Individuals Need Not Allege Actual Injury to Sue for Damages Under the Illinois Biometric Information Privacy Act
On January 25, 2019, a unanimous Illinois Supreme Court held that, under that state’s Biometric Information Privacy Act (BIPA), a person need not suffer actual injury or adverse effect in order to bring suit under the statute. In its decision in Rosenbach v. Six Flags Entertainment Corp., the Court determined that a minor child whose thumbprint was scanned as part of an amusement park’s season pass-holder program, allegedly without proper notice or consent, was an “aggrieved person” who could maintain a claim under BIPA.
BIPA imposes restrictions on how private entities collect, retain, disclose and destroy biometric identifiers, including fingerprints and other biometric information. An entity may not collect or otherwise obtain a person’s biometric identifier or information unless it: (1) informs the subject (or their legally authorized representative), in writing, that such information is being collected or stored; (2) informs the subject or their representative, in writing, of the specific purpose and length of term for which the biometric information is being collected, stored, and used; and (3) receives a written release executed by the subject or authorized representative. BIPA—the country’s only biometric privacy law with a private right of action—allows any person “aggrieved” by a violation of its provisions to bring an action against an “offending party” and to recover, for each violation, liquidated damages of $1,000 or actual damages (if greater), reasonable attorneys’ fees and costs, and any other relief that the court deems appropriate.
This lawsuit was brought by a mother on behalf of her 14-year-old son, who had visited a Six Flags amusement park on a school field trip. In anticipation of that visit, the mother had purchased a season pass online, but the son had to complete the sign-up process in person at the park. The son went to a security checkpoint where he was asked to scan his thumb into the company’s biometric data capture system. He was then provided a season pass card. The card and his thumbprint, used together, enabled him to gain access to the park.
Upon returning home, the son told his mother what he had done to obtain his season pass. According to the complaint, this was the first time the mother learned that her son’s thumbprint was used as part of Six Flag’s season pass system. Allegedly, neither the son nor the mother were informed of the purpose and length of term for which his fingerprint had been collected, nor had they signed any written release regarding taking of the print. Further, neither of them consented in writing to Six Flag’s collection, storage, or use of the son’s thumbprint or other biometric information. The complaint also alleges that Six Flags has retained the son’s biometric information, and has not publicly disclosed what was done with it or how long it will be kept.
The lawsuit seeks redress on the son’s behalf and on behalf of a class of similarly situated individuals, based solely on Six Flags’ failure to comply with BIPA’s requirements. The central issue was whether a person qualifies as an “aggrieved” person under BIPA and can seek damages, even if they have not alleged some actual injury or adverse effect beyond violation of their rights under the law. The Illinois Supreme Court held that they could, finding that when an entity fails to comply with BIPA’s requirements, the violation constitutes an invasion or denial of the statutory rights of the person affected such that the individual would be “aggrieved” within the meaning of BIPA and entitled to seek damages.
In reaching its decision, the Court noted that BIPA’s procedural protections of requiring notice and consent “are particularly crucial in our digital world because technology now permits the wholesale collection and storage of an individual’s unique biometric identifiers—identifiers that cannot be changed if compromised or misused.” When a private entity fails to adhere to BIPA’s procedures, “the right of the individual to maintain [his or] her biometric privacy vanishes into thin air. . . .The injury is real and significant.” The Court further noted that the threat of litigation for noncompliance with the law’s requirements creates the “strongest possible incentive” for companies to protect user data, stating: “Compliance should not be difficult; whatever expenses a business might incur to meet the law’s requirements are likely to be insignificant compared to the substantial and irreversible harm that could result if biometric identifiers and information are not properly safeguarded.”
Widely viewed as a win for consumers, the Illinois Supreme Court’s decision will likely encourage even more litigation under BIPA, which has already sparked hundreds of lawsuits. To prevail, however, plaintiffs need to prove each element of their claim, and many other issues under BIPA have not yet been addressed by the courts.