August 12, 2020

Volume X, Number 225

August 11, 2020

Subscribe to Latest Legal News and Analysis

August 10, 2020

Subscribe to Latest Legal News and Analysis

Illinois Supreme Court: No 'Actual Harm' Required for Biometric Information Privacy Act Claims

The Illinois Supreme Court held on January 25, 2019, that plaintiffs filing suit under the Biometric Information Privacy Act—which regulates how private entities disclose and discard biometric identifiers—do not need actual damages for standing. The decision has serious implications for companies collecting biometric data from Illinois residents.

The Act provides a private right of action to individuals "aggrieved" by any violation, allowing them to seek, among other remedies, liquidated or actual damages, attorneys' fees, and costs. However, there has been widespread uncertainty as to whether an aggrieved individual asserting a private action under the Act needed to show that he or she suffered an actual injury as a result of an alleged violation, or if a violation of the Act in and of itself conveys standing.

In Rosenbach v. Six Flags Entertainment, Corp., et al., the mother of the 14-year-old plaintiff purchased a season pass to the Six Flags amusement park for her son online. Unknown to the plaintiff's mother at the time, to activate the pass, her son had to visit the park in person and provide Six Flags a scan of his thumbprint. His thumbprint and the pass, together, allowed him expedited access within the park.

When the plaintiff's mother learned that Six Flags had scanned her son's thumbprint, she brought suit, acting on his behalf, alleging—among other things—that Six Flags had violated the Act by collecting and storing biometric data without her consent, failing to inform her of the specific purposes and intended uses of the biometric data, and not getting a written release before obtaining it.

Six Flags moved to dismiss the plaintiff's claims, arguing, in part, that the plaintiff—who did not allege an actual or threatened injury resulting from the violation—lacked standing. Although the trial court initially denied Six Flags' motion, the Illinois Court of Appeals agreed with Six Flags: a "technical violation of the Act" was not enough to confer standing; the aggrieved party must, at a minimum, allege that the violation caused plaintiff to suffer an actual injury or adverse effect.

However, the Illinois Supreme Court issued a ruling overturning the appellate court's decision, holding that "a person need not have sustained actual damage beyond violation of his or her rights under the Act in order to bring an action under it." The court's ruling was driven by the state legislature's stated assessment of the risks posed by collecting biometric data and the difficulty remedying data breaches once they occur. A violation of the Act, therefore, was "no mere 'technicality,'" as posited by the lower court, but rather resulted in "real and significant" injuries to the aggrieved party.

The court's ruling may open the door to many more legal challenges that businesses that collect such data have so far resisted. Indeed, the Act already serves as the basis for claims in federal lawsuits around the country. This recent holding will ensure that plaintiffs in those and forthcoming lawsuits can establish standing with mere technical violations.

Copyright © by Ballard Spahr LLPNational Law Review, Volume IX, Number 28


About this Author

Philip Yannella, Ballard Spahr Law Firm, Philadelphia, Data Security Attorney

As Co-Practice Leader of Ballard’s Privacy and Data Security Group, and Practice Leader of the firm’s E-Discovery and Data Management Group, Philip N. Yannella provides clients with 360-degree advice on the transfer, storage, and use of digital information.

Mr. Yannella regularly advises clients on the Stored Communications Act (SCA), Computer Fraud and Abuse Act (CFAA), EU-US Privacy Shield, General Data Protection Regulation (GDPR), Defense of Trade Secrets Act, PCI-DSS, Telephone Consumer Protection Act (TCPA), New York Department of...

Gregory Szewczyk, Ballard Spahr Law Firm, Denver, Privacy and Litigation Attorney

Greg Szewczyk is a litigator with experience serving as a member of several trial and arbitration teams. His responsibilities include examining witnesses at trial; drafting opening and closing presentations; drafting dispositive, discovery and pretrial motions, as well as appellate briefs; taking and defending depositions; arguing evidentiary and procedural issues; preparing witnesses for testimony; and drafting scripts for direct and cross-examinations. He is also a member of the Denver office’s cybersecurity practice group.

J. Matthew Thornton Cybersecurity Lawyer Ballard

J. Matthew Thornton is an associate in the Litigation Group and a former summer associate at the firm. Matt's practice focuses on commercial litigation, including individual actions and class action defense, as well as privacy and cybersecurity matters. Matt has experience propounding and responding to discovery requests, defending discovery motions, handling third party discovery disputes, arguing substantive motions in court, preparing witnesses to give testimony, defending depositions, negotiating settlements, spearheading mediation, briefing dispositive motions, and...