March 22, 2023

Volume XIII, Number 81



No Damages Required to Sue Under Illinois Biometric Information Privacy Act

Fingerprint scans and facial recognition technology have become commonplace thanks to smartphones, yet this type of biometric information is being used in other places as well. Fingerprints have become a replacement for passwords, allowing a user to log into their social media app to post a photograph, or their bank account to transfer money, all from their phone and all with a fingerprint. Biometric information also is being used as a replacement for time cards, allowing employees to clock in and out of work with ease, or even as a form of admission to enter an entertainment venue. 

Following the rise of the use of biometric information, the Illinois Legislature passed the Biometric Information Privacy Act (BIPA) in 2008 to provide standards of conduct to help regulate how biometric information is collected, stored and used. Examples of a biometric identifier include a retina or iris scan, fingerprint scan, voiceprint, or hand/face-geometry scan. What makes BIPA all the more powerful is that it allows for a private right of action, permitting an individual who has been “aggrieved” to pursue damages or injunctive relief. 

The Illinois Supreme Court gave BIPA even more “punch” in its decision in Stacy Rosenbach, et al. v. Six Flags Entertainment Corporation, released on January 25, 2019, holding that an individual does not need to prove harm to recover; rather, a technical violation of the Act alone is sufficient to constitute standing. Prior to the decision, the Illinois appellate courts had been split on whether an individual had to suffer an actual injury in addition to a BIPA violation to recover under the Act. This new decision will likely pave the way for future lawsuits and allow more individuals to recover for technical violations under BIPA. 


The Rosenbach decision can be traced back to 2014, when 14-year-old Alexander visited the amusement park Six Flags on a school field trip. Prior to his visit, Alexander’s mother (Rosenbach) purchased his season pass online. Upon Alexander’s arrival at Six Flags, he had to scan his thumbprint alongside his season pass to serve as his admission into the park. The use of biometric information such as thumbprints makes it easier for individuals to enter the park and provides the park with greater security by preventing patrons from entering the park with someone else’s pass. 

According to the complaint, Rosenbach was unaware when she purchased the season pass that Alexander’s fingerprint would need to be scanned and stored. She filed suit on behalf of her son seeking redress, alleging Six Flags violated the Act because it retained biometric information without obtaining written consent, did not disclose what was done with Alexander’s biometric information and failed to disclose how long the information would be stored. Despite the allegations that Six Flags violated BIPA, Alexander did not suffer an actual injury – causing Six Flags to challenge whether Rosenbach had standing to sue. 

Section 20 of the Act provides that any person “aggrieved” by a BIPA violation shall have a right of action against the offending party and may recover, for each violation:

  • Liquidated damages of $1,000 or actual damages, whichever is greater, against a private entity that negligently violates a provision of the Act
  • Liquidated damages of $5,000 or actual damages, whichever is greater, against a private entity that intentionally or recklessly violates a provision of the Act
  • Reasonable attorneys’ fees and costs, expert witness fees and other litigation expenses
  • Other relief, including an injunction.

The Semantics of “Aggrieved”

The issue central to this case and many other BIPA lawsuits is whether Alexander was “aggrieved” within the meaning of the Act, despite lacking an actual injury. Rosenbach argued that a violation of the Act alone was sufficient to render a party “aggrieved,” whereas Six Flags argued that the meaning of “aggrieved” most consistent with the Act requires actual harm or adverse consequences. The Illinois Supreme Court rejected the Six Flags argument and instead found that a technical violation of the Act alone does in fact meet the definition of “aggrieved.” In doing so, the court reversed the appellate court’s decision, which had held the exact opposite: that actual harm or an adverse effect must be alleged in order for an individual to have standing under BIPA. 

In analyzing the word “aggrieved,” the court looked to the AIDS Confidentiality Act, another Illinois statute that, like BIPA, has a private right of action for an “aggrieved” person. Similar to BIPA, the AIDS Confidentiality Act does not contain its own definition of the word “aggrieved.” However, in 2002 it was decided that proof of harm was not required for a person to be “aggrieved” under the AIDS Confidentiality Act. Additionally, in Rosenbach, the court focused on the plain meaning of the word “aggrieved” and found that it meant “having legal rights that are adversely affected.” Therefore, the court reasoned that to require an actual injury in addition to a BIPA violation would depart from the ordinary meaning of the word “aggrieved” and read into the Act conditions that the Illinois legislature did not intend. 


Additionally, the court’s reasoning behind the Rosenbach decision focused heavily on the nature of biometric information, which unlike a social security number or password can’t be changed. Specifically, the court explained that the protections afforded by BIPA “are particularly crucial in our digital world because technology now permits the wholesale collection and storage of an individual’s unique biometric identifiers – identifiers that can’t be changed if compromised or misused.” The court further explained that when a BIPA violation occurs, an individual’s injury is already real and significant because that person immediately loses their right to maintain their biometric information. Further, to require that person to wait until he or she sustained an actual injury “would be completely antithetical to the Act’s preventative and deterrent purposes.” 

This decision serves as an important reminder that it is imperative for private entities such as Six Flags to develop written policies that will establish a retention schedule and notify individuals how their biometric information will be used and stored. Given how technology evolves at a rapid rate and how quickly biometric information technology has entered everyday use, private entities that employ biometric information technology need to be cognizant of how they are handling individuals’ biometric information to ensure compliance with BIPA. Now that Rosenbach gives an individual the right to pursue damages or injunctive relief on a technical violation alone, businesses must be prepared for the new wave of BIPA litigation.

© 2023 Wilson Elser

National Law Review, Volume IX, Number 52

About this Author

Anjali C. Das, Wilson Elser, professional liability insurance lawyer, shareholder obligations attorney, illinois

With nearly two decades of experience, Anjali Das represents insurers in connection with professional liability insurance coverage matters and claims involving accounting, finance and other complex business issues. She is a coordinating partner for the firm’s Directors & Officers practice and a member of the Diversity Committee.

Anjali represents the interests of U.S., London and Bermuda-based primary and excess insurers in high-exposure claims against directors and officers of public and private companies, non-profit boards, financial...

Brian Dollar, Cybersecurity lawyer, Wilson Elser

Brian Dollar practices in the areas of cybersecurity and privacy breach response, pre- and post-event. He analyzes client compliance with GLBA, COPPA, HIPAA/HITECH, and related state, federal, and international laws. Brian also advises on identifying, evaluating and managing first- and third-party data privacy and security risks. Brian has earned the U.S. Certified Information Privacy Professional (CIPP/US) designation from the International Association of Privacy Professionals. 

Prior to joining Wilson Elser, Brian worked for the City of Chicago, where he managed investigations...

Stefanie L. Ferrari, Cybersecurity lawyer, Wilson Elser

Stefanie Ferrari focuses her practice primarily in the areas of cybersecurity and privacy breach response, complex tort and general casualty, and toxic tort litigation. Stefanie gained significant experience in a wide variety of practice areas and all facets of the litigation process while serving as a law clerk at Wilson Elser throughout law school. 

While in law school, Stefanie was involved with the Civil Litigation Clinic, where she learned the nuances of preparing clients for every step of the litigation process. She was notes and comments editor and a...


David Potter practices in the areas of cybersecurity and privacy breach response, pre- and post-event. He provides analysis of compliance with the GLBA, COPPA, HIPAA/HITECH, and other related state, federal and international laws and regulations. David advises clients on identifying, evaluating and managing first- and third-party data privacy and security risks and addresses all aspects of the information management life cycle. 

Before joining Wilson Elser, David was a prosecutor in the Cook County State Attorney's Office. Most recently, he was assigned to the...