The big game is over and we find ourselves hunkering down for the remaining weeks of winter. We could all use an island vacation or, in the alternative, some light reading material to distract ourselves from the cold outside the walls of our homes and offices. We have you covered (for the light reading, not the Caribbean trip), and over the coming weeks we will be sharing a series summarizing recent legal decisions in the data privacy and security arenas.
To kick things off, we are looking at a recent case discussing the use of an individual’s biometric data. So sit back, hold your cup of coffee or tea for that little bit of extra warmth, and get ready to lose yourself in the land of biometric data.
When do companies have to get individuals’ consent/authorization to use their biometric data? This question is playing out in Illinois courts. The Illinois Biometric Information Privacy Act, 740 ILCS 14/1, et seq. (BIPA) provides that a “person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party.” The term “aggrieved” is not defined in BIPA and has become a focal point for litigation.
In January 2019, the Illinois Supreme Court issued a unanimous decision in Rosenbach v. Six Flags Entertainment Corp. The case resolves a lower court split in interpreting BIPA, holding that a plaintiff need not allege an actual injury to bring a cause of action under BIPA. In the suit, the plaintiff claimed a violation of BIPA when the Six Flags theme park collected her son’s thumbprint without permission (i.e., without the notice and consent required by BIPA) as part of the park’s process of scanning and storing pass holders’ fingerprints when entering the amusement park.
The Court held that a plaintiff need not allege an “actual injury or adverse effect, beyond violation of his or her rights under the Act [BIPA], in order to qualify as an aggrieved person.” Consequently, the season pass holder could be considered an “aggrieved person” under BIPA and entitled to seek injunctive relief and liquidated statutory damages of up to $5,000 per alleged violation even though there were no alleged concrete injuries. The Court overruled the state appellate court, which had found that a mere “technical” violation of BIPA alone (i.e., collecting biometric identifiers and/or biometric information without providing disclosures or obtaining written consent as required by BIPA) was not a sufficient basis for a party to allege he/she was “aggrieved” by an alleged statutory violation (i.e., an actual injury, harm, or data breach). This differs from the approach to standing employed in other federal courts and is inconsistent with judicial interpretation on what it means to be “aggrieved” by an alleged statutory violation.
Agreeing with the California court’s interpretation of BIPA (in the Facebook photo tagging litigation), the Illinois Supreme Court held that when a private entity fails to adhere to BIPA’s statutory procedures, the individual’s right to “maintain [his or] her biometric privacy vanishes into thin air,” which is “the precise harm the Illinois legislature sought to prevent.” Thus, once the statutory violation has occurred, the affected individual may bring a BIPA claim.
Given the growing trend in collection and use of biometric information and technology, companies operating in Illinois should be aware of the Rosenbach case and should expect to see a continuing increase in litigation with plaintiffs alleging harm as an “aggrieved” party without a concrete injury. The implications of this case will reach beyond Illinois and the increased attention to privacy by design in consumer-facing products and services. While Illinois is the only state that currently allows a private right of action, Washington and Texas also have existing biometric privacy laws. It is worth watching the Illinois legislature to see what types of amendments follow this ruling, as well as the progress of biometric privacy legislation in other states (e.g., New York). In addition to privacy concerns with regard to consumer-facing products and services, the Rosenbach case also has significant implications for employers in all states as they incorporate biometric-related programs and technology into the workplace. Our Labor and Employment Team outlines the implications for employers here. In light of these issues, we will continue to monitor developments and watch to see whether exposure under BIPA – and any similar developing biometric privacy laws – will increase even in the absence of any alleged actual injury.
For questions about this update, please contact: