Popeyes dodges fingerprint lawsuit, but biometric clock-in risk remains

A Richton Park Popeyes thumbprint system became the latest reminder that a routine clock-in can turn into a privacy lawsuit. Brunettea Jones alleged that the restaurant used her fingerprint to clock in and out and to log into the point-of-sale system, putting Popeyes Louisiana Kitchen, Inc. in the middle of Illinois’ biometric privacy fight.

U.S. District Judge Edmond E. Chang dismissed the Popeyes claims without prejudice on March 26, 2026, in the Northern District of Illinois case Jones v. Popeyes Louisiana Kitchen, Inc. He also denied the defendants’ sanctions request, signaling that the court saw at least some legal basis for the claim. Jones was given until April 13, 2026, to file a second amended complaint, leaving the door open for the case to continue.

The dispute sits inside Illinois’ Biometric Information Privacy Act, which took effect on October 3, 2008. The law requires private companies to publish a written retention schedule and destruction guidelines for biometric data, then destroy biometric identifiers once the original purpose has been met or within three years of the person’s last interaction with the company, whichever comes first. The Illinois General Assembly said in the law’s findings that biometrics were spreading in business and security screening, with major corporations piloting fingerprint systems in Illinois locations such as grocery stores, gas stations and school cafeterias.

That history matters for restaurants because fingerprint clocks are common tools for tracking attendance and discouraging time theft. They also put hourly workers’ personal data into a compliance system many crews never see until something goes wrong. In a restaurant setting, that can affect line cooks, servers, bartenders, hosts and managers who swipe in every shift, especially in operations already juggling turnover, staffing shortages and pay disputes across front and back of house.

Illinois courts have made the risk even steeper. In Cothron v. White Castle System, Inc., the Illinois Supreme Court held on February 17, 2023, that each unlawful scan or transmission can create a separate BIPA claim. White Castle said the exposure in that case could have reached about $17 billion for roughly 9,500 employees, a figure that showed how quickly fingerprint time-clock cases can escalate.

Illinois later amended BIPA on August 2, 2024, limiting damages to a single recovery for repeated collection using the same method and recognizing electronic signatures for written releases. That change lowered some risk, but it did not erase the need for strong notice, consent, retention and destruction policies. Restaurants that treat biometric clocks like ordinary labor software can still find themselves defending a privacy case, as White Castle and Wendy’s have already learned. Wendy’s settled an Illinois employee fingerprint case for $18.2 million, underscoring that biometric timekeeping remains a real legal exposure, not a theoretical one.