Illinois Supreme Court Declares “Aggrieved” Under BIPA Includes Those with No Injury
As we previously reported, since 2017 employees have filed dozens of employment class actions claiming violations of Illinois’ 2008 Biometric Information Privacy Act (“BIPA”). In short, BIPA protects the privacy rights of employees, customers, and others in Illinois against the improper collection, usage, storage, transmission, and destruction of biometric information, including biometric identifiers, such as retina or iris scans, fingerprints, voiceprints, and scans of face or hand geometry. Before collecting such biometric information, BIPA requires an entity to: (1) provide written notice to each individual of the collection; (2) obtain a signed release from each individual for the collection of biometric data; and (3) make available a policy that contains a retention schedule and guidelines for the permanent destruction of the biometric data.
One of the unresolved legal issues was whether an entity’s failure to comply with BIPA’s requirements, absent an actual injury, was sufficient to sustain a claim under that law. On January 25, 2019, the Illinois Supreme Court weighed in on this issue in Rosenbach v. Six Flags Entertainment Corp., holding that mere collection of an individual’s biometric information may be enough to state a claim under BIPA.
In Rosenbach, a parent sued on behalf of her child after he was fingerprinted entering a Six Flags theme park. Neither the parent nor the child signed a release, Six Flags did not provide a written notice provided to the child or the parent, and Six Flags did not have a publicly available policy regarding the retention or destruction of the biometric information. Nonetheless, there have been no known data breaches on Six Flags systems, and the complaint did not allege any other harm to the parent or her son.
The Illinois Supreme Court found that the legislative intent behind BIPA dictated that a technical violation of the law, such as failure to provide notice or obtain a release, is sufficient to state a claim under the Act. Under BIPA, an “aggrieved” party is similar to the concept of the injury-in-fact requirement for standing in federal court. There, the Court found that the “injury is real and significant.”
In light of the Rosenbach decision, it is even more important that employers with operations in Illinois consider taking the following action:
(1) First, determine if your company collects, uses, stores, or transmits any employee’s (or other individual’s) biometric information or identifiers that may be covered by BIPA (e.g., using fingerprint recognition technology for time keeping purposes or to access a company-issued property or devices).
(2) If your company does collect, use, store, or transmit biometric data/identifiers, you should:
(a) develop or review existing, written policies concerning the collection, storage, use, transmission, and destruction of that information, consistent with industry standards;
(b) implement policies concerning proper notice to employees (and other affected individuals) about the company’s use, storage, etc., of such data and obtain written and signed consent forms from all affected persons; and
(c) establish practices to protect individuals’ privacy against improper disclosure of biometric data/identifiers, using the methods and standard of care that they would apply to other material deemed confidential and sensitive.
Importantly, providing proper notice includes identifying the specific reason for the collection, storage, and use of the biometric data, as well as how long the employer will use or retain such data. 740 Ill. Comp. Stat. 14/15(a), (b); 14/10.