by Defendant in Illinois, without their consent, and/or who failed to have their voiceprint timely deleted.” Lawsuits do not become class actions until an actual class has been certified by the court. The court has yet to certify anyone but Stegmann as a plaintiff. If, however, several hundred people are added to the lawsuit, PetSmart could face substantial fines, especially if the plaintiff can show that PetSmart violated the law deliberately. According to the lawsuit, “Defendant has collected, captured, received, or otherwise obtained biometric identifiers from over 100 workers who fall into the definition of the Class. Ultimately, the Class members will be easily identified through Defendant’s records.”
Employers in Illinois and Texas should make sure they comply with those states’ biometric data laws. Employers in Maryland, New York, and California should be aware that biometric data bills may soon become law, and stay informed accordingly. The use of voiceprints in warehouses falls under Illinois’s biometric data law, so Illinois businesses using voiceprints should obtain written permission to use voiceprints, issue a public policy regarding the use of voiceprints, and delete voiceprints of employees who have left employment.