On Tuesday, Judge John J. Tharp, Jr. of the Northern District of Illinois partially granted dismissal of biometric violations against White Castle. Former employee Latrina Cothron sued the restaurant chain alleging that the company violated Illinois’ Biometric Information Privacy Act (BIPA) by requiring her to use her fingerprint to access her workplace computer without seeking permission to disclose her biometric information to third parties.
White Castle sought to dismiss Cothron’s claims for failure to state a claim. The Northern District found that Cothron lacks standing for claims under section 15(a) of BIPA, but found adequate standing for claims made under sections 15(b) and 15(d) claims, so White Castle’s motion to dismiss these claims are denied.
In 2007, White Castle “introduced a fingerprint-based computer system that required Cothron, as a condition of continued employment, to scan and register her fingerprint in order ‘to access the computer as a manager and access her paystubs as an hourly employee.’” Plaintiff Cothron states that the system “involved transferring the fingerprints to two third-party vendors – Cross Match and Digital Persona – as well as storing the fingerprints at other separately owned and operated data-storage facilities.” Since BIPA was not yet enacted at that time, White Castle did not execute some of the requirements, such as obtaining a written release from employees to collect and transfer fingerprints. White Castle also did not provide information about the purpose of collecting the fingerprints, how long the fingerprints would be stored, and its data retention policy. Once BIPA was enacted, White Castle allegedly did not immediately update its policies. It was nearly ten years later, in 2018, that White Castle provided plaintiff Cothron with a consent form, and posted about its retention schedule and data destruction guidelines.
BIPA has several requirements for entities that utilize biometric data, including fingerprints. Section 15(a) requires “that a private entity ‘in possession of’ biometric data…develop a written, publicly available policy that includes a retention schedule and destruction guidelines…” Meanwhile, Section 15(b) states that before collecting biometrics, “entities must first…inform the person in writing that the information is being collected and stored…” Lastly, Section 15 (d) states that “entities in possession of biometric data may only disclose or ‘otherwise disseminate’ a person’s data upon obtaining the person’s consent or in limited other circumstances…”
The court examined if the plaintiff met standing requiremetns for each of the sections alleged to have been violated. The court found that “Ms. Cothron’s alleged Section 15(b) injury is concrete and particularized…White Castle failed to provide her with substantive, personal information about the collection, storage, and use of her fingerprint data…” The Section 15(a) analysis is new, noting that the failure to have a “written retention and destruction policy” publicly available “was a harm to the public.”
The court rejected claims over the deletion of the plaintiff’s data. because “Ms. Cothron has pleaded facts indicating that no violation occurred.” The court concluded that the plaintiff did not establish standing for claims made under section 15(a). However, the judge did find standing for claims made under sections 15(b) and (d), which concern the “informed-consent” regime of BIPA. The court specifically found that a waiver signed by the plaintiff cited by White Castle did not constitute a waiver of right to sue for past violations. Finally, the court rejected claims that the suit was preempted by the Illinois Worker’s Compensation Act.
Cothron is represented by Stephan Zouras, LLP. White Castle is represented by Shook, Hardy & Bacon.