October 19, 2019

October 18, 2019

Subscribe to Latest Legal News and Analysis

October 17, 2019

Subscribe to Latest Legal News and Analysis

October 16, 2019

Subscribe to Latest Legal News and Analysis

Lawsuit Under Illinois Biometric Law Does Not Require Harm

In a unanimous decision, the Illinois Supreme Court found that a Six Flags pass holder had a valid claim as an “aggrieved person” under the Illinois Biometric Privacy Act of 2008 (“BIPA”), hence having the right to bring an action for damage under BIPA for actual or liquidated damages, whichever amount is greater, despite not alleging actual harm. The case originally arose out of Six Flags collection of the thumbprints of the plaintiff’s son after he purchased a season pass for the theme park on a school field trip.

BIPA is the most stringent statute in the nation regulating biometric information and applies to the collection, use, safeguarding, handling, storage, retention and destruction of biometric identifiers and biometric information. BIPA creates a private right of action for a person aggrieved by a violation of the statute, with damages ranging from liquidated damages of $1,000 or actual damages for a negligent violation (whichever is greater), to liquidated damages of $5,000 or actual damages for an intentional or reckless violation (whichever is greater). Attorney’s fees and litigation costs or other relief, including an injunction, are also permitted under the statute. The law was enacted in response to the growing use of biometrics in the business and security screening sectors, and in recognition of the fact that biometrics are unlike other unique identifiers used to access finances or other sensitive information. 

The plaintiff, in this case, did not allege that the thumbprints were stolen or misused as a result of their collection by Six Flags. Rather, the complaint alleged Six Flags violated BIPA by:

  1. Collecting and storing biometric data from the plaintiff’s son without informing her or her son in writing that the information was being collected or stored.

  2. Failing to inform the plaintiff or her son of the purpose for which the information was collected or length of time it would be kept or used.

  3. Failing to obtain a written release executed by the plaintiff or her son before collecting the information.

Six Flags argued that the plaintiff did not have a claim under BIPA because plaintiff did not allege that any harm resulted from the collection of her son’s thumbprints, so was not an “aggrieved person” under BIPA with standing to bring the action. In support, the defendant relied on the  Illinois Appellate Court’s holding at the appellate level, 2017 IL App (2d) 170317, that indicated a defendant’s technical violation of the statute was not enough for a plaintiff to pursue damages as an aggrieved person under the act. At the appellate level, the court held that an injury or adverse effect must be alleged, and that it need not be pecuniary but must be more than a “technical violation of the Act.” 

The court found that an “aggrieved person” under BIPA need not have “sustained actual damage beyond violation of his or her rights under the Act in order to bring an action under it.” The court reasoned that this definition of aggrieved is consistent with definitions of aggrieved in the dictionary, as well as other Illinois court decisions.

The court also looked to the intent of BIPA, stating that the intent of the legislature was to “try to head off such problems before they occur,” by safeguarding privacy rights in biometric information before they can be compromised, as well as subjecting those who do not comply with the law’s requirements to liability. The court reasoned, “[w]hen private entities face liability for failure to comply with the law’s requirements without requiring affected individuals or customers to show some injury beyond violation of their statutory rights, those entities have the strongest possible incentive to conform to the law and prevent problems before they occur and cannot be undone.“ Requiring individuals to sustain injury before they can seek relief “would be completely antithetical to the Act’s preventative and deterrent purposes.” 

This decision will likely have far-reaching implications for companies collecting biometric data from a variety of individuals and in a number of contexts. An increasing number of companies are electing to utilize biometric data in a variety of new ways to create efficiencies, such as for timekeeping purposes for employees to clock in and out. The Six Flags case serves as a reminder to ensure strict compliance with BIPA.  Included in these requirements is obtaining consent from individuals, establishing a retention schedule and guidelines for destroying biometric identifiers, and informing individuals not only of the collection, but also what it is being used for and how it is being retained (including the length of time that biometric data is being stored). Companies are also required to develop a written policy that establishes guidelines for the collection and destruction of biometric data under BIPA’s requirement.

