Each time Latrina Cothron, a manager at a local White Castle restaurant near Chicago, Illinois, wanted to access workplace computers or see her pay stubs, she had to provide her fingerprint. She sued her employer, alleging that the company had violated her rights under the Illinois Biometric Information Privacy Act by collecting her biometric data without her permission. 

Now White Castle could be on the hook for upward of $17 billion. 

On February 17, the Illinois Supreme Court made a decision on Cothron’s case that sent the state’s business community reeling. According to the court, every time a company collects an individual’s biometric data without getting informed written consent, it counts as a separate BIPA violation with potential damages from $1,000 to $5,000. In the past, courts interpreted the law to mean one violation per person. Now, if an employee uses their fingerprint to sign into work, or every time they clock in and out for shifts or breaks, the number of infractions rack up quickly, and so does the amount of money to be paid out in damages. 

“So now six times a day, 340 days a year for five years, one person is potentially a $1 million risk,” said Jason Stiehl, an attorney who works on litigation, technology and brand protection for Crowell & Moring LLP in Chicago.