One Manager, One Fingerprint, One Decade of Violations

Latrina Cothron has worked at a White Castle restaurant in Illinois since 2004. Shortly after she was hired, her employer installed a system requiring workers to scan their fingerprints every time they needed to access a work computer or view their own pay stub. A third-party company verified each scan. No consent was ever requested. That situation continued for over a decade.

• Illinois’s Biometric Information Privacy Act took effect on October 3, 2008. From that date forward, every fingerprint scan performed without prior written consent and written notice was a violation of state law. White Castle kept scanning.
• White Castle did not attempt to obtain worker consent until 2018, roughly ten years after BIPA’s effective date. The gap between the law taking effect and the company seeking consent represents the entire window of alleged illegal conduct.
• Every scan fed into a database held by a third-party vendor. Under BIPA section 15(d), transmitting biometric data to any outside party without consent is its own separate category of violation, distinct from the collection violation under section 15(b).
• Cothron filed her lawsuit as a proposed class action in Cook County Circuit Court on behalf of all Illinois White Castle employees. The case was moved to federal court under the Class Action Fairness Act. She eventually dismissed the third-party vendor from the suit and proceeded solely against White Castle.
• The central legal question the courts had to answer: does a new violation occur every time a fingerprint is scanned, or only the very first time? The answer determines whether White Castle owes billions or millions.

“White Castle did not seek her consent to acquire her fingerprint biometric data until 2018, more than a decade after the Act took effect.”

What BIPA Actually Says — And Why White Castle Ignored It

Illinois’s Biometric Information Privacy Act is one of the strongest biometric privacy laws in the United States. It requires companies to take specific, documented steps before touching a worker’s fingerprints, face scan, retinal data, or any other biological identifier.

• Section 15(b) of BIPA prohibits any private company from collecting, capturing, or obtaining a person’s biometric data unless it first: (1) gives written notice that biometric data is being collected; (2) explains in writing the specific purpose and length of time the data will be kept; and (3) gets a written release signed by the person.
• Section 15(d) is a separate requirement. Even after data is collected, a company cannot disclose, re-disclose, or otherwise share that biometric data with any third party without the person’s separate consent.
• A “biometric identifier” under BIPA explicitly includes fingerprints. “Biometric information” covers any data derived from those identifiers used to identify someone. White Castle’s system used both categories.
• BIPA creates a private right of action under section 20. A person harmed by any violation can sue directly. Statutory damages are $1,000 per negligent violation and $5,000 per intentional or reckless violation. These amounts do not require proof of actual monetary harm.
• White Castle’s system sent each fingerprint scan to a third-party vendor for verification before granting access. That transmission to an outside company triggered section 15(d) independently of section 15(b), meaning every single scan carried two categories of potential liability simultaneously.

White Castle’s Defense: “The First Scan Should Be the Only One That Counts”

White Castle’s legal team built its entire defense around one argument: the harm happens once, when a worker first loses control of their biometric data. Every scan after that is just using data the company already had. The court rejected this argument entirely.

• White Castle argued the phrase “unless it first” in BIPA section 15(b) means consent must happen before the very first collection, implying there is only one moment of legal obligation. The court found this reading wrong on its face: “unless it first” modifies the company’s obligation to get consent, not the number of times the collection can happen.
• White Castle claimed that verbs like “collect,” “capture,” and “obtain” in section 15(b) each describe gaining control of something, and you can only gain control of something once. The court disagreed: if you have to scan a fingerprint every time an employee uses the system, you are capturing that fingerprint every single time, not just the first time.
• For the section 15(d) disclosure argument, White Castle said “disclose” means a new revelation to someone who does not already have the information, so repeated transmissions to the same third-party vendor cannot count as new disclosures. The court found that section 15(d) also prohibits entities from “otherwise disseminating” biometric data, and a fingerprint exposed to a verification system on each access is disseminated on each access.
• White Castle cited earlier Illinois Supreme Court rulings holding that BIPA protects a “secrecy interest” — the right to keep your fingerprints private. It argued that once secrecy is lost, it cannot be lost again, so only one claim can exist. The court answered that the “injury” under BIPA is the statutory violation itself, not a separate, measurable invasion of secrecy that must be proven fresh each time.
• White Castle and over a dozen business lobby groups filed briefs warning the court that a per-scan ruling would result in “astronomical” and “annihilative” damages that the legislature never intended and that could be unconstitutional. The majority acknowledged the concern and deferred it entirely to the legislature.

What It Actually Feels Like to Have Your Body Logged Without Permission

Strip away the court filings and the billion-dollar damage estimates, and what you have is this: a fast food company decided it was easier to install a fingerprint scanner than to explain to its workers what they were signing up for. And then it kept doing that, every single day, for over a decade.

