As 2017 drew to an end, we noted the continuing flood of Illinois biometric privacy suits filed over the past year. There are literally dozens of cases pending, most in Illinois state courts, alleging violation of Illinois’s Biometric Information Privacy Act (BIPA), which regulates the collection, retention, and disclosure of personal biometric identifiers and biometric information. The suits initially targeted the use of biometrics on social media platforms, but, perhaps reflecting the increased use of biometrics in the workplace, have increasingly been asserted against businesses that collect biometric data to authenticate customers or employees.
While federal courts have weighed in on whether litigants have standing for asserting procedural violations of BIPA, it was not clear if mere procedural violations of BIPA’s consent and data retention requirements, without any showing of actual harm or data misuse, were actionable under the statute (i.e., whether persons pleading procedural violations are “aggrieved” under the statute, as BIPA expressly provides that “any person aggrieved by a violation” of the BIPA may pursue money damages and injunctive relief against the offending party).
As the year came to a close, an Illinois appellate court may have cooled the New Year’s Eve celebrations of BIPA class action lawyers a bit, as the court issued a decision which could provide defendants with a shield against BIPA suits. The court ruled that if a party alleges only a technical violation of BIPA without alleging any injury or adverse effect, then such a party is not “aggrieved” under the Act and may not seek remedies (i.e., monetary damages or injunctive relief). (Rosenbach v. Six Flags Entertainment Corp., No. 2-17-0317, 2017 IL App (2d) 170317 (Ill. App. Dec. 21, 2017)).
In Rosenbach, plaintiff brought a putative class action against theme park operators for fingerprinting season-pass holders allegedly without properly obtaining written consent and without properly disclosing their plan for the collection, storage, use, or destruction of the biometric identifiers or information, in violation of BIPA. Plaintiff did not allege any actual injury or data misuse, but only that she would not have allowed her son to buy a pass had she known about such fingerprint collection.
The trial court denied Six Flags’ motion to dismiss but later certified two questions to the appellate court relating to whether a “person aggrieved by a violation of [the] Act” must allege some actual harm. In answering the questions, the court found that a “person aggrieved” by such a violation must allege some actual harm, rejecting the plaintiff’s position that a mere technical violation of the Act is sufficient to render a party “aggrieved” (though, the court did hold that an injury or adverse effect need not be pecuniary).
“[I]f the Illinois legislature intended to allow for a private cause of action for every technical violation of the Act, it could have omitted the word ‘aggrieved’ and stated that every violation was actionable. A determination that a technical violation of the statute is actionable would render the word ‘aggrieved’ superfluous. Therefore, a plaintiff who alleges only a technical violation of the statute without alleging some injury or adverse effect is not an aggrieved person under…the Act.”
In ruling for Six Flags, did the Rosenbach court put an end to the roller coaster ride of BIPA class actions over procedural violations? Perhaps, for now. While the Second Circuit and some other federal courts have dismissed BIPA suits over a lack of standing under Spokeo, this is the first time an Illinois appellate court has weighed in on the meaning of an “aggrieved” party under BIPA. This one-two punch will certainly empower BIPA defendants to seek dismissal of suits that allege mere procedural violations of the statute and will likely affect the ongoing biometric privacy litigation in California courts against social media platforms over photo tagging practices. However, following similar strategies in data breach litigation, plaintiffs’ lawyers will undoubtedly in the future seek new angles to pleading a concrete harm under BIPA that can survive a motion to dismiss. Thus, it seems clear that biometrics-related litigation will continue to be active in 2018 and we will continue to monitor and report on developments as it evolves.