BIPA Lawsuit Causes Massive Fine for White Castle

The Illinois Biometric Protection Act is considered one of the gold standards in privacy security. The act safeguards the biometrics of Illinois citizens from being used without their consent. This has led to much scrutiny and litigation in the state and beyond including one involving the fast-food chain White Castle.

Biometrics is anything that is biological in nature that is unique to each person. From eyes, to fingerprints to hair, every person has their own unique biometric signature. In recent years, many companies have started to use these as another way to secure their data. But many jurisdictions have limited or no protections against the collection of this data. Illinois’ BIPA, which passed in 2008 is one of the first and the most stringent.

BIPA establishes standards for how companies must handle Illinois consumers’ biometric information. In addition to its notice and consent requirement, the law prohibits any company from selling or otherwise profiting from consumers’ biometric information. BIPA continues to stand as the most protective biometric privacy law in the nation, with the only one of its kind to offer consumers protection by allowing them to take a company who violates the law to court. (1)

In White Castles case, their potential exposure could result in their bankruptcy as the law applies to any company that operates in the state. In Cothorn v White Castle, a manager sued the fast-food giant over their biometric practices. The plaintiff alleges that when they put biometric identification to allow access into their server, they had done this without informing they would be collecting the data as this was after the Act went into effect. When they found out, they sued for each instance of collected data. At up to $5000 per collection, it amounted to over $17 billion fine that White castle argued they were putting an undue burden on them.(2)

In February 2023, the Illinois Supreme Court ruled 4-3, that White Castle still had an obligation to inform and protect their employees Biometric data. “Under Section 15(b) and 15(d), respectively, companies are prohibited from collecting or disclosing a person’s or a customer’s biometric identifier or biometric information “unless it first” obtains informed consent (emphasis added).[1] Relying on the common definitions of “collect” and “disclose,” the majority determined White Castle’s process of collection clearly fell within the scope of the statute: White Castle obtained its employee’s initial fingerprint scan and stored it for authentication purposes. Thereafter, when the employee needed to access company computers, for instance, a second fingerprint scan was then obtained and sent to a third-party vendor to compare both fingerprints and verify the employee’s identity. In the majority’s view, White Castle failed “to explain how such a system could work without collecting or capturing the fingerprint every time the employee needs to access his or her computer.”(3)

White Castle appealed this decision to the Court of Appeals, but the 7th Court affirmed Illinois Court decision. Barring the Supreme Court stepping in, the ruling is final. The decision now puts a burden on companies operating in the state. If they must use biometric data, they must be able to prove they can protect it otherwise they will be looking at massive fines and or other