Latrina Cothron was a restaurant manager. She clocked in, she clocked out, she accessed her schedule, she pulled up her pay stub. Every single one of those actions required her to press her finger against a scanner. And every single time, her employer sent a copy of that scan to a company she had never heard of, Cross Match Technologies, without telling her. She had no idea this was happening. That is not a technicality. That is the entire point.

Your fingerprint is not recoverable. If a company leaks your email address, you change your email address. If a company leaks your social security number, that process is painful and slow but there is a number to change. If a company leaks your fingerprint, there is no equivalent. The Illinois legislature understood this and wrote it directly into the law: “Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse.” You carry that risk forever.

White Castle’s workers were not tech professionals who read privacy agreements before installing apps. They were restaurant workers, line cooks, shift managers making minimum wage or close to it, people who needed the job and therefore pressed their finger on the scanner because that was what the job required. There was no moment where someone handed them a form and said: here is what we are doing with your fingerprint, here is who we are sharing it with, here is how long we are keeping it, and here is how to say no if you want to. That moment never came. For ten years.

The dissenting justices argued repeatedly that no one’s data was actually breached. No identity theft occurred. No one’s fingerprint ended up for sale. This is presented as evidence that no real harm was done. But the harm BIPA was designed to address is not just the breach. The harm is the decision being taken away from you. The harm is a corporation deciding that the inconvenience of asking for your consent is not worth the time, while scanning your biological data hundreds of times. The law says you get to choose. White Castle decided that was optional.

Imagine you found out that your employer had been photographing your face every time you walked through the door for the past ten years, sending those photos to a company you had never consented to deal with, and storing them in a database without telling you where or for how long. That is not a hypothetical situation. That is precisely the factual template of this case, translated into fingerprints. The workers at White Castle did not know. They never had the chance to say no. The law exists specifically because that chance matters, and because the biological data on your body belongs to you.

“Once compromised, the individual has no recourse.” That sentence is in the law. White Castle scanned anyway.

Verbatim: What the Court Actually Said — In Their Own Words

These are direct quotes from the Illinois Supreme Court’s opinion in 2023 IL 128004. Nothing paraphrased. Nothing softened.

“White Castle estimates that if plaintiff is successful and allowed to bring her claims on behalf of as many as 9500 current and former White Castle employees, class-wide damages in her action may exceed $17 billion.” ¶ 40, Majority Opinion, Justice Rochford — 2023 IL 128004

• This figure comes from White Castle’s own estimate, not the plaintiff’s. The company that caused the violations calculated that its violations could cost it $17 billion. The court included that number in its opinion and still ruled against White Castle.
• The $17 billion figure is not a fine. It represents statutory damages at the BIPA rate of $1,000 to $5,000 per violation, multiplied across 9,500 workers and the total number of scans performed without consent over the compliance gap period.

“We have found, however, that the statutory language clearly supports plaintiff’s position. As the district court observed, this court has repeatedly held that, where statutory language is clear, it must be given effect, ‘even though the consequences may be harsh, unjust, absurd or unwise.'” ¶ 40, Majority Opinion — 2023 IL 128004 (quoting Peterson v. Wallach, 198 Ill. 2d 439, 447 (2002))

• The court is admitting in plain language that the result could be considered harsh, unjust, absurd, or unwise, and ruling that way anyway. This is the court applying the law as written, not as White Castle wished it had been written.
• This quote is significant because it directly answers the dissent’s argument that courts must avoid absurd outcomes. The majority says the outcome only seems absurd if you ignore what the legislature intended: maximum liability as the maximum deterrent.

“The purpose in doing so was to give private entities ‘the strongest possible incentive to conform to the law and prevent problems before they occur.’ As the Seventh Circuit noted, private entities would have ‘little incentive to course correct and comply if subsequent violations carry no legal consequences.'” ¶ 41, Majority Opinion — 2023 IL 128004 (quoting Rosenbach, 2019 IL 123186, ¶ 37 and Cothron, 20 F.4th at 1165)

• The court is explicitly stating that massive potential liability is a feature of BIPA, not a bug. The legislature designed it that way to force compliance. If the first violation is all that ever counts, companies have no financial reason to fix anything.
• This directly dismantles White Castle’s argument that the damages are disproportionate. The statute’s escalating, per-violation structure is the mechanism the legislature chose to protect workers.

