Illinois Supreme Court scans BIPA menu, orders big fines

Illinois employers who use employees’ fingerprints, face scans, or other biometric identifiers to enable workers to access timekeeping, payroll, IT, or other systems have long been on notice that the Illinois Biometric Information Privacy Act (BIPA) imposes an obligation to obtain an employee’s informed consent before collecting, storing, and using such information.

A recent decision from the Illinois Supreme Court, which may lead to catastrophic damage awards, means that those who fail to address BIPA compliance may find their castle in ruins.

Queen of the castle

Starting in 2004, Latrina Cothron worked as a manager of a White Castle restaurant in Illinois. Shortly after she began her employment, White Castle introduced a system that required employees to scan their fingerprints to access their pay stubs and computers. A third-party vendor, Cross Match Technologies, then verified each scan and authorized the employee’s access.

In late 2018, Cothron sued White Castle on behalf of Illinois employees of the fast-food restaurant chain, alleging that the company had violated BIPA because it failed to seek employees’ consent to acquire, store, and use their fingerprints.

After some procedural skirmishes that are not pertinent here, the case made its way to federal court in Chicago, where White Castle argued that Cothron’s suit was untimely. The company claimed that Cothron waited too long to file the suit after White Castle first obtained her biometric data after BIPA’s effective date in 2008.

Original slider