The Illinois Supreme Court has ruled that individuals need not allege actual injury or adverse effect, beyond a violation of his or her rights under the Illinois Biometric Information Privacy Act (BIPA), in order to qualify as an “aggrieved” person and be entitled to seek liquidated damages, attorneys’ fees and costs, and injunctive relief under the Act. Rosenbach v. Six Flags Entertainment Corp. et al., No. 123186 (Jan. 25, 2019).
Potential damages can be substantial, as the BIPA provides for statutory damages of $1,000 per negligent violation or $5,000 per intentional or reckless violation of the Act. To date, no Illinois court has interpreted the meaning of “per violation,” but the majority of BIPA suits have been brought as class actions seeking statutory damages on behalf of each individual affected.
Following this significant decision from the Supreme Court, companies that have not already done so, should immediately take steps to comply with the statute. These steps should include reviewing their time management, point of purchase, physical security, or other systems that obtain, use, or disclose biometric information against the requirements under the BIPA. (Biometric information is any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry used to identify an individual.) If there are technical or procedural gaps in compliance, they should be remedied quickly. Examples of such gaps include not providing written notice, obtaining a release from the subject of the biometric information, obtaining consent to provide biometric information to a third party, or maintaining a policy and guidelines for the retention and destruction of biometric information. For additional information on complying with the BIPA, please see our BIPA FAQs.
In reversing and remanding the case, the Illinois Supreme Court held:
The duties imposed on private entities by section 15 of the Act (740 ILCS 14/15) regarding the collection, retention, disclosure, and destruction of a person’s or customer’s biometric identifiers or biometric information define the contours of that statutory right. Accordingly, when a private entity fails to comply with one of section 15’s requirements, that violation constitutes an invasion, impairment, or denial of the statutory rights of any person or customer whose biometric identifier or biometric information is subject to the breach. Consistent with the authority cited above, such a person or customer would clearly be “aggrieved” within the meaning of section 20 of the Act (740 ILCS 14/20) and entitled to seek recovery under that provision. No additional consequences need be pleaded or proved. The violation, in itself, is sufficient to support the individual’s or customer’s statutory cause of action.
The Supreme Court’s decision is likely to increase the already significant number of suits, including putative class actions, filed under the BIPA. In the words of the Illinois Supreme Court, “[c]ompliance should not be difficult; whatever expenses a business might incur to meet the law’s requirements are likely to be insignificant compared to the substantial and irreversible harm that could result if biometric identifiers and information are not properly safeguarded; and the public welfare, security, and safety will be advanced.”