Burgers and Biometrics: The Illinois Supreme Court Permits Up to $17 Billion in Damages for White Castle’s Privacy Violations
By Jeff Johnston, Briana Falcon, and Warner Scott
The Supreme Court of Illinois recently held that use of a fingerprint system by White Castle, Inc. (“White Castle”) to authenticate employees, without the consent of the employees, entailed multiple violations of the Illinois Biometric Information Privacy Act (the “BIPA”), not a single violation.1 As a result, White Castle faces substantial liability if a class is certified and the plaintiffs’ claims are upheld. White Castle estimates that its damages under the multiple violations theory adopted by the Court could exceed $17 billion.
This ruling emphasizes the importance of obtaining informed consent before implementing biometric authentication systems. Companies using systems of this type should monitor this space closely as they may be liable for substantial damages under the BIPA, and other similar legislation in Texas and Washington.
Illinois Biometric Information Privacy Act
In 2008, the Illinois General Assembly passed the Biometric Information Privacy Act, 740 ICLS 14 (West 2018), to regulate the growing use of biometric identifiers of individuals. In its accompanying legislative findings, the Illinois General Assembly noted that biometrics merit increased protection. Biometrics are different from other unique identifiers, the General Assembly reasoned, in that once compromised, biometrics cannot be changed (in contrast to an account number or a password, which can be changed if compromised). Biometric identifiers regulated by the BIPA include:
- retina or iris scans;
- scans of hands; and
- scans of face geometry.
In addition to other requirements, the BIPA prohibits private entities from collecting biometrics without first obtaining the subject’s informed consent.2 Violators of the BIPA are liable for the greater of $1,000 and actual damages for each negligent violation and the greater of $5,000 and actual damages for each reckless or intentional violation.3 Prevailing parties may also recover reasonable attorneys’ fees.
Cothron v. White Castle
The factual background underlying the White Castle decision is relatively ordinary. Lisa Cothron sued White Castle on behalf of a class of White Castle’s current and former Illinois employees, alleging that White Castle implemented a fingerprint scanning system for employee access to pay stubs and computers without first obtaining employee consent in violation of the BIPA.
White Castle’s fingerprint scanning system involved an initial scan of an employee’s fingerprint for setup purposes. After onboarding, an employee’s fingerprint was scanned each time the system was used and compared to the initial scan for authentication. White Castle argued that the first scan was the only collection, but Cothron claimed each subsequent scan of a fingerprint was a separate collection and thus a separate cognizable violation.
Specifically, the Illinois Supreme Court answered the following: “Do [BIPA] section 15(b) and 15(d) claims accrue each time a private entity scans a person’s biometric identifier and each time a private entity transmits such a scan to a third party, respectively, or only upon the first scan and first transmission?”
The Court agreed with Plaintiff Cothron and held that each subsequent scan of an employee’s fingerprint constituted a separate collection or capture of a biometric without prior consent in violation of Section 15(b) of the BIPA. Additionally, the Court held each subsequent scanning authentication to be a disclosure or redisclosure of a biometric indicator without prior consent in violation of Section 15(d) of the BIPA.
White Castle’s class-wide exposure in this case is significant. Plaintiff seeks to represent as many as 9,500 current and former White Castle employees. As White Castle explored in its briefing, assuming Plaintiff worked 5 days per week for 50 weeks per year and accessed the system each day and her pay stub weekly, her total scans would exceed 1,500 over a five-year limitations period. If Plaintiff were to succeed in proving her claims at trial, that would result in damages of $1.8 million for Plaintiff alone. Multiplying $1.8 million by 9,500 class members brings potential class-wide damages to $17.1 billion.
Significantly, the Court noted that damages under the BIPA are not mandatory and that trial courts have discretion when fashioning a damage award in a class action lawsuit that would allow them to “fairly compensate class members” and “deter future violations, without destroying defendant’s business.”
A potential $17 billion liability should get every company’s attention. Companies relying on biometrics should evaluate whether they are compliant with the BIPA and other biometrics protection legislation. In particular, companies should evaluate legacy systems to ensure they are compliant with biometrics legislation that may have been passed after a system was implemented. Companies should also consider obligations related to the use of fingerprint or face scanning authentication on company-provided cell phones and computers. Informed consent is crucial, as is an understanding of how the biometric data is stored and used.
V&E assists clients in identifying, managing, and mitigating data privacy and cybersecurity risks, from early planning and assessment to managing incident response and resulting litigation.
1 Cothron v. White Castle Sys., Inc., 2023 IL 128004 (Feb. 17, 2023).
2 740 ICLS 14/15(b).
3 740 ICLS 14/20.
This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.