December 9, 2018

December 07, 2018

Subscribe to Latest Legal News and Analysis

Illinois Supreme Court to Decide Statutory Standing Requirements Under the Illinois Biometric Information Privacy Act

On November 20, 2018, the Illinois Supreme Court heard oral arguments in Rosenbach v. Six Flags Entertainment Corporation et al., a case arising under the Illinois Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (“BIPA”).  BIPA provides a private right of action for persons “aggrieved by a violation of [the] Act.”  The crux of the issue presented to the Illinois Supreme Court is the meaning of “aggrieved by” under BIPA–in other words, what harm is sufficient to satisfy statutory standing requirements underlying BIPA’s private right of action?

Stacy Rosenbach purchased a Six Flags season pass online for her minor son to use during a school field trip to the amusement park.  Upon arriving at the amusement park, her son’s thumbprint was scanned and stored as part of the season pass redemption process.  Rosenbach argues that Six Flags’ actions violated Section 15(b) of BIPA, which requires private entities to (i) inform individuals that “a biometric identifier or biometric information is being collected or stored,” (ii) inform individuals of “the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used,” and (iii) receive “a written release” from the individual whose biometrics are collected.

Six Flags does not dispute the facts underlying Rosenbach’s claim.  Rather, it argues that Rosenbach does not meet the statutorily mandated “aggrieved by” standard to bring an action under BIPA, because neither she nor her son suffered injury from Six Flags’ actions.  The Illinois Supreme Court will be reviewing the Second District’s ruling in favor of Six Flags, which stated that BIPA’s “aggrieved by” standard requires allegations of “some actual harm.”  Rosenbach, 2017 IL App (2d) 170317, ¶ 1.

The oral arguments focused on the meaning of the term “aggrieved” and defining what constitutes “harm” under BIPA.  Both parties made arguments invoking legislative intent and statutory interpretation.  Rosenbach argued that violation of BIPA itself satisfied statutory standing requirements.  In contrast, Six Flags urged the court to understand the term “aggrieved” as requiring an independent question about harm to be answered subsequent to establishing a violation of BIPA.  The court questioned Rosenbach on identifying the legal right she was asserting within BIPA’s statutory language, while Six Flags was questioned about the available remedies for parties alleging violations of BIPA in the absence of harm.

In addition to resolving the dispute presented in Rosenbach, the case presents the Illinois Supreme Court with the opportunity to resolve an inter-district split that arose with the Illinois First District’s September decision in Sekura v. Krishna Schaumburg Tan, Inc., 2018 IL App (1st) 180175.  In Sekura, the First District ruled that BIPA does not require actual harm–instead, violation of the Act itself sufficiently confers a plaintiff with the right to sue because BIPA creates and protects an individual’s legal right to privacy in personal, biometric data.  A Petition for Leave to Appeal was recently filed in Sekura, so if the court chooses to rule narrowly in Rosenbach, it may yet have an opportunity to address the sufficiency of harm needed to bring suit under BIPA in the future.

Although Washington and Texas have also enacted biometric privacy legislation, Illinois is the only state that provides a private right of action.  BIPA litigation has increased steadily over the past three years, so much so that the Illinois legislature is considering amending the Act.  For all of these reasons, the Illinois Supreme Court’s Rosenbach decision will be one to watch.  A decision in this case is expected in early 2019.

© 2018 Covington & Burling LLP

TRENDING LEGAL ANALYSIS


About this Author

Repeatedly ranked as having one of the best privacy practices in the world, Covington combines exceptional substantive expertise with an unrivaled understanding of the IT industry, and of e-commerce and digital media business models in particular.  Our practice provides exceptional coverage of all of the substantive areas of privacy, including IT/technology, data security, financial privacy, health privacy, employment privacy, litigation and transactions.  One of our core strengths is the ability to advise clients on relevant privacy and data security rules worldwide,...

202.662.5519