“Plaintiff alleges that she scanned her finger each time she accessed a work computer and each time she accessed her weekly pay stub. Assuming plaintiff worked 5 days per week for 50 weeks per year and accessed the computer each day and her pay stub weekly, her total scans would exceed 1500 over a five-year limitations period, which may result in damages exceeding $7 million for this single employee despite the fact that plaintiff has not alleged a data breach or any costs or other damages associated with identity theft or compromised data.” ¶ 74, Justice Overstreet Dissent upon Denial of Rehearing — 2023 IL 128004

• The dissent is doing the math: one worker, normal working patterns, five years, $7 million. This is what the per-scan ruling means at the individual level. Multiply by 9,500 workers and the $17 billion estimate becomes concrete and comprehensible.
• The dissent’s argument here is that no data breach occurred and therefore the damages are wildly out of proportion. The majority’s counter is that BIPA’s entire design is to protect the right to consent, not only to compensate breach victims.

“In the more than 1700 cases filed since 2019, no case involved a plaintiff alleging that his or her biometric data has been subject to a data breach or led to identity theft. Thus, the potential astronomical damages awards under the majority’s construction of the Act would be grossly disproportionate to the alleged harm the Act seeks to redress.” ¶ 80, Justice Overstreet Dissent upon Denial of Rehearing — 2023 IL 128004

• The dissent acknowledges over 1,700 BIPA cases filed since 2019, none involving a documented data breach. This cuts both ways: it means workers were not harmed through data theft, but it also means companies were violating the consent law thousands of times and no one was stopping them.
• The dissent frames no breach as evidence of disproportionate punishment. The majority frames it as evidence that BIPA’s consent requirements are the protection, not the breach notification requirement.

“Cases alleging violations of the Act reportedly jumped 65% in Illinois circuit courts in the two months since this court’s ruling.” ¶ 77, Justice Overstreet Dissent upon Denial of Rehearing — 2023 IL 128004 (citing Bloomberg Law, May 2, 2023)

• This figure documents the immediate, measurable impact of the ruling. Other employers who had been quietly collecting biometric data without consent suddenly faced the same exposure White Castle did. The litigation surge shows how widespread the practice was.
• The dissent frames this as a negative consequence. The majority’s logic holds that it is exactly the intended consequence: every company that was ignoring BIPA now faces a reckoning.

“A trial court presiding over a class action would certainly possess the discretion to fashion a damage award that fairly compensated claiming class members and included an amount designed to deter future violations, without destroying defendant’s business.”

The Corporate Web: Who Had Your Fingerprint and Why

This Is Bigger Than One Burger Chain

Public Health

Biometric privacy is a public health issue. The body’s identifying markers, when collected and stored without consent, create risks that extend far beyond one employer’s database.

• Biometric data, once compromised in a breach, cannot be reset or replaced. Workers whose fingerprints were stored across White Castle’s systems and Cross Match Technologies’ authentication infrastructure had no way to revoke that data, no password to change, and no way to know if the data was later exposed in a third-party breach of either company’s systems.
• The dissent itself acknowledged that BIPA’s legislative findings state plainly: “Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse.” Workers in low-wage jobs, who cannot afford legal representation and who depend on the employer for income, are least equipped to discover or challenge a compromise of their biometric data.
• Workers were required to press their fingers against shared scanners as a condition of accessing their pay stubs and computers. The power imbalance between employer and employee made meaningful refusal effectively impossible, making the consent requirement not a formality but a structural safeguard against coercion.
• The dissent noted that over 1,700 BIPA cases filed since 2019 involved zero documented data breaches. This is not evidence that the risk is zero. It reflects that biometric data breaches are difficult to detect and that workers in this situation have limited means to trace identity theft back to a specific employer’s database.

Economic Inequality

The workers affected by White Castle’s decade of non-compliance are predominantly low-wage earners. The economic dynamics of this case reveal how companies in the service industry systematically externalize risk onto their most financially vulnerable employees.

• White Castle deployed fingerprint-scanning technology to control access to computers and pay stubs. This efficiency gain accrued to the company. The risk from storing and transmitting that biometric data without consent accrued to the workers. The workers received no compensation for that risk transfer.
• Workers who could not access their computers or pay stubs without scanning their fingerprints had no practical way to refuse. Refusing would mean not being able to do their job. The consent framework exists precisely because this kind of coercive dynamic makes “voluntary” collection meaningless without legal protection.
• White Castle estimated the class at up to 9,500 current and former employees. These are service industry workers, a population with high turnover, limited savings, and limited access to legal counsel. They were bearing biometric risk for over a decade with no knowledge of it, while White Castle used their biometrics to run its access control infrastructure.
• The dissent’s concern that the ruling could “destroy” White Castle’s business stands in contrast to the ten years those workers absorbed risk without any compensation, disclosure, or option to refuse. The economic framing in the dissent centers entirely on corporate survival, with no equivalent weight placed on the workers’ unconsented bearing of biometric risk.
• Companies that did comply with BIPA incurred costs for written notices, consent forms, and legal review. White Castle avoided those costs for a decade. The per-scan damages model is the mechanism by which non-compliant companies are prevented from profiting by undercutting compliant competitors on compliance costs.

