Biometric data privacy allegations are getting intense. Just ask White Castle and Amazon

Two new proposed take-downs of the most prominent state-level biometric privacy law in the United States have been launched.

The law is Illinois’ Biometric Information Privacy Act, and the aggrieved parties are regional hamburger chain White Castle and the increasingly testy Amazon Web Services.

Lawyers for White Castle went before the Illinois Supreme Court this week to argue that if each use of biometrics constitutes a separate violation of BIPA, businesses could be driven to bankruptcy because the law allows damages of $1,000 to $5,000 per violation.

White Castle has used fingerprint biometric systems to verify clock-in and -out of hourly employees, including long-time employee and Illinois resident Latrina Cothron.

Cothron sued in 2019 because, contrary to BIPA provisions, the chain did not get her explicit consent to collect her biometric identifiers. The law had been in effect since 2008. White Castle argues that the allegation describes only one “injury” under the law, when Cothron’s biometrics were initially collected, stored and used.

Privacy advocates say the punishment fits the offense because unlike every other kind of identifier, biometrics are forever unique and cannot be changed if they are stolen and misused. Theft could be a major, lifelong problem.

Analyzing the stakes, legal news publisher Law360 says employers have basic questions about the law. Do they have to get express consent each time they require a biometric identifier and share it with an algorithm provider?

According to White Castle, accruing penalties is wrong because employees can refuse to comply, “and that power can be lost only once.”

While that plays out, Amazon Web Services has moved to dismiss and strike a plaintiff’s class action, which its lawyers say is a “brazen attempt” to expand liabilities under BIPA, according to trade publication Law Street.

Amazon allegedly collects biometric data from users of the company’s facial recognition service, Rekognition.

Filed in the last year, this case involves a student using ProctorU, software that monitors remote test takers for suspicious behaviors. Plaintiff Jacinda Dorian claims that her uploaded image ultimately was stored in Amazon Web Services’ servers without her consent.

Amazon all but labels Dorian a gold digger, for suing moneyed Amazon and not her university, which required her to biometrically register. (ProctorU was sued separately in 2021 for biometrics violation after its databases were breached.)

And it goes farther, citing the Dormant Commerce Clause of the U.S. Constitution, which, according to Law Street, would not allow legal action based on Amazon’s “wholly out-of-state conduct.”

Article Topics

Amazon  |  biometric data  |  biometric identifiers  |  biometrics  |  BIPA  |  data privacy  |  data protection  |  lawsuits  |  remote proctoring  |  time and attendance