Illinois Supreme Court Sheds Light on the Importance of Strict Compliance with State’s Biometric Information Privacy Act

On January 25, 2019, in Rosenbach v. Six Flags Entm’t Corp., the Illinois Supreme Court held that an individual is an “aggrieved” party under the Illinois Biometric Information Privacy Act (“BIPA”) and may seek damages absent an allegation of harm beyond a violation of the rights conferred by the statute.

The BIPA

In 2008, Illinois passed the BIPA in order to regulate “the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.”  The BIPA imposes several obligations on entities collecting, retaining, and disclosing biometric data, including the obligation to (1) inform the individual or the individual’s representative in writing that biometric data is being collected or stored, (2) inform the individual or the individual’s representative in writing of the purpose and length of term for which the biometric data is being collected, stored, and used, and (3) receive a written release executed by the subject of the biometric data.  As part of the BIPA’s enforcement mechanism, “aggrieved” parties are granted a private right of action.

The Rosenbach Decision

In Rosenbach, the plaintiff filed a class action complaint against Six Flags Entertainment Corporation (“Six Flags”) asserting violations of the BIPA.  The complaint alleged that in 2014, the plaintiff went online to purchase her 14-year-old son a Six Flags season pass.  The plaintiff paid for the pass online, but her son was required to complete the sign-up process in person.  During a school trip to Six Flags, the plaintiff’s son completed the sign-up process by scanning his thumb into Six Flags’ biometric data capture system and obtaining a pass card; the thumbprint and the card, when used together, permitted reentry.

Among other things, the complaint alleged that Six Flags violated the BIPA because (1) the plaintiff was never notified that her son’s fingerprint would be scanned when he completed his sign-up in person, (2) neither the plaintiff nor her son was informed in writing (or in any other way) of the purpose or length of term for which the fingerprint was collected, and (3) neither the plaintiff nor her son signed a written release.

Six Flags sought to dismiss the action by arguing that in order to bring a claim as an “aggrieved” party under the statute, the plaintiff was required to allege an actual injury or harm apart from the statutory violation.  The appellate court agreed with Six Flags and held that “a plaintiff who alleges only a technical violation of the statute without alleging some injury or adverse effect is not an aggrieved person[.]”

On appeal, the Illinois Supreme Court unanimously reversed the appellate court’s decision, finding that the term “aggrieved” does not require an allegation of harm beyond a violation of the rights conferred by the BIPA.  In reaching its conclusion, the court stated that although the term “aggrieved” is not defined in the BIPA, the understanding of aggrieved—that “‘[a] person is prejudiced or aggrieved, in the legal sense, when a legal right is invaded by the act complained of or his pecuniary interest is directly affected by the decree or judgment[]’”—was embedded in Illinois jurisprudence when the BIPA was adopted and that the court “must presume that the legislature was aware of that precedent . . . .”  Additionally, the court highlighted the fact that a requirement of actual harm has been specifically identified in some statutory schemes but not in others, which led the court to further conclude that if lawmakers intended the BIPA to require an allegation of actual harm, the statute would have explicitly said so.  To illustrate this point, the court likened the BIPA to the AIDS Confidentiality Act, which authorizes relief to “aggrieved” parties and does not require proof of actual damages.  In contrast, the court referenced the Illinois Consumer Fraud and Deceptive Business Practices Act, which permits a private right of action only when the plaintiff alleges “actual” damages.

The court further reasoned that a party need not allege a harm beyond a statutory violation because when an entity violates the BIPA, “the right of the individual to maintain [his or] her biometric privacy vanishes into thin air . . .” and constitutes an injury that is “real and significant.”

Takeaways

The BIPA is already a hotly litigated statute; however, the Rosenbach decision will likely lead to a significant uptick in BIPA claims.  In light of the availability of the greater of actual damages or statutory damages ranging from $1,000 to $5,000 per violation, companies subject to the BIPA must now, more than ever, ensure strict compliance with the law.

About Cyber Law Monitor
In the new digital world, individuals and businesses are almost entirely dependent on computer technology and electronic communications to function on a daily basis. Although the power of modern technology is a source of opportunity and inspiration, it also poses huge challenges, from protecting privacy and securing proprietary data to adhering to fast-changing statutory and regulatory requirements. The Cyber Law Monitor blog covers privacy, data security, technology, and cyberspace. It tracks major legal and policy developments and provides analysis of current events.