BIPA is a frequently litigated data privacy statute, and as readers of CPW know, we’ve been covering BIPA litigations for some time (for some of our prior coverage, check out here, here and here).  Often these claims are brought in the context of a preexisting employee-employer relationship, where employees allege that their employer improperly collected their data in violation of BIPA for timekeeping purposes.  A recent BIPA lawsuit against McDonalds filed on behalf of customers alleging that the fast food chain utilized drive-thru voice assistants in Illinois which captured and stored customers’ biometric voiceprint identifiers without their written consent breaks with this trend.  Carpenter v. McDonald’s Corporation, Case No. 1:21-cv-02906 (N.D. Ill.).  Read on to learn more.

First, a quick recap. The Illinois Biometric Information Privacy Act (“BIPA”) was enacted in 2008 and has standards regarding  the retaining and handling of the biometric data of Illinois residents.  At its core, BIPA protects the “biometric information” of Illinois residents, which is any information based on “biometric identifiers” that identifies a specific person—regardless of how it is captured, converted, stored, or shared.  740 ILCS 14/10.  Biometric identifiers are, “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”  Id. (collectively, with “biometric information,” “biometric data”).

The Carpenter complaint, which was initially filed in Illinois state court, alleges that “[i]n an effort to reduce costs and staff, beginning sometime in 2020 McDonald’s implemented an artificial intelligence (AI) voice assistant in the drive through of various McDonald’s restaurants across the nation, including in Illinois.”  Compl. ¶ 6.  The crux of Plaintiff’s claim is that “McDonald’s AI voice assistant’s voice recognition technology collects customers’ voiceprint biometrics in order to be able to correctly interpret customer orders and to identify repeat customers to provide a tailored experience.”  However, “McDonald’s has failed to comply with BIPA’s regulations and does not notify its customers that when they interact with McDonald’s AI voice assistant their voiceprint biometric information is used and collected, nor does McDonald’s obtain their consent to do so.”  Compl. ¶¶ 8-9.

Plaintiffs proposed class includes “[a]ll individuals whose voiceprint biometric identifiers or biometric information were collected, captured, stored, transmitted, disseminated, or otherwise used by or on behalf of Defendant within the state of Illinois any time within the applicable limitations period and for whom Defendant did not have any written record of consent to do so.”

While disputing Plaintiff’s allegations, McDonald’s had the case removed to federal court last week under the federal Class Action Fairness Act (“CAFA”).  There, the court will address whether Plaintiff’s Complaint should make it past the pleading stage and enter discovery, assuming McDonald’s moves to dismiss.  Ultimate questions of liability will depend largely on McDonald’s business practices, and whether it was simply collecting voiceprints to understand customers’ orders or alternatively if it was “connecting the dots” to ascertain customers’ exact identities.

For instance, the Complaint alleges that, “McDonald’s AI voice assistant goes beyond real-time voiceprint analysis and recognition and also incorporates ‘machine-learning routines’, that utilize voiceprint recognition in combination with license plate scanning technology to identify unique customers regardless of which location they visit and present them certain menu items based on their past visits.”  Of course, whether that allegation is well-founded based upon McDonald’s actual practices remains to be seen.

For more on this litigation, stay tuned.  As more states continue to enact biometric laws with a private right of action, more entities will find themselves named in similar litigation.  CPW will be there to keep you in the loop.  Stay tuned.