Cothron v. White Castle

Whether a person can sue only for the first time their data is collected or disclosed without consent in violation of the Biometric Information Privacy Act ("BIPA").
  • EPIC Tells Court Not to Weaken Enforcement of Illinois Biometric Privacy Law: EPIC has filed an amicus brief in Cothron v. White Castle, a case about when violations of Illinois's Biometric Information Privacy Act ("BIPA") can be vindicated in court. Cothron alleges that White Castle collected and disclosed her fingerprints for a decade in violation of BIPA. White Castle is trying to scuttle the case, claiming that an individual is only able to sue the first time a company violates their BIPA rights because it is only then that an individual "loses control" of their biometric data and suffers a legal injury. White Castle argues that, even if the company continued to violate BIPA to this day, they shouldn't be held liable because the first violation was long enough ago that it falls outside the statute of limitations. But the Illinois Supreme Court held in Rosenbach v. Six Flags that every violation of BIPA confers the right to sue. The district court accordingly rejected White Castle's argument, but certified the question to a federal appeals court. EPIC filed an amicus brief in the appeals court and argued that White Castle's proposed rule would effectively "overrule the Illinois Supreme Court on a question of state law" by attempting "to import arguments about Article III standing into the BIPA statutory injury analysis." EPIC also argued that White Castle is "mistaken about the underlying purpose of BIPA" and that White Castle's rule "would in fact undermine BIPA’s purposes" because it "would remove the key incentive for companies who previously violated BIPA to come into compliance, adopt responsible biometric data practices, and seek informed consent." EPIC has filed amicus briefs in other BIPA cases, including Rosenbach v. Six Flags and Patel v. Facebook, and regularly participates as amicus in cases concerning the right to sue for privacy violations. (Jun. 7, 2021)
  • More top news »
  • EPIC to Maryland Legislators: Enact Biometric Privacy Law » (Jan. 27, 2021)

    EPIC Senior Counsel Jeramie Scott testified today to Senate and House Committees of the Maryland General Assembly in support of legislation protecting biometric information privacy. HB218 and SB16 are modeled after the Illinois Biometric Information Privacy Act (BIPA). Passed in 2008, BIPA has been referred to as one of the most effective and important privacy laws in America. "Unlike a password or account number, a person’s biometrics cannot be changed if they are compromised," EPIC told the Committees. EPIC stressed the importance of strong enforcement measures in privacy laws, particularly a private right of action. EPIC also submitted a recent case study on the Illinois law written by EPIC Advisory Board member Woody Hartzog. EPIC previously filed an amicus brief in Rosenbach v. Six Flags, where the Illinois Supreme Court unanimously decided that consumers can sue companies that violate the state's biometric privacy law. [Watch the hearing]


The Illinois Biometric Information Privacy Act was enacted to protect against unique risks involved in collecting, storing, using, and disclosing biometric data. The Illinois Supreme Court in Rosenbach v. Six Flags declared that individuals can sue whenever their BIPA rights are violated. But White Castle, which faces a class action lawsuit from longtime employees who allege that the company collected and disclosed their biometric data for over a decade without the BIPA-required consents, has turned to the U.S. Circuit Court for the Seventh Circuit to essentially overrule Rosenbach and instead limit BIPA suits to the first time an individual's biometrics are collected or disclosed without consent. This rule contradicts the very clear directives of the Illinois Supreme Court, purposely confuses a matter of state law (statutory injury) with a federal standard (Article III injury), and would let longtime BIPA offenders off the hook simply because they started (but didn't stop) violating the law years ago. The result would be a perverse incentive structure that would discourage companies from complying with BIPA if they violate the law once and institute the same penalties for companies that repeatedly violate the law and those that have a one-time lapse in compliance.


Factual Background

Latrina Cothron has worked as a manager at White Castle since 2004. About three years into her employment, White Castle required her to submit her fingerprint to access computers and her paystub at work. Cothron alleges that White Castle did not receive BIPA-required consent to collect or disclose her fingerprints at first because BIPA did not exist. BIPA was passed in 2008, but White Castle continued to collect and disclose Cothron's fingerprint without consent until October 2018, when the company finally provided the necessary disclosures and sought consent. Cothron filed a lawsuit against White Castle two months later in December 2018.

Legal Background

BIPA is an Illinois statute that protects against unlimited collection, retention, use, and disclosure of biometric information. Companies that wish to use biometrics must disclose the term and purpose for which they plan to collect, store, and use an individual's biometric data and obtain consent from the individual. Companies must also obtain consent to disclose biometrics it collects to a third party.

In Rosenbach v. Six Flags, the Illinois Supreme Court declared that individuals can sue whenever a company violates their BIPA rights—they need not allege any additional harm, like identity theft. Determining when and for what violations an individual can sue is thus simple: if the terms of the statute are violated, an individual has a legal claim and can sue.

Federal courts interpreting Spokeo v. Robins often use a different test to determine whether a federal court can hear a lawsuit under Article III of the constitution. Under this test, courts look beyond the plain language of the statute to the purposes underlying the statute to determine whether the law protects a concrete legal interest (and, sometimes, whether the specific violation actually caused harm to this legal interest).

The statute of limitations on a claim begin to run when an individual suffers a legal injury. Statutes of limitations are supposed to encourage those whose legal rights have been violated to bring claims while the factual record is most likely to be intact, and to prevent potential defendants from being dragged into court for stale allegations. The applicable statute of limitations for BIPA claims is currently being litigated in Illinois state court.

Procedural History

Cothron filed a lawsuit against White Castle in 2008. The case wound up in federal court. White Castle then filed a motion for judgment on the pleadings, arguing that individuals are only injured by a BIPA violation the first time a company collects or discloses their biometric data without consent. White Castle argued that the BIPA provisions protect individuals from "loss of control" of their biometric data. Because an individual "loses control" of their biometrics the first time they are collected or disclosed without consent, individuals can only sue for the first violation of BIPA. Because the first time White Castle violated BIPA was immediately after it was enacted in 2008, the statute of limitations has run, and Cothron (nor anyone else in her position) can sue for White Castle's violation of their BIPA rights—even though White Castle continued to collect and disclose their biometrics without consent for ten years after BIPA was passed.

The district court denied White Castle's motion. The district court read Rosenbach to recognize that an individual is injured anytime their BIPA rights are violated, and by the plain language of the statute White Castle is alleged to have collected and disclosed Cothron's fingerprints thousands of time in over a decade. The district court nevertheless certified the question to the U.S. District Court for the Seventh Circuit, which will now either hear the case or certify the question to the Illinois Supreme Court.

EPIC's Interest

EPIC has participated as amicus in several BIPA cases in the past, including Rosenbach v. Six Flags and Patel v. Facebook, both of which concerned when an individual can sue for violation of their BIPA rights. EPIC routinely participates as amicus in cases concerning the right to sue for violations of privacy statutes, such as Spokeo v. Robins, Gubala v. Time Warner, Attias v. Carefirst, Eichenberger v. ESPN, and Transunion v. Ramirez.

Legal Documents

U.S. Court of Appeals for the Seventh Circuit (No. 20-3202)

U.S. District Court for the Eastern District of Illinois (No. 19-CV-00382)

Share this page:

Defend Privacy. Support EPIC.
US Needs a Data Protection Agency
2020 Election Security