Biometrics & Privacy; Don’t Fall Foul of the Law

The US has some of the strictest privacy laws. Organisations who breach them do so at their peril – often at great cost.

Paul Smith

Head of Quality & Compliance


A bad taste for White Castle

When personal data is collected by a business, the general consensus is that it needs to be for reasonable and legitimate reasons. But it’s not always as straightforward as that, as one Illinois food outlet chain discovered. Illinois has some of the toughest privacy laws in the country and is the only state that allows people to sue organizations for the improper collection of biometric data. Only Texas, Washington State, and New York City also have biometric-specific laws – but not with the same reach.

White Castle, a burger chain, had been using finger scans to track employee clock-in and clock-out times. Biometric measures, like finger scans or facial recognition software, provide incontrovertible evidence when monitoring all aspects of access control.


However, in February 2023 the Illinois Supreme Court ruled against White Castle. The court determined that each collection of an individual’s biometric data constituted a separate violation of the Biometric Information Privacy Act (BIPA), so every scan counted as a new violation. The popular burger chain now faces potential damages of up to $17 billion.

The repercussions for other businesses are concerning. So, what comes next? The high court has suggested that the Illinois General Assembly address the matter and explore potential changes to the current system.

White Castle’s situation adds to a series of notable cases related to facial recognition in Illinois in 2022. These cases involve Samsara Inc., which developed a dashboard camera to extract biometric images of drivers’ faces for monitoring potential fatigue and distractions. The Illinois courts also dealt with class actions against various higher education institutions and a software company, Respondus, which utilized webcams to capture students’ biometric data.


The White Castle case is poised to broadly impact other organizations utilizing biometrics in Illinois. Recognizing the potential wide-ranging consequences, various business groups have submitted ‘friends of the court’ briefs in support of White Castle. The stance maintained by White Castle, advocating that employees should grant permission for biometric data collection only once rather than each time, has gained backing from these business groups.

These groups, collaborating with other professional bodies, are advocating for changes to the Biometric Information Privacy Act (BIPA). Their proposed amendments include:

  • Establishing proof of genuine harm caused by data collection before imposing fines.
  • Reversing a recent court decision that treats each instance within one organization or related to one complainant as a separate violation.
  • Granting businesses the ability to address issues where no harm has occurred under the premise of ‘notice and cure.’

Furthermore, the group contends that businesses should be permitted to use biometrics for a variety of human resources-related functions.


White Castle’s experience is unlikely to be an isolated incident. Other businesses in Illinois should brace themselves for potential legal challenges.

However, the impact extends beyond the borders of Illinois. Businesses outside the state utilizing biometric data may not be subject to legal proceedings and significant fines, but they could face challenges related to trust—among employees, customers, and visitors.

The collection of biometric data sparks varying opinions. Some adopt a ‘can’t see what harm it does if you’ve done nothing wrong’ perspective, while others believe it infringes upon individuals’ privacy.

To navigate these complexities, businesses must assure employees and others (customers, site visitors, etc.) that any biometric data they collect is:

  • Collected for legitimate and justified reasons.
  • Stored responsibly and securely.
  • Retained only for an appropriate duration.
  • Handled in compliance with all relevant state and federal regulations throughout the process.

Getting it right – with expert advice and support

GT Clocks stands as a leading force in Human Capital Management (HCM) solutions, catering to states across the United States. The company’s commitment to continuous innovation positions it at the forefront of technological advancements, streamlining processes while upholding rigorous compliance standards.

In the realm of Personally Identifiable Information (PII) collection, robust encryption is paramount from the outset. Through the sophisticated GT Connect platform, GT Clocks guarantees the security of all ‘people data’ from the moment of collection until its eventual erasure.

Every conceivable detail has been considered to ensure full compliance with legislation, providing C-Suites the confidence to place unwavering trust in their systems.

For those expressing concerns about facial recognition or other biometric measures, it’s crucial to underscore the advantages of such measures. In a landscape where security is highly valued, tightly controlled access fosters a heightened sense of safety for everyone involved.

Individuals need to understand that only essential data is collected, remains secure, and can be erased upon request. While these steps may sound simple, implementing systems that guarantee the requisite level of compliance without unduly burdening administrators is no small feat. This is where GT Clocks, in tandem with GT Connect, delivers seamless peace of mind.

Sharing Your Duty

GT Clocks is poised to ease the challenges associated with data management and security by offering solutions that strictly adhere to the pertinent legislation in your area. Our teams possess a deep understanding of compliance requirements and will suggest systems that safeguard you from potentially expensive legal complications. Contact us to learn more about how we can assist you.