Monday, June 5, 2023 | Back issues
Courthouse News Service Courthouse News Service

Illinois justices rule against White Castle in landmark biometric privacy decision

The ruling opens the door for employers to face massive fines for violating Illinois workers’ biometric privacy rights.

CHICAGO (CN) — The Illinois Supreme Court handed hourly workers a win Friday morning, when its majority ruled 4-3 that a violation of the state’s Biometric Information Privacy Act occurs every time an employer collects their employees’ biometric data without consent. 

The case before the state high court, initially filed in Cook County Circuit Court in 2018, is a class action brought by Illinois resident Latrina Cothron against her employer White Castle. Cothron, who has worked for the Ohio-based fast food chain since 2004, said in her complaint that she has been scanning her fingerprint to clock in to work since she started. In all those years, she said, White Castle never got her consent to collect her fingerprint data. 

The company also transmitted her fingerprints to the third-party vendor Cross Match Technologies, which manages White Castle’s database of employee biometrics. Cothron said this too was done without her consent.

In 2008, the Illinois Legislature passed the Biometric Information Privacy Act to prohibit just that kind of behavior in employers. The law requires businesses to get their employees’ written consent before collecting and transmitting any kind of biometric data. Despite the statute, allegations that Illinois employers violate the 2008 law remain extremely common. Upwards of a dozen BIPA complaints are filed each week in Cook County alone. 

Cothron alleged that White Castle is one such violator, continuing to collect and transmit her and other employees’ fingerprint data for more than a decade after BIPA took effect. The case was moved from state to federal court in 2019, where White Castle tried to have it thrown out on the grounds that Cothron’s claims accrued in 2008 and were thus time-barred. Cothron’s attorneys from the BIPA-specialist Chicago law firm Stephan Zouras countered that a distinct BIPA violation occurred not just the first time the company made her scan her fingerprints, but with every subsequent scan since then. 

U.S. District Judge John Tharp Jr., a Barack Obama appointee, sided with Cothron in August 2020 and denied White Castle’s attempt to toss the case. The question of whether Cothron’s finger scans constituted a single alleged BIPA violation or multiple then went before the Seventh Circuit in September 2021, which in turn decided it was a question best left for the Illinois Supreme Court. 

On Friday, the state's top court decided in Cothron’s favor. 

“We hold that a separate claim accrues under the Act each time a private entity scans or transmits an individual’s biometric identifier or information in violation of [BIPA],” Justice Elizabeth Rochford wrote in the 15-page majority opinion. She was joined in that opinion by Justices Joy Cunningham, Mary O’Brien and P. Scott Neville Jr.

The high court majority noted that White Castle’s argument relied on the logic that biometric privacy, once lost, cannot be regained - and thus, cannot be violated more than once. Rochford disagreed with this logic, citing Tharp’s own decision from 2020. 

“We agree with the federal district court that ‘[a] party violates [BIPA] when it collects, captures, or otherwise obtains a person’s biometric information without prior informed consent. This is true the first time an entity scans a fingerprint or otherwise collects biometric information, but it is no less true with each subsequent scan or collection,’” Rochford wrote. 

The majority opinion does not win Cothron’s case for her outright. It must first return to the U.S. District Court of Northern Illinois and proceed with the Illinois Supreme Court’s opinion taken into consideration. But more broadly, the ruling sets a precedent establishing BIPA not just as a remedial statute but a punitive one, and opens the door for companies who violate the Act to face steep penalties - between $1,000 and $5,000 per offense. 

White Castle itself, should Cothron’s suit against it ultimately succeed, may be on the line for more than $17 billion. That’s magnitudes more than even what Facebook paid Illinois users in 2021 to settle its own BIPA class action. In that case, Facebook’s owner Meta Platforms agreed to shell out about $650 million over its clandestine use of facial recognition software. 

The high fines employers may now face under the ruling is cited in the minority dissent, penned by Justice David Overstreet and joined by Justice Lisa Holder White and Chief Justice Mary Jane Theis. Overstreet wrote that the majority opinion would impose “ruinous liability” on offending businesses, and potentially leave those companies who unintentionally but repeatedly violate BIPA facing steeper fines than those who willingly violate it only once. 

“The majority’s interpretation would lead to the absurd result that an entity that commits what most people would probably consider the worst type of violation of the Act— intentionally selling their biometric information to a third party with no knowledge of what the third party intended to do with it—would be subject to liquidated damages of $5,000, while an employer with no ill intent that used that same person’s fingerprint as an authentication method to allow access to his or her computer could be subject to damages hundreds or thousands of times that amount,” Overstreet wrote. 

The majority opinion voiced this concern as well, stating “there is no language in the Act suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business.” 

But Rochford also pointed out that the threat of financial consequences was always a part of the statute’s intent. She urged the Legislature to review BIPA to ensure its penalties are commensurate with an offense and do not kill all businesses that violate it.

“Ultimately… we continue to believe that policy-based concerns about potentially excessive damage awards under the Act are best addressed by the legislature,” Rochford wrote. “We respectfully suggest that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under the Act.”

Cothron’s attorneys at Stephan Zouras did not return a request for comment.  

Categories: Appeals Business Civil Rights Employment Technology

Read the Top 8

Sign up for the Top 8, a roundup of the day's top stories delivered directly to your inbox Monday through Friday.