Biometrics & Privacy; Don’t Fall Foul of the Law

The US has some of the strictest privacy laws. Organizations that breach them do so at their peril – often at great cost.

A bad taste

When personal data is collected by a business, the general consensus is that it needs to be for reasonable and legitimate reasons. But it’s not always as straightforward as that, as one Illinois food outlet chain discovered. Illinois has some of the toughest privacy laws in the country and is the only state which allows people to sue organizations for the improper collection of biometric data. Only Texas, Washington State and New York City also have biometric-specific laws – but not with the same reach.
White Castle, a burger chain, had been using finger scans to track employee clock-in and clock-out times. Biometric measures, like finger scans or facial recognition software, provide incontrovertible evidence when monitoring all aspects of access control.


However, White Castle fell foul of the Illinois Supreme Court in February 2023. The court ruled that every time an individual’s biometric data was collected, the Biometric Information Privacy Act (BIPA) was violated. The burger chain is looking at a penalty of up to $17bn in potential damages.

The implications for other businesses are worrying. So, what happens from here? The high court indicated that the Illinois General Assembly should consider the issue and explore changes to the system.

White Castle follows several high-profile cases relating to facial recognition in Illinois in 2022. These include Samsara Inc, which developed a dashboard camera to extract biometric images of drivers’ faces to monitor them for potential fatigue and distractions. The Illinois courts also had to consider class actions against several higher education institutions and a software company, Respondus, which used webcams to capture students’ biometric data. 


The White Castle case will impact other organizations using biometrics in Illinois. Mindful of potential far-reaching repercussions, several business groups filed ‘friend of the court’ briefs supporting White Castle – which maintains that employees need only be asked once for permission to collect biometric data, rather than every time. Business groups, in conjunction with other professional bodies, want to see changes to BIPA, including:

– Proof that genuine harm has been caused by the data collection before a fine is imposed

– Reversing a recent court decision that determined every instance in one organization, or relating to one complainant, be treated as a separate violation

– The ability for businesses to address issues where there has been no harm under the premise of ‘notice and cure’

The groups also argue that businesses should be allowed to use biometrics for a range of human resources-related functions.


It is highly unlikely that White Castle’s experience will be a one-off. Other businesses in Illinois will need to prepare themselves for possible litigation.

But the effect reaches further afield. Businesses outside Illinois that use biometric data may not have to face legal proceedings and potentially crippling fines, but they may face other problematic issues around trust – with employees, customers and visitors.

The collection of biometric data divides opinion. Some take the ‘can’t see what harm it does if you’ve done nothing wrong’ view, while others feel it violates individuals’ privacy.

Businesses must convince employees and others (customers, site visitors, etc.) that they are collecting biometric data:

– For appropriate and justified reasons

– Responsibly, and storing it securely

– Retaining it only for an appropriate length of time

– Complying with all state and federal regulations in the process

Getting it right – with expert advice and support

GT Clocks is an industry leader in human capital management (HCM) solutions, serving states throughout the US. Continuous innovation sees the organization stay ahead of the curve with technological advances that not only streamline processes but maintain stringent compliance.

When Personally Identifiable Information (PII) is collected by a business, it needs to be subject to robust encryption right from the get-go. Through GT Connect, GT Clocks ensures that all ‘people data’ is secure from the moment it is collected right through to the time it is erased.

Every eventuality has been anticipated to provide complete compliance with legislation, so C-suites can put total trust in their systems.

And for those who are concerned about the use of facial recognition or other biometric measures, it’s important to highlight the benefits of such measures. With security so highly prized, tightly controlled access provides everyone with a greater sense of safety.

What people need to know is that only essential data is collected, that it remains secure and that it can be erased when requested. These steps, while sounding simple, require systems that can ensure the required level of compliance without adding significantly to the workload of administrators. That’s where GT Clocks, alongside GT Connect, offers seamless peace of mind.

Sharing Your Duty

GT Clocks can alleviate some of the burden of data management and security by providing solutions that strictly adhere to the relevant legislation in your locality. Our teams are well-versed in compliance and will recommend systems that ensure you don’t fall foul of costly lawsuits. Get in touch to find out more.