August 22, 2019

August 21, 2019

Subscribe to Latest Legal News and Analysis

August 20, 2019

Subscribe to Latest Legal News and Analysis

August 19, 2019

Subscribe to Latest Legal News and Analysis

No Harm, Still a Foul: Illinois Supreme Court Rules on the Collection of Biometric Data

Leaving its fingerprints all over the privacy debate, the Illinois Supreme Court handed down a ruling that will significantly impact litigation under the state’s unique Biometric Information Privacy Act (“BIPA” or “Act”), creating a potential boon for plaintiffs. In its January 25 opinion in Stacy Rosenbach v. Six Flags Entertainment Corp., the court unanimously sided with the plaintiff, ruling that actual harm is not a requirement to establish standing under BIPA. Specifically, the court addressed the threshold issue of who can be considered an “aggrieved” person under the Act, finding that a Six Flags season pass holder can claim that the theme park breached BIPA by collecting her son's thumbprint without prior consent, even though no consequential, real-world harm occurred from the data collection. In a roller coaster ride for defendant Six Flags Entertainment Corporation, the Illinois Supreme Court reversed the state appellate court’s December 2017 decision.

More than 100 businesses accused of violating BIPA have closely watched the case, and it is likely the ruling may embolden plaintiffs’ attorneys to add to the over 200 BIPA cases brought in Illinois state courts. Many of these cases were stayed in anticipation of the Rosenbach decision.

BIPA requires companies that capture individuals' biometric information, including fingerprints, retina scans, or voice samples, to obtain written consent and disclose how they use, store, and destroy that data. Notably, it is the nation’s only biometric privacy law with a private right of action. The Rosenbach ruling increases exposure and risk for companies collecting biometric data for commercial and employment purposes, and may prompt companies to strengthen their disclosures or scale back their offerings to try to avoid statutory penalties of over $1,000 for each negligent violation and $5,000 per intentional or reckless violation. For more information on BIPA, see Mintz’s past blog: The Law of Unintended Consequences: BIPA and the Effects of the Illinois Class Action Epidemic on Employers.

BIPA cases are still far from a slam-dunk for plaintiff’s attorneys, however, as many issues surrounding interpretation of BIPA remain unresolved. Although the Illinois Supreme Court has settled the meaning of an “aggrieved” party, future cases are likely to examine what constitutes a “biometric identifier,” whether a defendants' business practices actually violate BIPA, the role of implied notice and consent in cases where employees voluntarily submitted their biometric information for purposes such as clocking in and out of work, class certification, and other legal issues. Additionally, Federal BIPA suits will need to distinguish their case from the Supreme Court’s 2016 ruling in Spokeo v. Robins, which held that plaintiffs cannot rely on mere statutory violations but must allege a concrete harm to establish Article III standing. The Rosenbach ruling also sets up a potential conflict with the Seventh Circuit’s holdings that the term “aggrieved” requires a cognizable injury.

The ruling may also set up a clash between businesses and privacy advocates on the legislative front, with businesses urging legislators to amend the law to reduce liability risk. As the first, and arguably most stringent, state biometric privacy law, BIPA has served as a model for states looking to pass similar laws in the future.  To date, Texas and Washington have enacted biometric privacy laws, but BIPA’s statutory damages provision stands alone – so far. Judicial interpretations and legislative actions surrounding BIPA could come to impact businesses with a far broader footprint than just the state of Illinois. Businesses that collect and use biometric data for employment and commercial purposes must follow BIPA, and associated judicial and legislative closely.

©1994-2019 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

TRENDING LEGAL ANALYSIS


About this Author

Cynthia Larose, Privacy, Security, Attorney, Mintz Levin, Law Firm, electronic transactions lawyer
Member / Chair, Privacy & Cybersecurity Practice

Cynthia is a highly regarded authority in the privacy and security field and a Certified Information Privacy Professional (CIPP). She handles the full range of data security issues for companies of all sizes, from start-ups to major corporations. Cynthia is masterful at conducting privacy audits; crafting procedures to protect data; advising clients on state, federal, and international laws and regulations on information use and data security; helping organizations respond to breaches; and planning data transfers associated with corporate transactions. She is an in-...

617-348-1732
Elana Safner, Mintz Levin Law Firm, Washington DC, Litigation Law Attorney
Associate

Elana advises clients on public policy, regulatory issues, and disputes affecting the communications sector, as well as privacy and cybersecurity matters. She also has experience with Federal Communications Commission (FCC) procedures and rulemakings.

She has a Certified Information Privacy Professional (CIPP) (US Specialization) certification from the International Association of Privacy Professionals.

Prior to joining Mintz Levin, Elana worked as an associate in the DC office of an international law firm, where she advocated on behalf of her clients spanning a wide variety of industries and issues, including telecommunications, privacy, cybersecurity, and autonomous vehicles. Elana has also presented and published on the topic of legal issues facing artificial intelligence.

202-434-7346