A federal court in Illinois denied Subway’s motion to dismiss a claim that it violated the Illinois Biometric Information Privacy Act (BIPA) by failing to obtain a franchisee’s employee’s consent for the collection and possession of the employee’s fingerprints. Ronquillo v. Doctor’s Assocs., LLC, 2022 WL 1016600 (N.D. Ill. Apr. 4, 2022). Subway requires its franchises to use a proprietary POS system, which includes a biometric fingerprint scanner and is manufactured by HP. The POS system collects, stores, and uses fingerprint information to identify individuals using the system. Ronquillo alleged that the system and its scanner were never explained to her. She sued Subway and HP for violating the BIPA by collecting and using her biometric information without her consent. Subway and HP moved to dismiss her claim, arguing that Ronquillo failed to plead how they “actively” collected her biometrics. Further, they argued that, in this context, BIPA does not extend to third parties who do not employ the plaintiff.
The court rejected these arguments. It acknowledged that there is no BIPA violation unless a defendant has taken “active steps” to collect biometric information. However, the court held Ronquillo’s allegations of Subway’s use and exclusive control over the system and HP’s storage of the biometric information met this standard. The court further held that nothing in BIPA’s text supports limiting its reach to employers, so it therefore would not dismiss the complaint on that basis either.