The lawsuit claims that White Castle violated state law when it collected thousands of employees’ biometric information without first obtaining their consent.
The Illinois Supreme Court found that White Castle System Inc. must face a lawsuit alleging that it repeatedly scanned the fingerprints of about 9,500 employees without their consent.
According to Reuters, the state’s Biometric Information Privacy Act, or BIPA, imposes penalties of $1,000 per violation and $5,000 per reckless or intentional violations.
Under BIPA, companies must typically obtain a worker’s permission before collecting employees’ fingerprints, retinal scans, and other biometric information.
The same law also protects Illinois consumers.
In total, White Castle could face penalties of up to $17 billion.
Attorneys for the popular fast food chain said that it should only be liable for the initial collection of each employee’s fingerprint—not every time the fingerprint was later scanned to access a company computer system or other feature.
Perhaps not surprisingly, White Castle’s position is supported by a number of business groups, including the U.S. Chamber of Commerce.
In a statement released last year, the Chamber said that, if claims against White Castle are upheld, other businesses could face similar, financially devastating lawsuits.
The Chicago Tribune notes that, in its majority opinion, the Supreme Court said that, while the Illinois legislature clearly intended to use “substantial potential liability” to protect residents’ biometric information, “there is no language in the Act suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business.”
“Ultimately, however, we continue to believe that policy-based concerns about potentially excessive damage awards under the Act are best addressed by the legislature,” Justice Elizabeth Rochford wrote in the majority opinion. “We respectfully suggest that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under the Act.”
Nevertheless, in a Friday ruling, the Illinois Supreme Court said that the Biometric Information Privacy Act broadly prohibits “collecting” or “capturing” biometric information without consent—and that White Castle collected its workers’ fingerprints every time they used its internal computer system.
James Zouras, an attorney for the named plaintiff in the lawsuit, told Reuters that the Supreme Court’s decision means that companies cannot avoid their legal obligations to safeguard corporate information.
“Hopefully, today’s decision will encourage employers and other biometric data collectors to finally start taking the law seriously,” Zouras said.
The Chicago Tribune notes that three justices dissented, with Justice David Overstreet saying that liability should be limited to initial violations.
“There is only one loss of control or privacy, and this happens when the information is first obtained,” Overstreet wrote. “Imposing punitive, crippling liability on businesses could not have been a goal of this Act.”
The Supreme Court’s decision will return the case to federal trial court, which will determine whether the lawsuit can be certified as a class action.