Collecting Biometric Data Without Consent is Sufficient Harm to Base an Action
Illinois, the only state with a statute allowing private actions for unconsented collection of biometric readings, has made plaintiff recovery significantly easier, and defending such cases significantly harder.
On January 25, 2019, the Illinois Supreme Court found that where a plaintiff shows evidence of a violation of biometric privacy, the plaintiff need not show special harm to hold the defendant legally accountable. This decision makes compliance with Illinois’s Biometric Information Privacy Act (“BIPA”) all the more important to reduce exposure to litigation.
In 2008, Illinois was the first state to enact a specific biometric privacy law when it enacted BIPA to address the emergence of biometric identification technology, such as retina scans, fingerprint identification and facial recognition technology. Under BIPA, individuals have a private right of action to sue. While BIPA litigation is not new (now over 10 years since the law’s enactment), we will likely see more lawsuits alleging BIPA violations in the wake of this decision.
BIPA requires Illinois businesses that use biometric identifiers and information to inform the subject in writing that a biometric identifier or information is being collected or stored, along with the purpose and length of time for which it is being collected or stored. Regulated businesses must also obtain a written release from the subject.
Non-compliance comes with significant penalties, which vary based on the nature of the violation. For negligent violations, private entities may be liable for $1,000 per violation or the amount of actual damages, whichever is greater. And for willful or reckless violations, penalties may be up to $5,000 per violation or actual damages. Private entities may also liable for reasonable attorneys’ fees, costs and experts’ fees.
In Rosenbach v. Six Flags Entertainment Corporation, the mother of a fourteen-year-old boy sued Six Flags Entertainment Corporation under BIPA. The plaintiff claimed that her son’s fingerprint was obtained by Six Flags in violation of BIPA, and specifically without written consent and proper disclosure of Six Flag’s business practices relating to the collection, use, and retention of the fingerprint data.
The plaintiff identified three types of harm flowing from the collection of an individual’s fingerprints without their consent: harm to their personal privacy interest, harm to their property right in their biometrics, and an informational injury from being deprived of the opportunity to make an informed decision. The Illinois Supreme Court unanimously found such injuries to be both “real and significant.” As a result, to have standing in a BIPA private right of action case, a plaintiff does not need to have sustained actual damage beyond violation of his or her rights under BIPA. Further, the court did not show sympathy to businesses and their compliance efforts, stating “[c]ompliance should not be difficult; whatever expenses a business might incur to meet the law’s requirements are likely to be insignificant compared to the substantial and irreversible harm that could result if biometric identifiers and information are not properly safeguarded.”