© Polsinelli PC, Polsinelli LLP in California


About this Author

Lisa J. Acevedo, Polsinelli, HIPAA Compliance Lawyer, Health Privacy Matters Attorney

Lisa Acevedo provides strategic counsel in the areas of federal health privacy laws, including HIPAA, as amended by the HITECH Act, FERPA, the Confidentiality of Alcohol and Drug Abuse Treatment Records Regulation, as well as state laws governing the confidentiality of health information, medical records, mental health records, and records containing other highly sensitive information. She has assisted clients through security breaches and the notification process, both at the federal and state levels.   

She guides clients through the...

Lindsay Dailey Health Care Privacy Attorney

Lindsay Dailey serves clients at the intersection of healthcare regulatory and privacy/data security compliance. Prior to joining the firm, Lindsay worked with the American Medical Association, American Dental Association, and Rehabilitation Institute of Chicago. This in-house experience in corporate compliance and regulatory issues serves her practice and her clients well - in fact, she spent over a year in-house secunded to the Privacy Office of a firm client, a national retail pharmacy chain. 

Lindsay graduated law school with a certificate in Health Law, and she was formerly a legal extern with the Illinois Office of Health Information Technology. She now serves on Polsinelli’s Privacy & Data Security team, leveraging her in-house and privacy experience to assist clients with a variety of healthcare regulatory compliance issues, particularly in the healthcare technology industry. Her experience in counseling clients on HIPAA, HITECH, and related federal and state privacy laws, combined with her focus in healthcare technology, allows her to provide unique insight to clients implementing or expanding data systems, utilizing mobile applications, and storing/transmitting PHI or other data via the cloud.  

Lindsay has represented public, private, and non-profit companies in the health care, medical device, technology, telecommunications, banking, and retail industries in various matters, including assisting clients with: 

  • Drafting privacy, security and online privacy policies to comply with federal and state privacy laws 

  • Advising on domestic and international data privacy and security compliance 

  • Breach and security counseling, including audit response, risk analysis and risk management strategy, and mitigation

  • Negotiating business associate agreements for covered entities, business associates and subcontractors/vendors 

  • Drafting privacy and confidentiality language in cloud service, data center, and software agreements  

  • Medical device product development and design, contract negotiations, and management of vendor relationships 

  • Developing contract templates, model language and internal policies to create business efficiencies

Areas of Focus

  • Health Care Industry

  • Health Care Services

  • HIPAA/Health Information Privacy and Security

  • Health Care Technology & Innovation

  • Privacy and Cybersecurity


  • J.D., Loyola University Chicago School of Law, 2012, Annals of Health Law Journal,  CALI Award; Phi Alpha Delta Legal Fraternity; Dean's List
  • B.A., University of Illinois at Urbana-Champaign, 2009, Honors;

Bar Jurisdictions

  • Illinois, 2012
Mary Buckley Tobin Health Care Attorney

Mary Buckley Tobin is an associate in the Health Care Operations practice group. Her practice focuses on regulatory issues affecting health care providers, including reimbursement, fraud and abuse and clinical research.

Mary advises health care providers and practitioners on a variety of complex regulatory and compliance issues, including:

• Licensing rules

• Telehealth reimbursement rules

• Fraud and abuse laws, including Stark Law, Anti-kickback statues and False Claims Act


Mary Kathryn Curry, labor and employment lawyer, polsinelli, law firm

Mary Curry is dedicated to helping clients efficiently and effectively address their litigation needs. As a member of the firm's Labor and Employment practice, Mary represents employers across a variety of industries. She has extensive experience working on employment related cases, from wage and hour matters, discrimination and harassment claims, as well as E.R.I.S.A. and administrative actions. Her experience litigating employment-related cases in federal and state courts, as well as administrative agencies has sharpened her ability to provide effective, accurate...