(June 2, 2021) - McDonald's use of voice recognition software to identify customers at restaurant drive-thrus is a violation of Illinois' biometric privacy law, according to a lawsuit the fast-food giant has removed to Chicago federal court.

Carpenter v. McDonald's Corp., No. 21-cv-2906, notice of removal filed (N.D. Ill. May 28, 2021).

The lawsuit, originally filed in the Cook County Circuit Court in April, accuses McDonald's Corp. of violating the Illinois Biometric Information Privacy Act, 740 Ill. Comp. Stat. Ann. 14/1, by using voice recognition technology and storing customers' voiceprints without permission.

McDonald's removed the suit to the U.S. District Court for the Northern District of Illinois on May 28.

BIPA, enacted in 2008, seeks to protect sensitive biometric indicators such as voiceprints, fingerprints, face scans and palm prints.

In 2020, McDonald's deployed voice recognition software to restaurants across the nation, including in Illinois. The technology allows customers to place orders without human interaction. It also collects voiceprint biometrics which, combined with license plate scanning technology, can identify repeat customers "to provide a tailored experience," according to the suit.

When a customer places an order at the drive-thru, the system "extracts the customer's voiceprint biometrics to determine such unique features of the customer's voice as pitch, volume, duration, as well as to obtain identifying information such as the customer's age, gender, accent, nationality, and national origin," the suit says.

McDonald's violates BIPA when it fails to notify or get the consent of its customers to collect their voiceprint, according to the suit. The company also does not provide a publicly available data retention policy that describes what the company does with the information or how long it is stored, the suit says.

The suit, filed by Eugene Y. Turin of McGuire Law PC in Chicago, seeks to establish a class that includes everyone within Illinois whose voiceprint biometric information McDonald's collected or stored. In addition to attorney fees and costs, the suit seeks damages of $5,000 for each reckless or willful BIPA violation and $1,000 for each negligent BIPA violation.