White Castle’s Implicit Claims vs. What the Court Found

Putting the Numbers in Human Terms

Who to Watch, Who to Pressure, and What to Do

The Illinois Supreme Court did its job. Now the question is whether the legislature guts BIPA in response to corporate lobbying, and whether workers in every state with a biometric scanner in their workplace know they have rights.

Leadership and Entities Responsible

• White Castle System, Inc. (Defendant): The private, family-owned burger chain that ran an unconsented fingerprint collection program for over a decade. As a private company, White Castle does not have publicly traded stock, but it operates over 370 locations primarily in the Midwest and Southeast.
• Cross Match Technologies (Third-Party Vendor, dismissed): The company that received every fingerprint scan from White Castle’s workers without those workers’ knowledge or consent. Dismissed from this action by the plaintiff but not exonerated on the merits.
• Illinois General Assembly: The court explicitly called on the legislature to review and clarify BIPA’s damages provisions. Corporate lobby groups are already pushing for amendments to cap per-scan liability. Watch for bills that quietly defang the law.
• Business Lobby Coalition (Amici): The Illinois Chamber of Commerce, U.S. Chamber of Commerce, National Retail Federation, Restaurant Law Center, Illinois Manufacturers’ Association, National Association of Manufacturers, Illinois Health and Hospital Association, Illinois Retail Merchants Association, Chemical Industry Council of Illinois, Illinois Trucking Association, Mid-West Truckers Association, Chicagoland Chamber of Commerce, American Trucking Associations, and American Property Casualty Insurance Association all filed briefs supporting White Castle’s position. These organizations represent the industries fighting hardest to weaken BIPA.

Watchlist: Regulatory Bodies

• Illinois Attorney General’s Office: Primary state-level enforcer of Illinois privacy statutes. Workers experiencing BIPA violations can file complaints here.
• Federal Trade Commission (FTC): Has jurisdiction over unfair or deceptive practices involving consumer data. Biometric data collection without consent can fall within the FTC’s remit at the federal level.
• U.S. Department of Labor (DOL): Relevant to the extent that biometric timeclock systems, which were the specific mechanism at issue in related cases like BNSF, are used as wage and hour enforcement tools. Employer misuse of those systems implicates DOL’s oversight.
• National Labor Relations Board (NLRB): Surveillance technology deployed by employers, including biometric systems, is increasingly a subject of collective bargaining and NLRB policy. Workers have the right to organize against invasive employer surveillance.
• State Legislatures in All 50 States: Only Illinois (BIPA), Texas (CUBI), and Washington (H.B. 1493) have substantive biometric privacy laws. Every other state’s workers are currently unprotected. Track biometric privacy bill progress in your state.

What You Can Do

• Know your state’s law. If you work in Illinois and your employer uses a fingerprint scanner, timeclock, facial recognition, or retinal scanner without giving you written notice and a signed consent form, you have a legal right to sue under BIPA. Consult an employment attorney or contact the Illinois Attorney General.
• Demand consent documentation at your workplace. Ask your employer directly: what biometric data do you collect, who do you share it with, how long do you keep it, and where is my written consent form? Document the answer in writing.
• Support state-level BIPA expansion campaigns. Organizations like the Electronic Privacy Information Center (EPIC), Raise the Floor Alliance, and NELA/Illinois are actively working to extend biometric privacy protections. Their contact information is public. Show up to legislative hearings when BIPA amendments are on the agenda.
• Join or form a workplace privacy committee. If your workplace uses biometric technology, organize with your coworkers to collectively demand transparency, retention policies, and deletion timelines. Collective action is significantly harder for employers to ignore than individual complaints.
• Oppose any BIPA amendment that caps per-scan liability. The legislature is under pressure from the same lobby coalition that supported White Castle in this case. Any bill that converts per-scan damages into a one-time per-employee cap eliminates the deterrent. Contact your Illinois state representative and senator now if you are an Illinois resident.
• Support mutual aid funds for workers in ongoing BIPA litigation. Workers in active class actions often face years of waiting for resolution. Legal defense funds and worker centers in Illinois are supporting plaintiffs navigating this system. Find local Chicago-area worker centers through the Raise the Floor Alliance network.