
As employers explore new ways to store and process biometric employee information, a new decision by the Illinois Supreme Court should cause them to exercise extreme caution when doing so. 

The case, Cothron v. White Castle, relates to a federal class action lawsuit raising issues under the Illinois Biometric Information Privacy Act (“BIPA”). Among other things, BIPA requires any private entity that uses, collects or retains biometric information to provide the individual with a specific form of notice about the collection and use of their biometric information, and to obtain their written acknowledgement and consent before collecting or using it.

Latrina Cothron, the plaintiff, sued her employer, White Castle, accusing White Castle of violating BIPA by requiring employees to scan their fingerprint in order to access pay stubs, and then disclosing the fingerprint images to an external vendor responsible for managing the fingerprint scanning system. 

The plaintiff argued that each time her fingerprint was scanned or transmitted without her consent, a separate BIPA violation occurred – subject to separate statutory penalties between $1,000 and $5,000 each. 

White Castle argued there should be only one statutory penalty per person, regardless of how many times that person’s biometric information was scanned or transmitted.                

The federal court asked the Illinois Supreme Court to resolve the question of whether BIPA claims accrue each time a private entity scans a person’s biometric identifier and each time a private entity transmits such a scan to a third party, respectively, or only upon the first scan and first transmission. 

Recognizing the significant consequences of their decision, and the potential $17 billion liability of White Castle, the Illinois Supreme Court held that the statutory language of BIPA was clear in favor of the Plaintiff’s position and must be given effect.

The Court referred the policy concerns over excessive damages and their destructive effects on companies to the legislature and suggested it clarify its intent under BIPA.

Although this decision only impacts White Castle directly for now, it serves as a stark warning to those who collect or process biometric information to take their obligations seriously under applicable data privacy laws. 

BIPA was one of the first state laws to protect biometric information used in business, but many other states, including Connecticut, have followed suit.

Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring (the “CTDPA”), which takes effect on July 1, 2023, requires the individual’s consent before collecting or processing sensitive data (including biometric information) in addition to a privacy notice describing how the individual’s personal data (including sensitive biometric information) are used and shared with other parties. 

Given the prevalence of biometric information used in modern time-keeping, security, and other systems, employers should evaluate their current policies and data protection practices, along with those of their vendors.