A recent decision issued by the Supreme Court of Illinois seems to stand for the proposition that the risk of harm to an individual stemming from a violation of the Illinois Biometric Privacy Act (740 ILCS 14/1-14/99) is so great that an impacted individual need not establish actual harm or injury to bring a claim. Rather, according to the Supreme Court of Illinois, exposure to the risk of actual harm or injury, standing alone, is sufficient. In a recent decision relating to this issue, the Illinois Supreme Court held that plaintiffs filing claims under the Illinois Biometric Privacy Act (the "Act") need not establish actual damages in order to have standing. The Act prohibits a private entity from collecting or obtaining an individual's biometric information without the individual's knowledge or consent and authorizes recovery of actual damages or liquidated damages up to $5,000 per violation.

In Rosenbach v. Six Flags Entertainment, Corp., et al., a 14-year old boy sued Six Flags for violating the Act after Six Flags collected his thumbprint which was then used to activate his season pass. Six Flags collected this information without notifying the boy's mother or obtaining consent. Six Flags sought to dismiss the action, arguing that its "technical violation" of the Act was insufficient to confer standing on the plaintiff absent an alleged threatened or actual injury. In overturning the Illinois Appellate Court's decision siding with Six Flags, the Illinois Supreme Court noted the legislative intent supporting passage of the Act, specifically that the ramifications of collecting biometric data are not fully known and remedying breaches involving biometric data may be difficult. The Illinois Supreme Court held that Six Flags' failure to obtain consent was more than a mere technicality and posed a real and significant injury to the plaintiff, establishing standing.

This decision by the Illinois Supreme Court is arguably inconsistent with the approach to standing broadly employed by federal courts which requires plaintiffs to have suffered actual harm or injury before bringing suit. It also makes clear that the risks to a company associated with failing to comply with the Act – which includes numerous complex requirements – can be just as damaging to a company as a data breach itself.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.