The Fight Over Standing Under the Biometric Information Privacy Act Continues in Illinois High Court
On November 20, 2018, the Illinois Supreme Court heard oral arguments in Rosenbach v. Six Flags Entertainment Corp. and Great America LLC to decide whether a technical violation of Illinois’ Biometric Information Privacy Act (BIPA), 740 ILCS 14 et seq., without some additional injury, is enough to give an individual standing to sue under the Act.
As explained in further detail here, BIPA establishes certain notice-and-consent requirements that private entities must follow if they are going to collect, store, and use biometric identifiers and information, such as fingerprints. BIPA also creates a private right of action for individuals who are “aggrieved” by a violation of the act. In recent years, there has been a huge upswing in the number of cases filed under BIPA. The main issue these cases encounter early on is whether a company’s mere technical violation of the notice-and-consent requirements is enough to make a plaintiff “aggrieved,” and therefore have standing to sue, or if additional injury is required.
Last year, the Second District decided in Rosenbach that a person is “aggrieved” only if he or she has alleged some actual injury or adverse effect resulting from the violation. A mere technical violation of BIPA’s notice-and-consent requirements, without more, is not enough to give an individual a right to sue. The plaintiff appealed this decision to the Illinois Supreme Court.
However, this fall, the First District appellate court in Illinois parted ways with Rosenbach, creating a definitive district split. The First District decided in Sekura v. Krishna Schaumburg Tan, Inc. that a violation of BIPA is enough to make an individual “aggrieved” and have statutory standing to sue, even if the individual has not alleged additional harm.
The recent Sekura decision played a significant role in the Rosenbach parties’ oral arguments before the Illinois Supreme Court on November 20. During arguments, Rosenbach’s counsel relied on the First District’s opinion that BIPA’s statutory language “does not state that a person aggrieved by a violation of this act—plus some additional harm—may sue.”
Rosenbach’s counsel also echoed the First District’s Sekura decision in arguing BIPA’s legislative intent supports a reading of the term “aggrieved” that requires nothing more than a violation of the Act. He argued the statute was enacted because “people were afraid of participating in biometrics collection because they didn’t know what would happen in the future and wouldn’t have control over their own biometrics. One of the problems with the Second District’s opinion is that it undermines this intent of empowering people to make their own decisions about what happens to their biometrics and whether to participate.”
The legislature could have written the statute differently, he argued, if it had intended “aggrieved” to require some additional harm.
For their part, Six Flags/Great America’s counsel was careful to remind the court of the narrow, certified questions before it: whether a person is “aggrieved” under the Act “when the only injury he alleges is a violation of Section 15(b) of the Act. That is the Act’s collection provision.” Six Flags/Great America’s counsel urged the court to find that “aggrieved by a violation” means a person has been “injured by a violation.”
Justice Thomas in particular was actively engaged during Six Flags/Great America’s argument, and appeared to share the Sekura court’s concern that waiting for actual harm to occur would be “too late.” “If we were to…agree with your position on this case,” Justice Thomas asked, “wouldn’t that remove the incentive and urgency for entities to secure data?”
Six Flags/Great America’s counsel answered no, because BIPA’s provision of liquidated damages and attorney’s fees provides incentives for private entities to comply with the Act. And, she argued, the harm need not be pecuniary; it can be severe emotional harm, which Rosenbach had not alleged. Six Flags/Great America distinguished their argument from the Sekura defendant’s, explaining “the [Sekura] court understood the argument that there needs to be some additional harm, there needs to be two kinds of harm. That’s not what we’re arguing at all. The argument is simply that there needs to be some harm in the first place.”
Six Flags/Great America’s counsel, like Rosenbach’s counsel, went back to the plain language of the statute to support their argument. “[The legislature] could have chosen any number of different formulations if they wanted to create a more expansive right. They could have said ‘Any person shall have a right of action.’ It would have been crystal clear. They could have said ‘Any person may pursue alleged violations of the act.’ That’s not what Section 20, the right of action, says.”
Six Flags/Great America’s counsel also argued the statute does not create a substantive right, contrasting it with another statute, the Right of Publicity Act, where the legislature explicitly created an individual right of publicity.
On rebuttal, Rosenbach’s counsel identified three types of harm flowing from the collection of an individual’s fingerprints without their consent: harm to their personal privacy interest, harm to their property right in their biometrics, and an informational injury that occurs “when the statute requires that somebody be provided information so they can make their own choice before something happens, and they’re deprived of that.”
These harms, he said, make someone “aggrieved” by a violation of BIPA’s collection provision. Additional injuries, such as data compromise, can be remedied through other statutes. “It doesn’t make any sense to say that ‘aggrieved’ means this statute or that statute can’t be enforced, when the defendant does exactly what is prohibited.”
The Illinois Supreme Court took the case under advisement, and will make a final decision at a later date. In the meantime, plaintiffs will likely continue to file BIPA lawsuits based solely on technical violations of the Act. As such, it is important that private entities who collect, store, and use biometric identifiers and information comply with BIPA’s notice-and-consent requirements so as to avoid exposure.