Consumer Electronics Daily was a Warren News publication.
'Serious Risks'

Employees Sue Kroger-Owned Stores for Time Clock BIPA Violations

Food 4 Less, part of the Ralphs and Kroger supermarket chains, unlawfully collects, uses and retains personal biometric identifiers of employees in violation of the Illinois Biometric Information Privacy Act (BIPA), alleged a complaint (docket 1:23-cv-15345) Thursday in U.S. District Court for Northern Illinois in Chicago.

The 10 plaintiffs in the lawsuit are or were employed at an Illinois Food 4 Less location and were required to enroll in a biometric timekeeping system using a scan of their unique fingerprint for time tracking and employee authentication, said the complaint. The stores’ policies required employees to clock in and clock out by scanning their fingerprints at the beginning and end of each shift and for meal breaks, it said. Plaintiffs’ data collected in the biometric timekeeping system by Food 4 Less was disclosed to at least one third party for payroll purposes, and data collected by the system was disclosed to Kroger, the complaint said.

Biometric time clocks have benefits but also present “serious risks,” said the complaint. Unlike key fobs or identification cards, which “can be changed or replaced if stolen or compromised,” fingerprint scans “are unique, permanent biometric identifiers associated with the employee” that expose them to “irreversible privacy risks,” it said. If a fingerprint database is hacked or otherwise exposed, “employees have no means by which to prevent identity theft and unauthorized tracking,” the complaint said.

As in recent data breaches at Yahoo, eBay, Equifax, Uber, Whole Foods, Chipotle, Omni Hotels & Resorts and Trump Hotels, “employees have no means by which to prevent identity theft, unauthorized tracking or other unlawful or improper use of this highly personal and private information,” the complaint said. Hackers and identity thieves have targeted Aadhaar, the largest biometric database in the world, which contains the personal and biometric data -- including fingerprints, iris scans, and facial photographs of over a billion Indian citizens, it noted.

Food 4 Less in summer 2023 discontinued using a biometric time clock system at the Melrose Park store where plaintiff Desmond Garmon worked, said the complaint. From February 2022 until summer 2023, Garmon was required to scan his fingerprint each time he clocked into and out of the system, it said. Other plaintiffs were also required to use the biometric time clocks until summer 2023, it said.

Another BIPA case against the defendants, the Maetean Johnson v. Ralphs Grocery Company d/b/a Food 4 Less Midwest, and The Kroger Co. class action, was filed March 25, 2022, in Cook County Circuit Court and removed (docket 1:22-cv-02409) to the Northern District of Illinois May 6, 2022. After the Johnson class action was filed, defendants “recklessly and intentionally continued to utilize the biometric time clock system and until approximately midsummer 2023,” requiring plaintiffs to scan their fingerprints each time they began and ended their workdays and for breaks, it said. Plaintiff Antwon Cherry, employed at a Dolton, Illinois store, also had to scan his fingerprint each time he had to override punches for co-workers, it said.

The defendants didn’t inform plaintiffs of the “specific limited purposes or length of time” for which they collected, stored, or used plaintiffs’ biometric identifier or biometric information, said the complaint. Nor did they inform plaintiffs of a biometric data retention policy it developed, or whether they will ever permanently delete their biometric information, the complaint said. Plaintiffs never signed a written release allowing either defendant “to collect, capture, or otherwise obtain their biometric information,” it said.

Defendants knew, or were “reckless” in not knowing, that the biometric timekeeping systems that they used would be subject to the provisions of BIPA, a law in effect since 2008, said the complaint. They “wholly failed to comply with the statute,” it said. When the Johnson class action was filed in March 2022, the defendants knew that the biometric time clocks they used would be subject to BIPA provisions, “yet recklessly and intentionally continued to utilize the biometric timekeeping systems until approximately mid-summer 2023, requiring employees to use their fingerprint to clock in and clock out at the beginning and end of each working day, as well as each time they clocked in and out for breaks,” the complaint said. Plaintiffs used the biometric time clock system hundreds, and in some cases, thousands of times, it said.

Plaintiff Bennie Reed was employed at the Oak Forest Food 4 Less in April 2022, after the Johnson class action was filed, but defendants still required her to enroll in the biometric time clock system using her fingerprint scan and to scan her print when she began and ended work each day and for clocking in and out of breaks, the complaint said.

Plaintiffs seek liquidated damages of $1,000 for each negligent violation of Section 15(d) of BIPA for transmission of biometric data without consent and $5,000 for each intentional or reckless violation, plus reasonable attorneys’ fees and costs. The lawsuit constitutes plaintiffs’ “one and only chance at compensation for Defendants’ violations of BIPA,” said the complaint. “Depending on how technology evolves years into the future, losing control of and ownership over very personal identifiers could have untold harmful consequences,” it said. If the pending Johnson class action achieves certification and settles, any plaintiff in this case who is a putative member of Johnson “will timely and properly request to be excluded,” said the complaint. Defendants didn't comment Friday.