A former Illinois-based employee of PetSmart has filed a putative class action against the pet goods retailer, accusing the company of violating the state’s Biometric Information Privacy Act (BIPA) by collecting employees’ voiceprints in ways that could leave them open to identity theft.
According to the 2008 Illinois BIPA law, the “collection, use, safeguarding and storage of biometrics” — such as voiceprints — by a private entity must be regulated due to the access they afford to sensitive personal and financial information, including genetic markers and testing information, accounts, PIN codes, driver’s licenses and social security numbers.
The case of Steven Stegmann v. PetSmart LLC alleges that Stegmann and other employees were not provided written notice prior to using the technology, nor were they afforded the opportunity to sign a written release. Stegmann also alleges that PetSmart did not provide a written policy outlining a retention schedule of guidelines for permanently destroying the biometric information.
It is alleged that PetSmart required more than 700 employees to use technology over the course of five years that preceded the filing. While technology that collects biometric information can include fingerprinting, facial recognition and eye scans, the system used by PetSmart relies on collecting voiceprints of users. The lawsuit notes that through a headset worn by the employee, workers received orders from a central worker management computer. Tasks would be completed by the employee through interacting with the voice-recognition software.
The individual voice template is added to the employee’s data file, which connects the voiceprint to the worker’s identifying information such as name and employee number. By not being informed of the entire process, in addition to storage and disposal of the data, the Stegmann lawsuit argues that employees were unknowingly made vulnerable to cyber threats.
The law requires entities that utilize biometric identifiers to develop a written policy regarding intentions of usage, a retention schedule and how the information will be destroyed. Prior to collecting biometric identifiers, subjects must be informed by the entity gathering the information regarding its collection; how it will be used, collected and stored; and the purpose of the collection. Entities must also receive a written release from subjects.
“The Illinois Biometric Information Privacy Act is a very important law,” said David Fish of Fish, Potter Bolaños P.C., an employment legal firm representing the plaintiff, in an email to Retail TouchPoints. “We look forward to litigating this cutting edge and important case in court.”
Parties that violate the law could be responsible for damages of up to $1,000 for negligent infractions and $5,000 per violation for incidents that are found to be intentional, in addition to attorney’s fees. The plaintiff’s proposed class includes “[a]ll persons, within the applicable statute of limitations, who had their voiceprint collected, captured, received, otherwise obtained, or disclosed by Defendant in Illinois, without their consent, and/or who failed to have their voiceprint timely deleted.”
PetSmart responded to Retail TouchPoints’ request for comment regarding the filing by noting, “Out of respect for all parties involved, as a practice, we do not comment on pending litigation.”
The original Jan. 20, 2022, filing of the lawsuit was made through the LaSalle County Circuit Court. It was removed to the Illinois Northern District Court on March 4, 2022.