In a highly anticipated ruling, the Illinois Supreme Court on January 25, 2019, held that plaintiffs who violated the Illinois Biometric Information Privacy Act — which regulates the collection of biometric information such as retina scans — need not allege a separate injury or adverse effect to have statutory standing as an "aggrieved" person to bring a claim under BIPA for liquidated damages and injunctive relief. The decision in the case, Rosenbach v. Six Flags Entertainment, resolves much of the uncertainty about when an individual may bring suit under BIPA, which remains the only state biometric privacy law with a private right of action. The ruling is also likely to make predominance and typicality challenges to class actions more difficult for defendants. 

Biometric Information Privacy Act

Illinois passed BIPA in 2008 to regulate the "collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information." BIPA requires that organizations provide written notice and obtain a written release prior to the collection of any biometric identifier. A "biometric identifier" is defined as "a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry." The notice must include the purpose of the collection and the duration that the organization will use or retain the data. Only after obtaining a written release can organizations begin their collection activities. BIPA also requires organizations to have a publicly available, written policy stating how long the organization will retain the data and rules governing the destruction of that data. 

Unlike other states with biometric privacy laws, including Texas and Washington, BIPA provides that "[a]ny person aggrieved by a violation of this Act shall have a right of action ... against an offending party." "Aggrieved" parties may recover the greater of actual damages or liquidated damages of $1,000 for a negligent violation and $5,000 for an intentional or reckless violation. Successful plaintiffs may also obtain injunctive relief and recover attorneys fees.

Factual Background

Six Flags and its subsidiary, Great America (the defendants), own and operate an amusement park in Gurnee, Illinois. To speed repeat visitors' park entry and reduce fraud, since at least 2014, defendants have used a fingerprinting process when issuing repeat-entry passes for their amusement park. This process includes scanning pass holders' fingerprints; and collecting, recording and storing this data to verify customer identities upon subsequent visits.

In May or June 2014, Stacy Rosenbach's son visited a Six Flags amusement park on a school field trip. Rosenbach had purchased a season pass for her son and provided personal information about him. When Rosenbach's son arrived at the park, he was required to go through the fingerprinting process to receive his season pass card. 

After learning of her son's fingerprint collection, Rosenbach filed a putative class action complaint, alleging that the defendants had violated BIPA by:

  1. "collecting, capturing, storing or obtaining biometric identifiers and biometric information" from her son and other members of the proposed class without providing them with written notice that the information was being collected or stored;
  2. failing to provide written notice concerning the specific purpose for which the information was being collected; and
  3. failing to obtain a written release prior to collecting the information. 

Rosenbach sought liquidated damages and injunctive relief to compel defendants to make the required disclosures under BIPA and prohibit them from violating the act going forward.

The defendants moved to dismiss Rosenbach's complaint, arguing, among other things, that the plaintiff was not aggrieved because she had not suffered an actual or threatened injury. The circuit court denied the defendants' motion to dismiss the BIPA claims but permitted an interlocutory appeal on whether the plaintiff had statutory standing. Illinois' intermediate court of appeal dismissed the entire action, finding that a plaintiff is not "aggrieved" under BIPA and may not pursue either damages or injunctive relief under the act based solely on a "technical violation of the Act." The appellate court held that a plaintiff must allege an actual injury or adverse effect to have standing to bring a BIPA action.

Supreme Court Decision

The Illinois Supreme Court reversed the intermediate appellate court's ruling, holding that "an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under [BIPA], in order to qualify as an 'aggrieved' person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act."

The court began its analysis by looking at the intent of the General Assembly in enacting the specific provision of BIPA that created a private right of action. It observed that, when the General Assembly wanted to require actual damages before a private action under a statute could be brought, "it has made that intention clear." The court compared BIPA to the AIDS Confidentiality Act, under which persons "aggrieved" by violations of the statutes or regulations promulgated under the statute could bring a private action for monetary relief without proof of actual damages. 

The court next considered the settled legal meaning of the term, "aggrieved." Citing one of its decisions more than a century old, the court held that "to be aggrieved simply 'means having a substantial grievance; a denial of some person or property right[,]'" and "'[a] person is prejudiced or aggrieved, in the legal sense, when a legal right is invaded by the act complained of or his pecuniary interest is directly affected by the decree or judgment.'" Applying this definition to BIPA, the court found that the General Assembly had codified the right of individuals to privacy in and control over their biometric identifiers and information by imposing requirements on private entities concerning the collection, retention, disclosure and destruction of these identifiers and information. The court further found that "when a private entity fails to comply with one of [BIPA's] requirements, that violation constitutes an invasion, impairment, or denial of the statutory rights any person customer whose biometric identifier or biometric information is subject to the breach," and "such a person or customer would clearly be 'aggrieved' within the meaning of BIPA and entitled to seek recovery[.]"

The court noted that a violation of BIPA's requirements is no mere "technicality." Instead, it held that the injury is "real and significant" and "[t]o require individuals to wait until they have sustained some compensable injury beyond violation of their statutory rights before they may seek recourse ... would be completely antithetical to the Act's preventative and deterrent purposes." 

Takeaways

The Rosenbach decision is significant. Although it may not greatly increase the number of BIPA actions, the Rosenbach decision has made it much more difficult for defendants to challenge those actions at the pleading stage with a motion to dismiss for lack of standing. By finding that BIPA creates substantive rights for individuals to control their biometric identifiers and information through its requirements, the Rosenbach decision enables plaintiffs to establish standing solely by alleging a failure to comply with those requirements. In short, plaintiffs need only allege a procedural violation to satisfy Article III's standing requirement. In light of the increased difficulty in challenging BIPA actions at least at the pleading stage, companies which collect the biometric identifiers and information of Illinois residents should make certain that they are complying with BIPA's requirements to lessen the possibility of facing a lawsuit.      

Five Steps You Need to Know Now to Reduce Risk of a BIPA Action:

  1. Scope and Limit Risk. Confirm if, how and where biometric information is collected, used, stored, and/or destroyed. Companies will need to understand whether their data collection includes biometric identifiers and information, such as fingerprints, retina scans or facial geometry scans. Companies should eliminate unnecessary collection of biometric information and/or consider alternatives.
  2. Provide Notice. Prior to collecting biometric information, ensure that written notice is given to individuals. The notice should include (i) a disclosure that biometric information is being collected; (ii) the purpose for which biometric information is being collected; (iii) where applicable, language that states biometric information will be shared with service providers or other third parties; and (iv) a biometric information retention schedule and guidelines for permanently destroying such information. Companies should also make this policy publicly available, such as in a privacy policy or a biometric information policy.
  3. Collect Written Consent. Obtain written consent from an individual before collecting his or her biometric information.
  4. Develop Data Handling Procedures and Minimum Security Standards. Develop biometric information handling and security guidelines that align with BIPA's requirements and industry best practice along the data lifecycle for notice/consent, collection, access, use, sharing, storing, retention, and destruction.
  5. Train, Train, Train. Provide training to all employees on the collection, use, storage and sharing of biometric information.

* Brent Tuttle is an advisor in our Privacy & Cybersecurity Practice Group

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.