23 February 2023

As White Castle Faces $17 Billion Fine For Privacy Violations, Other Employers Should Beware

Shipman & Goodwin LLP


Shipman & Goodwin’s value lies in our commitment -- to our clients, to the profession and to the community. We have one goal: to help our clients achieve their goals. How we accomplish it is simple: we devote our considerable experience and depth of knowledge to understand each client’s unique needs, business and industry, and then we develop solutions to meet those needs. Clients turn to us when they need a trusted advisor. With our invaluable awareness of each client’s challenges, we can counsel them at every step -- to keep their operations running smoothly, help them navigate complex business transactions, position them for future growth, or resolve business disputes. The success of our clients is of primary importance to us and our attorneys invest meaningful time getting to know the client's business and are skilled in the practice areas and industry sectors critical to that success. With more than 175 attorneys in offices throughout Connecticut, New York and in Washington, DC, we serve the needs of
As employers explore new ways to store and process biometric employee information, a new decision by the Illinois Supreme Court should cause them to exercise...
United States Privacy
To print this article, all you need is to be registered or login on

As employers explore new ways to store and process biometric employee information, a new decision by the Illinois Supreme Court should cause them to exercise extreme caution when doing so.

The case, Cothron v. White Castle, relates to a federal class action law suit raising issues under the Illinois Biometric Information Privacy Act ("BIPA"). Among other things, BIPA requires any private entity that uses, collects or retains biometric information to provide the individual with a specific form of notice about the collection and use of their biometric information, and obtain their written acknowledgement and consent before collecting or using it.

Latrina Cothron, the plaintiff, sued her employer, White Castle, accusing White Castle of violating BIPA by requiring employees to scan their fingerprint in order to access pay stubs, and then disclosing the fingerprint images to an external vendor responsible for managing the fingerprint scanning system.

The plaintiff argued that each time her fingerprint was scanned or transmitted without her consent, a separate BIPA violation occurred – subject to separate statutory penalties between $1,000 and $5,000 each.

White Castle argued there should be only one statutory penalty per person, regardless of how many times that person's biometric information was scanned or transmitted.

The federal court asked the Illinois Supreme Court to resolve the question of whether BIPA claims accrue each time a private entity scans a person's biometric identifier and each time a private entity transmits such a scan to a third party, respectively, or only upon the first scan and first transmission.

Recognizing the significant consequences of their decision, and the potential $17 billion liability of White Castle, the Illinois Supreme Court held that the statutory language of BIPA was clear in favor the Plaintiff's position and must be given effect.

The Court referred the policy concerns over excessive damages and their destructive effects on companies to the legislature and suggested it clarify its intent under BIPA.

Although this decision only impacts White Castle directly for now, it serves as a stark warning to those who collect or process biometric information to take their obligations seriously under applicable data privacy laws.

BIPA was one of the first state laws to protect biometric information used in business, but many other states, including Connecticut, have followed along.

Connecticut's Act Concerning Personal Data Privacy and Online Monitoring (the "CTDPA"), which takes effect on July 1, 2023, requires the individual's consent before collecting or processing sensitive data (including biometric information) in addition to a privacy notice describing how the individual's personal data (including sensitive biometric information) are used and shared with other parties.

Given the prevalence of biometric information used in modern time-keeping, security, and other systems, employers should evaluate their current policies and data protection practices, along with those of their vendors.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More