BIPA ALERT: An Opening of the Litigation Floodgates?
No Actual Harm Necessary to Assert Biometric Privacy Claims in Illinois
Today the Illinois Supreme Court held that an individual does not need to allege actual harm in order to seek liquidated damages and injunctive relief under the Illinois Biometric Information Privacy Act (BIPA or the Act) 740 ILCS 14/1 et seq. In Rosenbach v. Six Flags Entertainment Corp., the Court unanimously found that a plaintiff need only allege a technical violation of BIPA in order to be sufficiently “aggrieved” under the Act. The Court’s holding today is likely to embolden potential plaintiffs and increase the already considerable number of BIPA-related cases throughout Illinois and the country.
The Rosenbach v. Six Flags Entertainment Corp. Decision
The plaintiff, Stacy Rosenbach, sued Six Flags Great America in January 2016, alleging that Six Flags violated BIPA when the theme park took her son’s thumbprint as part of the purchase of a season pass. The plaintiff did not allege that she or her son suffered any actual harm from Six Flags’ actions. Instead, the plaintiff sought monetary and injunctive relief based solely upon allegations of technical violations of BIPA. In turn, Six Flags sought to dismiss the complaint, arguing that the plaintiff must allege actual harm in order to be deemed “aggrieved by a violation” of BIPA, as required by the Act in order to state a private cause of action. See 740 ILCS 14/20.
The Illinois Supreme Court rejected defendants’ contention that “redress under the Act should be limited to those who can plead and prove that they sustained some actual injury or damage beyond infringement of the rights afforded them under the law.” In so ruling, the Court found that such an argument “would require that we disregard the commonly understood and accepted meaning of the term ‘aggrieved,’ depart from the plain and, we believe, unambiguous language of the law, read into the statute conditions or limitations the Legislature did not express, and interpret the law in a way that is inconsistent with the objectives and purposes the Legislature sought to achieve.” As a result, the Court determined that “an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act.”
BIPA’s Technical Requirements
The Rosenbach ruling places an increased emphasis on the technical requirements of BIPA. Notably, BIPA applies to biometric identifiers, such as fingerprints, voiceprints, retinal scans, and facial geometry, as well as other biometric information based on those identifiers to the extent used to identify an individual. 740 ILCS 14/10. BIPA places both restrictions and affirmative obligations on private entities related to biometric identifiers and biometric information, including the following:
- Private entities in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for destroying the information. 740 ILCS 14/15(a).
- Private entities which collect, capture, purchase, receive or otherwise obtain biometrics must inform the subject of that fact in writing, as well as the specific purpose and length of time for which the information will be retained, and obtain a written release executed by the subject. 740 ILCS 14/15(b).
- Private entities are prohibited from selling or disclosing biometric identifiers or biometric information. 740 ILCS 14/15(c) & (d).
The Illinois Supreme Court’s decision in Rosenbach now allows any individual who can allege a violation of these technical requirements to seek recovery of the greater of actual damages or statutory damages of $1,000 (for a negligent violation) or $5,000 (for an intentional or reckless violation). BIPA also provides for the recovery of plaintiffs’ attorneys’ fees and costs. 740 ILCS 14/20.
The Rosenbach Ruling’s Impact on Your Business.
The Rosenbach decision now eliminates what some courts, defendants, and commentators asserted was a prerequisite for any BIPA claim—an actual injury. The Illinois Supreme Court’s decision does not address other pertinent issues that relate to BIPA—namely, the extent to which an individual’s personal information may be defined as biometric identifiers or biometric information, the applicable statute of limitations, what constitutes sufficient disclosure and consent, what it means to “possess” or “obtain” biometric identifiers or biometric information, and whether BIPA applies to vendors who provide hardware or software services for biometrics.
Nevertheless, in light of the Rosenbach ruling, the number of BIPA lawsuits is only likely to increase, as more plaintiffs attempt to assert claims based purely on technical violations of the Act. Ultimately, this ruling underscores the need for a critical analysis of any business practice involving biometrics (including employee timekeeping, identification procedures or security protocols). The failure to fully comply with BIPA, even when such failure results in no actual injury to an individual, may now lead to significant liability.