On January 25, 2019, the Illinois Supreme Court issued its decision in the closely watched case, Rosenbach v. Six Flags Entertainment Corp., regarding whether individuals need to show actual injury or adverse effect to qualify as “aggrieved” under the Illinois Biometric Information Privacy Act (“BIPA” or the “Act”).[1] In a unanimous opinion, the court found that BIPA is intended to prevent any injury in the first place, and therefore, a plaintiff is aggrieved by a violation of the statute itself and need not allege or suffer additional actual harm to recover under the statute. This is a reversal of the appellate court’s decision, which had found that a purely technical violation of the act—without demonstrating further harm—was not a sufficient basis upon which to award damages.
The Illinois court’s decision could mean a green light for the dozens of class action suits filed under BIPA in state and federal courts. It also provides guidance for courts attempting to distinguish the U.S. Supreme Court’s Article III standing analysis in Spokeo v. Robins from the harms requirement in biometric privacy cases.[2] (See our Client Memos on Spokeo here, and post-Spokeo class action lawsuits here.) The bottom line is that entities that collect biometric data need to understand and, where applicable, adhere to the requirements of BIPA, or otherwise risk potential claims for significant damages based on technical violations of the statute.
Overview of BIPA
BIPA regulates private entities’ collection, storage, use, and disclosure of biometric identifiers or biometric information, such as face scans, fingerprints, or voiceprints. Under BIPA, private entities must implement a number of specific protocols regarding their handling of biometric data, such as:
- Retention Schedules. Publish retention schedules and establish guidelines for timely destruction of biometric identifiers and biometric information.
- Notice. Provide written notice to individuals that informs them when their biometric identifiers or biometric information is being collected or stored, including the purpose of collection and the retention period.
- Authorization. Obtain informed written consent from individuals or their legally authorized representative prior to collecting biometric data.
- Disclosures. Refrain from disclosing without consent, absent limited circumstances, and from selling or otherwise profiting from an individual’s biometric data.
- Security. Use industry-standard security measures to protect the storage and transmittal of biometric identifiers or biometric information.
BIPA is currently the only state biometric privacy law in the U.S. with a private right of action, which is available to “any person aggrieved by a violation of this Act.” Plaintiffs can recover damages of up to $1,000 for negligent violations and $5,000 for intentional and reckless violations per each violation, as well as injunctive relief and reasonable attorneys’ fees. BIPA was enacted in 2008, and has gained greater publicity in recent years due to a number of high-profile class action lawsuits alleging violations of the law by consumer technology giants and smaller Illinois-based businesses alike. Most of these cases have been brought in Illinois state courts, though a handful have been brought in federal courts in Illinois, California, and New York, raising the question of BIPA’s extraterritorial reach.
A Statutory Violation of BIPA Is Sufficient Harm
The plaintiff in Rosenbach alleged that Six Flags amusement park collected and maintained her minor son’s biometric identifiers and information without providing sufficient written notice or obtaining written consent from her or her son. Six Flags collected the boy’s thumbprint through a fingerprint identification system used to administer his season pass to the park. It is undisputed that the thumbprint collected in this process was a biometric identifier, and when electronically stored by Six Flags, constituted biometric information subject to BIPA. The plaintiff sought statutory damages and injunctive relief.
Rosenbach arrived at the state supreme court on appeal from the Illinois Second District Appellate Court, which found that while Six Flags’ actions were a technical violation of the statute, the plaintiff was not sufficiently “aggrieved” within the meaning of BIPA without alleging further injury or adverse effect. However, in September 2018, the Illinois First District Appellate Court reached the opposite conclusion on similar facts, holding that BIPA does not require plaintiffs to show harm in addition to violations of the Act. The First District reasoned that requiring plaintiffs to show additional harm is antithetical to the legislative intent, emphasizing that “the whole purpose of the Act is to prevent any harm from occurring in the first place.”[3] The state supreme court agreed with the First District’s analysis, asserting that when a company fails to comply with one of BIPA’s requirements, that violation constitutes a denial of the statutory rights of the person whose biometric identifier or biometric information is at issue, even if additional harm is not alleged.
The court remanded the case to the circuit court, with clarification that a person is entitled to seek damages under BIPA without alleging “some actual injury or adverse effect” beyond the violation of his or her rights under the Act.
Spokeo and Standing in Biometric Privacy Cases
The Illinois Supreme Court’s decision in Rosenbach departs from a recently decided case from the U.S. District Court for the Northern District of Illinois, Rivera v. Google.[4] Rivera granted Google’s motion to dismiss, finding that Google’s creation and retention of face templates did not rise to the level of a concrete injury-in-fact sufficient to confer Article III standing under the Supreme Court’s Spokeo analysis. However, in February 2018, the U.S. District Court for the Northern District of California distinguished BIPA from the privacy law at issue in Spokeo, the Fair Credit Reporting Act (“FCRA”), reading BIPA as targeting the unauthorized collection of information in the first instance.[5]
While it may appear that Spokeo and Rosenbach are at odds, the divergent outcomes in BIPA cases have turned on the courts’ interpretation of the key component of the law—whether a plaintiff is “aggrieved” within the meaning of the Act and may pursue damages based solely on a defendant’s violation of the statute. While the Court in Spokeo found that a bare procedural violation of FCRA was insufficient to confer Article III standing, it noted that in some circumstances a violation of the procedural rights granted by a statute can be sufficient to constitute a concrete injury. The Illinois Supreme Court’s ruling in Rosenbach suggests that BIPA may be one such statute.
It remains to be seen whether federal courts will follow the state court’s lead in distinguishing the harm requirement in BIPA from the FCRA harm at issue in Spokeo. Regardless, companies that do business, or process the biometric identifiers or information of persons located in, Illinois should consider implementing the notice, informed consent, and other requirements of BIPA to avoid becoming entangled in any of the class action lawsuits that are sure to follow in Rosenbach’s wake.
[1] Rosenbach v. Six Flags Entm’t Corp., No. 123186 (Ill. Jan. 25, 2019).
[2] Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1548-49 (2016).
[3] Sekura v. Krishna Schaumburg Tan, Inc., No. 2016-CH-04945 at *18 (Ill. App. Ct. 1st Dist. 2018).
[4] Rivera & Weiss v. Google, Inc., No. 16 C 02714 (N.D. Ill. Dec. 29, 2018).
[5] Patel v. Facebook Inc., 290 F. Supp. 3d 948, 956 (N.D. Cal. 2018) (emphasis added).
