White Castle Lawsuit Shows Future of Biometric Data Privacy

James Grieco
James Grieco
Mar 9, 2023
min read
White Castle Lawsuit Shows Future of Biometric Data Privacy

Fast food chain White Castle has found itself in a world of trouble after running afoul of Illinois’s Biometric Information Privacy Act (BIPA). The Illinois Supreme Court ruled in a 4-3 decision several weeks ago that the chain is legally responsible for each instance where it scanned employee fingerprints over a nearly decade-long span. 

With BIPA fines sitting at $1000 per violation and $5000 for reckless and/or intentional violations, White Castle representatives claim the decision could cost the chain up to $17 billion.

The law, which came into effect in 2008 and requires companies to receive permission before collecting or processing an individual’s biometric data, is one of the most unique data privacy regulations in the United States. 

Illinois is one of just 5 states–alongside New York, Texas, Vermont, and Washington–with a law regulating the use of biometric data, and it is the only one that features a private right of action for individuals. 

While the EU’s GDPR regulates biometric information, the current state-level patchwork of data regulations in the U.S. means no such protections exist. Even among comprehensive state regulations, only California’s CCPA both covers biometric data and allows for individuals to bring lawsuits. 

However, the private right of action is limited as it only applies to cases where biometric data was exposed or leaked due to negligent data privacy practices, and not applicable to misuse itself in collecting or processing said data, as is the case in Illinois’s BIPA.

This is why BIPA stands as one of the fiercest laws in the country, as evidenced by the $650 million settlement Facebook reached over the use of facial recognition software without consent back in 2020. 

Now White Castle stands as the most recent corporation to be hit with a 9-figure fine for violating BIPA. The case, Cothron v. White Castle, is the second meaningful judicial decision on the law this year, as the Illinois Supreme Court had previously ruled in Tims v. Black Horse Carriers that the biometric privacy law is subject to a five-year statute of limitations, rather than the year-long statute businesses have been arguing for. 

As White Castle did not receive consent from employees to use their fingerprints until 2018, thus well within the 5-year statute, the entire 10-year period is applicable to fines. Over that decade, White Castle scanned the fingerprints of over 9500 employees without consent as a requirement to use company computers to do things such as view pay stubs and other work-related matters.

(Considering employees are scanning fingerprints for what can be argued are work-related necessities, even the consent the company has obtained post-2018 can be viewed as questionable, but that is a discussion for another day.)

White Castle knows and has acknowledged the company committed these violations, as the Illinois Supreme Court case was not over whether violations had occurred, but rather how many. 

The company argued a violation only occurred the first time an employee’s fingerprints were scanned, which would bring the fine to a total of around $9.5 million. The court ruled against that interpretation, opting to back BIPA by declaring that each separate time an employee’s fingerprints were scanned, a violation occurred. 

While the combination of these two court decisions will be seen as being unfriendly to business, they are a welcome step forward for data privacy and protection in America. 

Employee data has had lackluster protection up until this year with the CPRA amendments finally extending previous data rights to employees as well as users, but with the lack of serious data regulations in the U.S., Illinois’s Biometric privacy law is one of the few to force companies into properly handling employee data.

Nearly a dozen states have introduced some form of biometric data protection over the past two years, with the majority featuring some kind of protections for employees (since many drafts have been modeled off the Illinois law), showing a real sense of urgency to catch up on data protection issues. 

The White Castle ruling could spur forward momentum for many of those proposals, as it has seen both a corporation acknowledge wrong-doing and will likely result in a considerable settlement that acts as a public deterrent to other businesses committing egregious violations. 

With the rapid development of “deepfake” technologies mimicking facial scans and voiceprints, it is paramount that data privacy laws begin regulating biometric data as strictly, if not moreso, than PII. 

For BIPA to win another landmark decision means the law can serve as a champion and guide for other biometric privacy laws, a telling sign that regulation might be up for the greater battle on data protection. 

That’s a welcome development for consumers, even if it leaves White Castle as the sacrificial lamb.