White Castle Employee Claims Burger Vendor Violated Biometric Privacy Law for a Decade
The manager of an Illinois White Castle restaurant is seeking enforcement of the state's biometric data privacy law on behalf of all the chain's employees for what she claims is a decade of violations. The proposed class-action lawsuit against the fast-food chain alleges that fingerprint scans used to access restaurant computer systems violate the Illinois Biometric Information Privacy Act (BIPA).
The term "biometric data" covers a variety of identifiers, including fingerprints, retinal scans, voice patterns, signatures, and facial recognition. The plaintiff and restaurant manager, Latrina Cothron, claims that White Castle implemented a fingerprint scanning system to access pay stubs and work computers around 2004. But the company didn't obtain employees' consent to collect and store their biometric data until 2018. BIPA took effect in 2008, leaving a ten-year gap where it seems White Castle may have improperly collected employee data.
But does a BIPA claim accrue each time a person's biometric identifier is scanned and transmitted, or only the first time? On appeal in December 2021, the Seventh Circuit Court of Appeals certified this question to the Illinois Supreme Court for review.
Read the Seventh Circuit's opinion and thousands more with a free trial of Westlaw Edge.
White Castle Could Be On the Hook for Millions
Under BIPA, a private company cannot "collect, capture, purchase, receive through trade, or otherwise obtain" a person's biometric data without providing notice to that person and obtaining their consent.
White Castle argues that the state statute of limitations precludes Cothron's case, based on the theory that her claim only accrued the first time she scanned her fingerprint into the system after BIPA was passed in 2008—more than a decade before she sued. But Cothron argues that every unauthorized fingerprint scan is a separate violation of the statute. Since Cathron, among other White Castle employees, continued to be required to scan their fingerprints regularly in the subsequent decade, this theory would allow her to bring a claim based on later instances that fell within the statute of limitations.
BIPA provides for statutory damages of up to $1,000 per negligent violation and up to $5,000 for reckless or intentional violations, so acceptance of Cothron's argument could have dire consequences for White Castle. But this wouldn't be the first big-time payout for a biometric privacy case. In 2021, TikTok's parent company, ByteDance, agreed to hand over $92 million to settle a class-action BIPA lawsuit.
A Novel Question
The district court rejected White Castle's theory of the case, but thought the question merited analysis by the Seventh Circuit. In its opinion, the Circuit court discusses Illinois claim accrual and the elements of a BIPA claim in an effort to decide what rules should apply.
The Illinois Supreme Court has held that the statute of limitations clock begins to tick "when facts exist that authorize one party to maintain an action against another." Meanwhile, Section 20 of BIPA lays out the statute's private cause of action, giving anyone "aggrieved by a violation" the right to "recover for each violation."
In defending its stance, White Castle compared the unlawful disclosure of employee biometric data to "publication" under defamation and other privacy torts. Therefore, White Castle argued that Illinois' single-publication rule, which states that "[n]o person shall have more than one cause of action...founded on any single publication or exhibition or utterance," makes Cothron's claim untimely.
But the Seventh Circuit held that "there are reasons to doubt" that the single-publication rule should be applied to Cothron's case. By its terms, the Uniform Single Publication Act (adopted by Illinois) covers defamation and other traditional privacy torts in published media such as newspapers, television, and radio. But, the ordinary meaning of the word "disclosure" could lead a fact-finder to conclude that only the first transmission of a biometric identifier is actionable.
Since the Illinois Supreme Court has not yet had a chance to decide whether BIPA claims accrue repeatedly, the Seventh Circuit granted Cothron's request to certify the question to the state supreme court. In January 2022, the Illinois Supreme Court granted White Castle more time to file briefs, extending the deadline to March 3.
Related Resources:
- Podcast: Why You Should Care About Biometric Data Privacy Laws - FindLaw's Don't Judge Me
- Blog Post: Texas Sues Meta for Violating State Biometric Privacy Law - FindLaw's Practice of Law
- Blog Post: Biometric Privacy Lawsuits Are On the Rise - FindLaw's In House
- Blog Post: Can Your Company Avoid Biometric Privacy Lawsuits? - FindLaw's Law and Daily Life