Wendy's
A sign is posted in front of a Wendy's restaurant in Daly City, California, on Aug. 10, 2016. Getty Images/Justin Sullivan

A lawsuit has been filed against Wendy's in Illinois, which claimed the fast food restaurant stored fingerprint data of its employees and used biometric scanners to keep track of its staff without their knowledge — something that is illegal according to the state’s law.

"While there are tremendous benefits to using biometric time clocks in the workplace, there are also serious risks. Unlike key fobs or identification cards--which can be changed or replaced if stolen or compromised--fingerprints are unique, permanent biometric identifiers associated with the employee," the plaintiffs said in the complaint, a copy of which was obtained by ZD Net. "This exposes employees to serious and irreversible privacy risks."

The lawsuit was filed by plaintiffs, represented by former Wendy's employees Martinique Owens and Amelia Garcia, on Sept. 11, in a Cook County court, Illinois.

It claimed Wendy’s uses biometric time clocks to record the punching in and leaving times of its employees, including when and by whom the Point-Of-Sale (POS) and cash register systems are being used without informing the staff what their fingerprint data was being used for and for how long the data will be stored by the company, both of which was required by the Illinois Biometric Information Privacy Act (BIPA).

According to BIPA, “No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first, informs the subject or the subject's legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored” and “of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used.”

The law also mandates the entity collecting the data first get a “written release executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative.”

According to the complaint, Wendy’s failed to meet all of the specified conditions while collecting, storing and using biometric data from its staff.

Apart from failing to disclose the purpose for which their data was collected by the company, the lawsuit alleged that Wendy’s didn't even explicitly inform its employees of the time frame till when their fingerprints will be stored in the company’s database. As a result, there was no way of knowing if the company was retaining the biometric data of employees who had left the company or had been fired.

If this is indeed the case, it also stands in violation of Section 15A of BIPA, which states that “A private entity in possession of biometric identifiers or biometric information must develop… a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual's last interaction with the private entity, whichever occurs first.”

Although Discovery NCR Corporation, a software provider that supplies Wendy's with the biometric clocks and POS and cash register access systems used in restaurants, wasn’t named in the lawsuit, plaintiffs believe the former might be holding records of the biometric data collected from the employees too.

The complaint demanded Wendy’s disclose if it "sold, leased, traded, or otherwise profited from Plaintiffs' and the Class's biometric identifiers or biometric information," and that the company be liable for paying equitable relief, litigation expenses, and attorneys' fees. The amount of damages sought by the plaintiffs was not mentioned.

Wendy’s closed at $17.17 Friday on NASDAQ, down by 1.77 percent.