Burgers, Biometrics and…Billions…

27 February 2023 | Applicable law: US | 5 minute read

llinois Supreme Court Determines Every Biometric Scan or Transmission is a Separate BIPA Violation, Leading to an Estimated Maximum $17 Billion Fine.

Key Takeaways

Failure to comply with the requirements of BIPA could lead to potentially devastating fines and give class action lawyers significant leverage in forcing high-value settlements. It remains vital for companies to:

  • Review if and how biometric information is collected 
  • Update policies and procedures to comply with BIPA and other biometric laws
  • Ensure that appropriate retention periods are set and disclosed
  • Obtain informed consent for collection and processing of biometric information
  • Evaluate disclosure of biometric information to service providers and other third parties

On February 17, 2023, the Illinois Supreme Court issued a ruling in Latrina Cothron v. White Castle System, Inc., holding that a separate violation occurs – and separate claim accrues – every time biometric information or a biometric identifier is scanned or transmitted in violation of the Illinois Biometric Information Privacy Act (BIPA). The case arose from White Castle Systems, Inc. (White Castle), beginning before BIPA came into effect in 2008, requiring its employees to scan their fingerprints to access their pay stubs and computers; a third-party vendor (who was ultimately dismissed from the case), then verified each scan and authorized the employees' access. 

BIPA requires that companies obtain informed consent for the collection, storage, and use of biometric data.  The law also requires disclosure of the retention period for the information and the specific purpose for the information's collection, storage, and use. 

In a 9,000-person class action lawsuit, the named plaintiff, a manager at White Castle, alleged improper collection of her biometric information based on the absence of the consent required by BIPA. White Castle moved for judgment on the pleadings, arguing that the action was untimely since the claim accrued in 2008 when White Castle first obtained the plaintiff's biometric data. The plaintiff argued that a new claim accrued each time she scanned her fingerprints and White Castle sent the data to the third-party authenticator, rendering the action timely.

In a 4-3 decision, the court found that each time an employee scanned their fingerprint, a new collection violation occurred, and a new disclosure violation occurred each time that collected data was transmitted to the third-party vendor. Since there were ongoing violations, it meant the suit was timely. The decision also meant that with statutory damages of up to $1,000 for each negligent violation and $5,000 for each willful violation, the violations by White Castle could lead to statutory damages up to approximately $17 billion. However, it is also important to note that the amount of the fine is discretionary, and the courts could impose significantly lower amounts.

This decision serves as a strong reminder to make sure that if you're collecting biometric information, BIPA fines aren't also on the menu. The plaintiff's team is likely congratulating themselves on a well-done job, while White Castle may be feeling rather steamed.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.


Related experience

As a full-service law firm, we are able to provide advice and information about a wide range of other issues. Here are some related areas.

Join the club

We have lots more news and information that you'll find informative and useful. Let us know what you're interested in and we'll keep you up to date on the issues that matter to you.