Convenience service operators unfazed by lawsuits over biometric data collection
Photo courtesy of 365 Retail Markets.

Legal actions against companies collecting biometric data from customers have caught the attention of companies already using biometric technology to identify customers in unattended retail environments. 

When this website informed several operators about a pair of lawsuits filed against Compass Group USA by plaintiffs who claimed the company's vending machines improperly collected their biometric data, several of the operators said they are confident that the biometric technologies they are using comply with current consumer protection laws.

As noted in the first segment of this three-part series, the suits claim Compass Group USA violated the Illinois Biometric Privacy Act, which requires written consent before collecting and storing biometric information. The plaintiffs in both cases claimed the company did not seek their written consent to collect their biometric data. One plaintiff further claimed the company did not advise them of the purpose or length of time for which the defendant collected or used their biometrics.

Operator: Micro markets already comply

Rod Nester, owner of Smith Vending Corp./Canteen, a Canteen franchise in Clarinda, Iowa, operates self-serve micro market kiosks that allow customers to pay using fingerprint readers.

"It ties your fingerprint to your market card," he said.

Nester doesn't envision any problems since the micro market kiosks he uses from Avanti Markets and 365 Retail Markets require customer consent before having an individual's fingerprint copied.

"There's a user agreement that comes up," Nester said. "They (the customers) sign off on that. I don't personally have any concerns. Over half of our customers enroll with the fingerprint."

Nester was one of several vending operators interviewed who expressed full confidence in their micro market kiosks.

Both the Avanti Markets and 365 Retail Markets kiosks require customer consent to have their fingerprints scanned and comply with BIPA, according to officials from the two companies.

Illinois law the most stringent

"Illinois is the most comprehensive plan out there," said Greg Wilson, vice president of customer success at Avanti Markets. "It's state by state regulation. We look at each one of those and make sure we are in full compliance with each."

Wilson does not hold a negative view of the law. 

"I see it as more of an adaptation as our industry continues to evolve," he said. "Technology evolves. You have to adapt. That's just a side effect of the growing market trend of technology. If the laws are out there for a certain reason, all companies that use that technology should maneuver their back-end systems or their technology to make sure that they're in full compliance."

Ryan McWhirter, vice president of product management at 365 Retail Markets, held a similar view.

"We have to get the confirmation from the users first," said McWhirter. "If they (the customer) say 'no,' it's deleted when prompted to accept the updated terms and conditions that include the new privacy language." 

European regulators set a standard

Being in compliance with the General Data Protection Regulation in Europe allowed 365 Retail Markets self-serve kiosks to comply with the Illinois law as well as other state laws, McWhirter said.

"We're always watching these regulations and making sure we're in compliance," he said. "We've been getting ahead of all these things proactively so that we're ready to help our (operator) customers comply. The fingerprint reader is still the fastest way to check out."

He said that the reader proves particularly helpful in locations with a large number of employees with limited break time. The fingerprint reader can be removed from the kiosk if the client does not want to have it, he said, adding that some government locations have opted to remove the fingerprint reader.

"There's a fine line between added convenience and onerous paperwork," McWhirter said. "With every regulation that comes out, it's more difficult to offer additional biometric identification in an easy-to-understand way to the consumer, so we've hesitated to offer any other form of biometric identification, because it's really not needed right now."

Facial recognition complies

Caliburger, a restaurant chain that uses facial recognition on its self-serve kiosks, also requires customer consent, said John Miller, company CEO.

"It (the facial recognition) was built to be in compliance," Miller said, specifically referring to BIPA. "The stuff that's not in compliance is when you do biometrics with people without their consent. As long as you're getting people to register and opt in to it, then you don't really have a problem."

Caliburger in 2017 was the first of several restaurants to use the PopID facial recognition software. All eight U.S. Caliburgers are using PopID, which is partially owned by Cali Group, Caliburger's parent company.

Miller said the technology allows people to order faster. The platform recognizes customers' repeat orders. In addition, the transaction processing cost is lower than a credit card payment, he said.

"It's just easier to push a button and have your face scanned than to pull out your phone and open up an app and make a connection," Miller said.

Jeff LeBlanc, director of user experience at Advanced Kiosks, which is exploring biometric technology, also spoke up on the issue.

"To be compliant with existing U.S. and EU laws, any system using facial detection must inform the user that it is happening, allow them to make an informed decision to opt in and allow it, and also to later opt out if they change their mind," LeBlanc said. "Biometric data is extremely sensitive and all care must be taken for storage, transmission and deletion of that data."



More articles by Elliot Maras, RFC®
