Bloomberg Law
Free Newsletter Sign Up
Bloomberg Law
Advanced Search Go
Free Newsletter Sign Up

White Castle Biometric Privacy Case to Shape Litigation Landscape

Sept. 7, 2021, 9:00 AM

A Seventh Circuit case heading to oral argument will clarify when claims accrue under the oft-cited Biometric Information Privacy Act, impacting that type of litigation in Illinois and beyond.

At the heart of the case, Cothron v. White Castle Sys. Inc., is whether BIPA claims accrue each time a company violates the law or if only the first instance of violation constitutes a claim. The U.S. Court of Appeals for the Seventh Circuit’s decision will likely have wide-reaching implications, since additional claims mean greater damages, and a series of violations as opposed to just one stretches the law’s statute of limitations, attorneys and advocates say.

The plaintiff, Latrina Cothron, sued her employer, the fast food chain White Castle, accusing the company of using her fingerprints as part of its timekeeping system without first obtaining written consent. Employees in sectors ranging from restaurants to retail have levied class action lawsuits under the law, creating headaches for businesses trying to guard against legal liability.

A ruling from the Seventh Circuit on the BIPA issues presented by this appeal is likely to be dispositive, said Kristin Bryan, a Cleveland-based senior associate at Squire Patton Boggs. The court is scheduled to hear argument Sept. 14.

“Potentially billions of dollars hang on the line for this Seventh Circuit appeal,” Bryan said. “It’s going to have a huge impact on current and future litigation.”

Case History

Cothron sued White Castle in December 2018 in Illinois state court, accusing the Columbus, Ohio-based fast food chain of violating BIPA. She began working at the company in 2004, and said White Castle began collecting her fingerprints about three years later.

She was a manager when she sued the chain in 2018, but her attorneys didn’t respond to a request for comment confirming whether she still works there.

The case was removed to the Northern District of Illinois in January 2019, and in August 2020 Judge John J. Tharp Jr. ruled that Cothron had alleged multiple timely violations of BIPA.

Such a reading—that each collection point or disclosure could constitute a separate violation—is absurd, businesses argued. But Tharp in his ruling wrote he was bound by the “clear text” of the statute.

“If the Illinois legislature agrees that this reading of BIPA is absurd, it is of course free to modify the statute to make its intention pellucid,” Tharp wrote. “But it is not the role of a court—particularly a federal court—to rewrite a state statute to avoid a construction that may penalize violations severely.”

BIPA provides $1,000 in liquidated damages per negligent violation and $5,000 in liquidated damages per intentional or reckless violation.

Attorneys representing Cothron declined to comment about the upcoming argument, and attorneys representing White Castle didn’t respond to a request for comment.

Illustration: Jonathan Hurtarte/Bloomberg Law

What’s at Stake

Though BIPA was passed in 2008, it’s still largely considered a new and untested statute, said Kristin Madigan, a San Francisco-based partner at Crowell & Moring LLP focused on privacy, cybersecurity, and litigation.

“These are not deep merits questions that are being dealt with,” Madigan said. “We’re still at the initial pleading and gating questions—who has standing? Which statute of limitations applies?”

The Seventh Circuit may choose to adopt the district court’s reading, reverse it, or certify the question to the Illinois Supreme Court to answer, she said.

Because of its status as one of the most frequently litigated data privacy statutes, any development within BIPA case law is important in its own right, Bryan said.

The case also has broad implications for similarly situated laws that provide for liquidated damages, including the California Consumer Privacy Act, Bryan added.

“Any ruling from the 7th Circuit Court of Appeals will be a persuasive authority to other courts when confronted with data privacy class actions,” she said.

The White Castle case is significant because it tackles a thorny “threshold” question, said Quyen Truong, a partner at Stroock & Stroock & Lavan LLP in Washington and former assistant director at the Consumer Financial Protection Bureau.

When claims accrue—whether only at the first instance or each subsequent instance—can have broad-ranging implications for the law’s statute of limitations, she said.

“The Seventh Circuit’s ruling could greatly clarify whether a case could be brought at all in some circumstances and whether the liability exposure could increase exponentially,” Truong said.

Friends of the Court

The Electronic Privacy Information Center, a technology advocacy group, filed an amicus brief urging the Seventh Circuit to rule that an individual suffers legal injury under BIPA each time a regulated entity violates that person’s statutory rights.

Ruling contrary to that would “gut” a statute that’s effective and well-designed, said John Davisson, senior counsel at the organization.

“It’s about incentivizing companies to correct their errors or their mishandling of personal and biometric data in particular,” Davisson said. “It’s also about compensating individuals whose data has been misused and to ensure that they’re not given a small fraction of the remedies to which they’re entitled.”

Companies could be less inclined to follow the law and may abuse workers’ biometric data if the ability to issue penalties is curtailed, Davisson added.

But counting each biometric collection as a separate violation would have “catastrophic” impacts on businesses, said Meredith Slawe, the Philadelphia-based co-chair of Cozen O’Connor’s class actions practice and chair of its retail group.

That’s because damages could rapidly multiply for employees who, for example, have to scan their fingerprint dozens of times per day to use a computer terminal at a restaurant, said Slawe, who filed an amicus brief on behalf of the Retail Litigation Center Inc. and the Restaurant Law Center.

Those potential damages would be compounded by a would-be class action with dozens or hundreds of class members, she added.

Biometric timekeeping or security systems are beneficial because they reduce friction, prevent time theft or “buddy punching,” increase productivity, and ensure accurate wage payments, Slawe said.

But some businesses are already treating timekeeping technologies differently in their Illinois operations for fear of litigation, and others may abandon such technology altogether for traditional punch cards if the court decides each separate instance is a separate violation of the law, she said.

“It could transform a statute that already has a robust statutory damages element into something that’s crushing and disproportionate,” Slawe said. “You’re potentially instituting catastrophic liability on businesses operating in good faith.”

Stephan Zouras LLP represents Cothron. Shook, Hardy & Bacon LLP represents White Castle.

The case is Cothron v. White Castle Sys. Inc., 7th Cir., No. 20-3202.

To contact the reporter on this story: Jake Holland in Washington at

To contact the editors responsible for this story: Kibkabe Araya at; Keith Perine at