February 12, 2019 Practice Points

Illinois Supreme Court Rules in Biometric Information Privacy Act Case

A statutory privacy loss is injury enough.

By Jennifer Mesko and Emily Knight

The Illinois Biometric Information Privacy Act (BIPA) has generated a burgeoning area of class action litigation over the last several years. There are numerous interesting legal questions percolating through lower courts in these cases, one of which is whether a plaintiff must allege or demonstrate actual harm to have standing to pursue a claim under BIPA. Put another way, does the statute’s requirement that a person be “aggrieved” to have a private right of action create a requirement of separate, real-world harm? The Illinois Supreme Court has taken the opportunity to resolve this question in the negative; a statutory privacy loss is injury enough. Rosenbach v. Six Flags Ent. Corp., No. 123186, 2019 IL 123186, ¶ 33 (Jan. 25, 2019).

Background

Rosenbach dealt with a fingerprinting system for Six Flags season pass holders at its amusement parks. Specifically, Rosenbach purchased a season pass for her minor child, Alexander, prior to a field trip. Alexander had to complete the sign-up process in person upon arriving at the park. As part of that process, he was required to scan his thumb into a biometric data capture system. Plaintiff alleges that Alexander was not provided any additional information at that time about the “specific purpose and length of term for which his fingerprint had been collected”; nor did he sign a “written release regarding taking of the fingerprint” or consent in writing “to the collection, storage, use sale, lease, dissemination, disclosure, redisclosure, or trade of, or for [defendants] to otherwise profit from, Alexander’s thumbprint or associated biometric identifiers or information.” Id. at ¶ 8.

The defendants moved to dismiss the action, in part, because the plaintiff was not “aggrieved” because she had suffered no actual injury and therefore lacked standing to sue. The defendants sought interlocutory appeal on two questions:

  1. “[w]hether an individual is an aggrieved person under § 20 of the Illinois Biometric Information Privacy Act, 740 ILCS 14/20, and may seek statutory liquidated damages authorized under § 20(l) of the Act when the only injury he alleges is a violation of § 15(b) of the Act by a private entity who collected his biometric identifiers and/or biometric information without providing him the required disclosures and obtaining his written consent as required by § 15(b) of the Act,” and
  2. “[w]hether an individual is an aggrieved person under § 20 of the Illinois Biometric Information Privacy Act, 740 ILCS 14/20, and may seek injunctive relief authorized under § 20(4) of the Act, when the only injury he alleges is a violation of § 15(b) of the Act by a private entity who collected his biometric identifiers and/or biometric information without providing him the required disclosures and obtaining his written consent as required by § 15(b) of the Act.”

Id. at ¶ 14.

The appellate court granted review and answered both questions in the negative, finding that plaintiffs seeking recourse under BIPA must show specific injuries—such as stolen identity or monetary loss—in order to meet the statute’s “aggrieved person” standing requirements. 2017 IL App (2d) 170317, ¶ 28.

The Illinois Supreme Court’s Decision

The Illinois Supreme Court reversed the appellate court’s decision, rejecting arguments that BIPA required an injury beyond a loss of statutory privacy rights, or “technical” violations. Specifically, the Court found that if the General Assembly had wanted to impose an actual damage requirement, it would have done so explicitly as it did in the Consumer Fraud and Deceptive Business Practices Act. 2019 IL 123186, ¶ 25. BIPA, instead, is more similar to the AIDS Confidentiality Act, which does not require proof of actual damages. Id. at ¶ 26. In addition, the Court analyzed the “settled legal meaning” of “aggrieved” from other Illinois cases and dictionary definitions, finding that denial of an individual’s “right to privacy in and control over their biometric identifiers and biometric information” is sufficient. Id. at ¶¶ 29–33.  Lastly, the Court noted that its holding is consistent with the underlying purposes of BIPA – requiring individuals to wait until they have sustained some compensable injury beyond a technical violation before they may seek recourse “would be completely antithetical to the Act’s preventative and deterrent purposes.” Id. at ¶ 37. Moreover, expenses a business might incur to fully comply with BIPA’s requirements are likely insignificant compared to the risk of irreversible harm individuals could suffer if their biometric data is compromised. Id.

While there remain other novel statutory interpretation questions and defenses to be litigated, this is a critical defeat for the more than 200 pending cases accusing businesses of breaching BIPA by capturing their customers’ or employees’ biometric data without their consent.

Jennifer Mesko is counsel and Emily Knight is an associate with Tucker Ellis LLP in Cleveland, Ohio.


Copyright © 2019, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).