Fast food chain White Castle can’t slide away from a class action ordered up by a former worker claiming the restaurant group violated an Illinois state biometrics privacy law in the way it required workers to scan fingerprints when punching in and out of work shifts.
On June 16, U.S. District Judge John J. Tharp Jr. declined to dismiss many of the claims brought in the class action lawsuit against White Castle, accusing it of not abiding by the requirements of the Illinois Biometric Information Privacy Act.
The decision by Tharp largely stuck to the lines drawn out by a decision earlier this spring delivered by a federal appeals court in a case that dealt with the same questions presented in the class action against White Castle.
In short, Judge Tharp ruled some of the claims against White Castle under BIPA don’t belong in federal court – but others do. And the judge said those claims are not cut short by an appeal to Illinois’ state worker’s compensation law.
In early 2019, attorneys with the law firm of Stephan Zouras LLP, of Chicago, filed suit against White Castle in Cook County Circuit Court in Chicago. The putative class action lawsuit was filed on behalf of named plaintiff Latrina Cothron. According to the complaint, Cothron had worked for White Castle since 2004, and still works as a manager at one of the burger chain’s restaurants.
According to the complaint, Cothron and other workers have been required since at least 2007 to scan their fingerprints to verify their identities when either punching the clock to begin or end work shifts, or when accessing store management software on company computers.
However, the complaint asserted White Castle required those fingerprint scans without first obtaining consent from Cothron and other workers, or without providing them a series of notices concerning how the data would be stored, used, shared and ultimately destroyed.
The lawsuit also accused White Castle of not posting a publicly available written policy concerning its employee biometric data retention policies.
The lawsuit asserts these alleged missteps by White Castle violate separate provisions within the Illinois BIPA law. The requirements owed to individuals concerning notice and consent, and concerning how biometric data is stored and shared, are in the provisions known as Sections 15(b) and 15(d).
The requirement concerning the publicly available written policy are in Section 15(a) of the law.
After White Castle removed the case from Cook County court to federal court, the restaurant chain also moved to dismiss the action.
The risk posed to White Castle from the lawsuit is not slight. Under BIPA, plaintiffs can demand damages of $1,000-$5,000 per violation. And a violation in such cases can be defined under the law as each time an employee in Illinois scans their fingerprint on a company device. This could leave White Castle on the hook for many millions of dollars in damages.
The restaurant chain leveled two primary defenses.
First, they asserted Cothron waived her rights to bring this lawsuit, because she had been employed by White Castle and had begun scanning her fingerprints before BIPA was enacted in 2008.
The company also claimed, to the extent she and other workers may have been harmed, their claims should be considered a worker’s compensation claim under Illinois law, which would have removed the possibility of a class action claim in any court.
Judge Tharp largely rejected White Castle’s contentions.
Addressing concerns over the length of Cothron’s tenure with the burger chain, Tharp noted White Castle provided Cothron in 2018 with a consent form to sign, giving permission to the company to scan and store her fingerprint data. Cothron signed the document at that time.
The judge noted in 2008, when Illinois enacted the BIPA law, “the legal landscape changed but White Castle’s practices did not – at least for roughly ten years.”
“Nothing in Ms. Cothron’s complaint or in the 2018 form indicates that Ms. Cothron knew she was waiving her right to bring suit against White Castle for past violations of BIPA,” the judge wrote.
“… White Castle could not have relied on Ms. Cothron’s 2018 consent form in implementing its 2007 fingerprint-based computer system or in failing to update its policies after the 2008 passage of BIPA.”
Tharp also doused White Castle’s claims that Cothron’s claims belong in the state’s worker’s comp system.
Tharp said “numerous trial courts in Illinois” have all found the kinds of privacy injuries alleged in Cothron’s class action are separate from the kinds of injuries that are covered by the worker’s comp law.
Therefore, Tharp ruled claims under BIPA are “not preempted” by the Illinois worker’s comp law.
The judge dismissed Cothron’s claims under Section 15(a).
The judge pointed to the recent ruling by the U.S. Seventh Circuit Court of Appeals, in the case known as Bryant v Compass Group. In that case, plaintiffs had argued Compass Group, which operates vending machine kiosks accessed by a customer’s fingerprint, had violated BIPA in much the same way as Cothron has accused White Castle.
In the Compass Group case, the appeals judges had differentiated between the claims under the various provisions within the BIPA law. They said claims under Section 15(a) concerning the public posting of a data retention policy cannot be considered an injury against any particular individual, but against the public in general. However, they said claims under the other BIPA sections, concerning consent and notice to individuals, and concerning the actual treatment of data, can be considered to have harmed people.
And those people are then eligible to sue in federal court under BIPA, the court ruled.
Tharp similarly ruled Cothron’s Section 15(a) claims can’t continue, but White Castle must continue to defend itself against her additional allegations under Sections 15(b) and 15(d).
White Castle is represented in the action by attorneys with the firm of Shook Hardy & Bacon, of Chicago.