Companies that collect and store biometric information from their customers and employees received good news from an Illinois appeals court in late December, a much-needed win in an area that has seen a massive rise in class action filings over the last year. The court in Rosenbach v. Six Flags found that the putative class representative in an action against Six Flags did not allege that he had suffered an actual injury, and thus could not satisfy the “aggrieved person” requirement in the Biometric Information Privacy Act (BIPA). This decision—and BIPA—affects any company collecting biometric data from customers or employees who reside in Illinois, and possibly outside of the state.
Biometric data is information used to identify an individual using that person’s unique biological characteristics. The data is collected using technology such as fingerprint or retina scans or facial recognition software. Government agencies and private companies have collected and used biometric data for a number of purposes, such as to enhance security, track employees, serve as a substitute for paper or electronic tickets, or even to create “virtual” characters on a video game using the physical characteristics of a human player. Only the risks attendant with its collection and storage outnumber the uses for biometric data: unlike a credit card number, if a thief steals a person’s fingerprint, the owner of the print cannot simply alter it to avoid future identity theft. The tail on the risk may be as long as that person’s life.
With these risks in mind, Illinois was the first of a handful of states that have enacted laws to govern the collection and storage of biometric data. The Illinois BIPA statute remains the only one on the books to provide for a private right of action, statutory damages and attorneys’ fees. Naturally, BIPA has become an oft-wielded tool of class action plaintiffs’ lawyers, especially in the last year, and the number of putative class actions under BIPA is growing rapidly.
Companies subject to BIPA’s requirements have grown increasingly frustrated with these lawsuits, because the plaintiffs rarely allege that they have suffered any harm other than the statutory violation. Where defendants find themselves in federal court, they may rely on Spokeo, Inc. v. Robins, a 2016 US Supreme Court opinion holding that a naked statutory violation alone is not enough to confer Article III standing. (Note, however, that many courts have found that the invasion of privacy or a minor waste of time, for example, may satisfy the requirement of actual harm, and at least one federal court has indicated that the nature of the underlying biometric data may be so valuable as to render Spokeo’s holding inapplicable.)
In state court, where Article III of the Constitution does not control, defendants often assert a similar defense, citing to the language of BIPA rather than the Constitution. BIPA requires a plaintiff to be an “aggrieved person,” arguably meaning that the grievance must be in addition to the violation of the letter of BIPA.
Federal and state courts alike have tended to deny motions to dismiss brought by defendants arguing that the plaintiffs failed to allege actual harm, or that they were “aggrieved” under BIPA. In December 2017, however, the Illinois Appellate Court for the Second District overruled a trial court and dismissed a putative class action because the plaintiff did not allege an actual injury under BIPA.
In Rosenbach v. Six Flags, 2017 IL App (2d) 170317 (Ill. App. Ct. Dec. 21, 2017), the plaintiff alleged that Six Flags collected his fingerprints when it issued him a season ticket pass to its amusement parks. Six Flags allegedly violated BIPA because it failed to obtain the consent of, or disclose to, the plaintiff (or his parents) before it collected the plaintiff’s biometric information. Six Flags argued that even if the allegations were true, the plaintiff did not suffer any injury from the BIPA violations, and therefore was not an aggrieved person under the statute.
The Rosenbach decision is certainly good news for companies collecting, storing and using the biometric data of their customers and employees. That said, plaintiffs’ lawyers have managed to find ways to plead around deficiencies such as those identified in this case, and not all courts will follow the reasoning of this Illinois appellate court. The best defense against BIPA actions, like many statutory actions, is to avoid being an easy target by implementing a robust and transparent compliance program around the collection, storage, and use of biometric data.