BIPA and Rosenbach
BIPA provides a private “right of action” to “[a]ny person aggrieved by a violation of this Act.” 740 Ill. Comp. Stat. 14/20. BIPA regulates six “biometric identifiers”—“a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry”—as well as “biometric information” derived from one of these identifiers and used to identify a person. Id. 14/10. Businesses that collect consumers’ “biometric identifiers” or “biometric information” must comply with five requirements: (1) publish a written “schedule and guidelines” for the retention and destruction of the data; (2) inform the subject “in writing” of the collection, the purpose, and the duration of storage and obtain a “written release” before collecting the data; (3) refrain from “sell[ing], leas[ing], trad[ing], or otherwise profit[ing]” from the data; (4) refrain from “disclos[ing]” or “disseminat[ing]” data without consent; and (5) take reasonable measures to “protect” data “from disclosure.” Id. 14/15(a)–(e).
In Rosenbach, a mother sued Six Flags Entertainment Corporation (Six Flags) on behalf of her minor son after Six Flags allegedly captured her son’s thumbprints when he purchased a season pass. — N.E.3d —, 2019 IL 123186, ¶¶ 4–9 (Ill. Jan. 25, 2019). The court in Rosenbach held that BIPA “codified that individuals possess a right to privacy in and control over their biometric identifiers and biometric information.” Id. ¶ 33. The Court explained that BIPA violations are not “merely ‘technical’ in nature” because “an individual’s unique biometric identifiers . . . cannot be changed if compromised or misused.” Id. ¶ 34. As such, “an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act.” Id. ¶ 40. “To require individuals to wait until they have sustained some compensable injury beyond violation of their statutory rights before they may seek recourse, as defendants urge, would be completely antithetical to the Act’s preventative and deterrent purposes.” Id. ¶ 37.
Rosenbach and Article III Injury in Fact
Rosenbach did not resolve whether BIPA violations are sufficient to confer Article III standing to litigate in federal courts. Even if a plaintiff’s “action [] is perfectly viable in state court under state law,” he “may nonetheless be foreclosed from litigating the same cause of action in federal court, if he cannot demonstrate the requisite injury to establish Article III standing.” Hangarter v. Provident Life & Accident Ins. Co., 373 F.3d 998, 1022 (9th Cir. 2014).
“Article III standing requires a concrete injury even in the context of a statutory violation.” Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1549 (2016). Plaintiffs alleging a violation of a procedural statutory requirement must show (1) that the legislature “conferred the procedural right to protect a plaintiff’s concrete interests” and (2) that the “procedural violation presents a risk of real harm to that concrete interest.” Robins v. Spokeo, Inc., 867 F.3d 1108, 1113 (9th Cir. 2017) (internal quotation marks omitted), cert. denied, 138 S. Ct. 931 (2018).
Rosenbach provides BIPA plaintiffs strong support for the first showing, concreteness. In cases where an alleged injury is intangible, such as a privacy violation, courts consider (1) “whether an alleged intangible harm has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts” and (2) the judgment of the legislature, which is “well positioned to identify intangible harms that meet minimum Article III requirements.” Spokeo, 136 S. Ct. at 1549. Rosenbach clearly holds that the Illinois legislature intended to confer standing for BIPA violations standing alone because “when a private entity fails to adhere to the statutory procedures . . . , the right of the individual to maintain his or her biometric privacy vanishes into thin air.” 2019 IL 123186, ¶ 34 (internal quotation marks omitted). In other words, the theft of biometric information poses “real and significant” harm beyond the theft of other personal identifiers: biometric information is immutable, and consumers cannot change it like a Social Security or credit card number. Id.; see 740 Ill. Comp. Stat. 14/5(c) (“Biometrics are unlike other unique identifiers that are used to access finances or other sensitive information” because, “once compromised, the individual has no recourse. . . .”). It is not at all clear, however, that the mere collection and storage of biometric data bears a “close relationship to” a recognized common law harm. Spokeo, 136 S. Ct. at 1549; see also Rivera v. Google, Inc., 2018 WL 6830332, at *8–9 (N.D. Ill. Dec. 29, 2018) (noting a “wide gap between . . . the creation and retention of [] face templates [] and the privacy interests protected by [the common law]”).
Rosenbach does not provide BIPA plaintiffs support for the second showing, real-world harm causally connected to the BIPA violation. The strongest base of support for such harm is likely found in data breach cases. See, e.g., In re Horizon Healthcare Servs., Inc. Data Breach Litig., 846 F.3d 625, 639 (3d Cir. 2017) (finding that “unauthorized dissemination of personal information” constitutes injury in fact); Gubala v. Time Warner Cable, Inc., 846 F.3d 909, 912 (7th Cir. 2017) (no “violation of the plaintiff’s privacy” absent “indication that [defendant] released, or allowed anyone to disseminate, any of the plaintiff’s personal information”); Braitberg v. Charter Commc’ns, Inc., 836 F.3d 925, 930 (8th Cir. 2016) (no standing where plaintiff did “not allege that [the defendant] disclosed [her personally identifiable] information to a third party”). These cases recognize that there is a “substantial risk” of future harm to consumers who entrust their data to companies with a prior data breach. See Clapper v. Amnesty Int’l USA, 568 U.S. 398, 414 n.5 (2013).
These unresolved Article III questions should give pause to defendants in putative BIPA class actions in Illinois state courts: Is it worthwhile to remove the case to federal court and expend resources litigating Article III standing, only to have the federal court find no standing and remand the case to Illinois state court?
Conclusion
Consumer-facing businesses in Illinois that collect biometric information need to closely follow how federal courts resolve the tension between Rosenbach and Article III’s injury-in-fact requirements. Regardless of Article III, Rosenbach guarantees that the wave of BIPA class actions will continue apace in Illinois state courts. It is therefore imperative that consumer-facing businesses thoroughly investigate their compliance with BIPA unless they want to go surfing.
Geoffrey J. Derrick is an associate with Akin Gump Strauss Hauer & Feld LLP in Washington, D.C.