Cothron v. White Castle: A Closer Look at One of the Most Important Data Privacy Litigations of 2021
Earlier this year we identified Cothron v. White Castle as a must-watch data privacy case this year and industry experts agree. No. 20-3202 (7th Cir.) (For our prior coverage of the case, you can go here, here and here). The litigation concerns application of the Illinois Biometric Information Privacy Act (“BIPA”) and is up before the Seventh Circuit. Because any ruling from the Seventh Circuit will likely impact data privacy litigations more broadly, we’re giving you a breakdown of the issues involved in advance of oral argument on the case TOMORROW.
First, a recap of the facts of the dispute. After Plaintiff started working at a White Castle in Illinois in 2004, White Castle began using an optional, consent-based finger-scan system for employees to sign documents and access their paystubs and computers. Plaintiff consented in 2007 to the collection of her biometric data and then 11 years later—in 2018—filed suit against White Castle for purported violation of BIPA.
Plaintiff alleged that White Castle did not obtain consent to collect or disclose her fingerprints at the first instance the collection occurred under BIPA because BIPA did not exist in 2007. Plaintiff asserted that she was “required” to scan her finger each time she accessed her work computer and weekly paystubs with White Castle and that her prior consent to the collection of biometric data did not satisfy BIPA’s requirements. According to Plaintiff, White Castle violated BIPA Sections 15(b) and 15(d) by collecting, then “systematically and automatically” disclosing her biometric information without adhering to BIPA’s requirements (she claimed she did not consent under BIPA to the collection of her information until 2018). She sought statutory damages for “each” violation on behalf of herself and a putative class.
White Castle moved to dismiss Plaintiff’s claims, citing in support of dismissal Plaintiff’s 2004 and 2018 consents. The district court denied the motion, holding that White Castle did not obtain a BIPA-compliant written release from Ms. Cothron before her first scan “because BIPA did not exist yet,” and concluding the subsequently executed 2018 consent could not serve as a waiver of Plaintiff’s BIPA claims for her prior scans.
Undeterred, White Castle then moved for judgment on the pleadings on the basis that Plaintiff’s Section 15(b) and 15(d) BIPA claims are time barred because they accrued in 2008, with the first scan of Plaintiff after BIPA’s enactment. Yet again, the district court sided with Plaintiff. The court held that “[o]n the facts set forth in the pleadings, White Castle violated Section 15(b) when it first scanned [Plaintiff’s] fingerprint and violated Section 15(d) when it first disclosed her biometric information to a third party.” The court also held that under Section 20 of BIPA, Plaintiff could recover for “each violation.” The court rejected White Castle’s argument that this was an absurd interpretation of the statute not in keeping with legislative intent, commenting that “[i]f the Illinois legislature agrees that this reading of BIPA is absurd, it is of course free to modify the statue” but “it is not the role of a court—particularly a federal court—to rewrite a state statute to avoid a construction that may penalize violations severely.”
White Castle filed an appeal of the district court’s ruling with the Seventh Circuit. As presented by White Castle, the issue before the Seventh Circuit is “[w]hether, when conduct that allegedly violates BIPA is repeated, that conduct gives rise to a single claim under Sections 15(b) and 15(d) of BIPA, or multiple claims.”
Oral argument is scheduled before the Seventh Circuit Tuesday, September 14 at 10:30 am EST.
Because other biometric and privacy laws have consent requirements and liquidated damages available through a private right of action that are similar to BIPA, a ruling in this case is likely to have widespread implications. And in any event, nearly 1,000 BIPA cases have been filed in the past five years, many of which are putative actions brought against employers such as White Castle that utilize biometric technology. If the district court’s decision stands, there will likely be a reassessment of whether the benefits of using such technology are outweighed by the risk of punitive damages under BIPA of $1,000 or $5,000 for each scan (which can occur every time an employee clocks in and clocks out of work, for example).