Image: H&M

H&M is being sued – but not on trademark infringement grounds or for using a street artist’s copyright-protected work in an ad campaign without his permission. No, the Swedish fast fashion giant has landed on the receiving end of a lawsuit for allegedly run afoul of the Biometric Information Privacy Act (“BIPA”), an Illinois state law that prohibits the unlawful collection and storing of biometric information, such as fingerprints, retina and iris patterns, voice waves, and DNA.

According to a proposed class action lawsuit filed in the Circuit Court of Cook County late last year (and amended as recently as last month), former H&M employee Kenyetta Slater asserts that in lieu of using employee identification numbers or cards to keep track of an individual’s hours, H&M “requires [its] hourly employees to scan their fingertips in its biometric time clock them they start working a shift, stop for lunch, return from lunch, and finish working a shift.”

H&M undoubtedly “benefited from using a biometric time clock,” Ms. Slater – who worked as a business account representative for H&M from 2012 to 2017 – asserts, including ensuring that “one employee could not clock in for another.” At the same time, she says, there is “equally no question” that the retail giant “placed employees at risk” as a result of such a system.

The risk here, the lawsuit claims, is largely tied to the fact that unlike employee ID numbers, for example, “biologically unique identifiers, like finger prints, can never be changed, [including] when compromised,” thus, such use “subjects a victim of identity theft to heighted risk.”

Slater asserts that the BIPA flatly prohibits a “private entity” – i.e., a non-governmental one – from “capturing or collecting biometric identifiers from an individual unless that private entity first creates a [publicly-available] written policy” governing how it will collect, maintain, and ultimately destroy such identifiers, and also “obtains [each] individual’s written consent.” H&M failed to do either of those things, Slater – who worked as a business account representative for H&M from 2012 to 2017 – alleges.

More than that, though, Slater claims that H&M went a step further and shared the biometric information at issue with a third-party time-keeping vendor.

With this in mind, Slater has asked the court to certify her class action case, thereby enabling other similarly situated current and former employees to join her case, and to force H&M to compensate the class of employees for such “reckless” or “at least negligent” behavior.

In a motion to dismiss, which was filed last week, H&M took issue with Slater’s assertions, claiming that it does, in fact, require employees to consent to such a time-keeping system. As for the workings of the system, itself, the retailer argues that it does not actually store any of its employees’ finger prints.

H&M is not the first company to be sued in connection with the BIPA, which was enacted in 2008. Wow Bao, a restaurant chain owned by Lettuce Entertain You Enterprises Inc., and gas station and convenience store chain Speedway LLC were both accused of running afoul of this relatively obscure statute in 2017.

Wow Bao and Lettuce Entertain You were accused of improperly collecting and storing customers’ facial scans through self-order kiosks, while Speedway allegedly violated the law by collecting employees’ fingerprints without obtaining their written consent. According to independent policy organization, Illinois Policy, “Illinois consumers have [also] sued under the BIPA for alleged violations by companies that use facial recognition technology, such as Facebook, Shutterfly, Google, Snapchat, Take-Two Interactive Software and others.”

*The case is Kenyetta Slater v. H&M, Hennes & Mauritz, LP, 2018-CH-16030 (Cook County Circuit Court).