The last thing people think of when White Castle pops into their head is biometric privacy, but that may change after reading this.
The fast food giant clearly violated an Illinois law safeguarding biometric information, but the broader application is that the verdict also specified that a separate claim can accrue each time that data is captured or disseminated without consent. Illinois passed the Biometric Information privacy Act (BIPA) in 2008, regulating the use, storage and collection of biometric data – including fingerprints, retinal scans, or captures of hand or face geometry. BIPA dictates that employers cannot obtain the biometric information of an employee without consent. More importantly, it also states that employers cannot disseminate or distribute the info without consent.
White Castle employees were required to use their fingerprint for computer access and/or accessing pay stubs. The worker would scan their fingerprint, which was then relayed to a third-party vendor called Cross Match Technologies. Cross Match verified each scan, authorizing the employee’s access. White Castle implemented this technology around 2005, and BIPA was passed in 2008. White Castle didn’t request this particular employee’s consent in obtaining the data until 2018.
Legislation on biometric privacy at the federal level isn’t out of the question. A bill was introduced at the height of the COVID-19 pandemic in August 2020 but was put on the backburner in light of more pressing issues. Ten states already have laws protecting biometric data access, and dozens more have something similar moving through the legislative process. If you’d like to read more about this case and its implications, check out this Roetzel & Andress Employer Alert.
Not having operations in states with BIPA laws doesn’t mean your business can’t be impacted by them. The Ohio Bar Association has some great insight on the potential reach of BIPA legislation.