As we reported last October, the Illinois Supreme Court was poised to address the question of whether violation of the notice and consent provisions of the Illinois Biometric Information Protection Act (BIPA), without an individual suffering any actual harm, is sufficient to allow a claim under Illinois law.(Read our alert here.)
Last Friday, the Illinois Supreme Court answered with a resounding yes.
In Rosenbach v. Six Flags Entertainment Corp and Great America LLC, a student was required to provide his fingerprints in order to obtain the theme park season pass his mother had purchased for him. In the action brought by his mother, the plaintiffs admitted that they had not suffered any harm, although the mother argued that she would not have bought the pass had she known about the fingerprint requirement. Plaintiffs argued that the theme park’s failure to obtain consent and disclose what would happen with the biometric information was sufficient to bring a claim. On the defendant’s motion, the lower court dismissed the claim with prejudice, and certified the question of whether “a person ‘aggrieved’ by a violation of BIPA must allege “some actual harm.” The appellate court, in a decision surveying both Illinois and federal law, held that the plaintiff must allege some injury or adverse effect.
The Illinois Supreme Court reversed that decision, holding that the invasion of a legal right, even without actual harm, is enough. Citing a 1913 case, Glos v. People, the court recalled the definition of an “aggrieved party,” noting that it defines either a person who has suffered a pecuniary harm or a person who has had “a legal right invaded by the act complained of….” Thus, the court held, “when a private entity fails to comply with one of section 15’s requirements [for consent and disclosure], that violation constitutes an invasion, impairment, or denial of the statutory rights of any person or customer whose biometric identifier or biometric information is subject to the breach.”
Through its decision, Illinois has now waded into the nationwide morass of the law on standing to sue.
A case currently up for certiorari review before the United States Supreme Court may address this matter. In Zappos.com, Inc. v. Stevens, the issue is framed thus: Whether individuals whose personal information is held in a database breached by hackers have Article III standing simply by virtue of the breach even without concrete injury, as the U.S. Courts of Appeals for the Third, Sixth, Seventh, Ninth and District of Columbia Circuits have held, or whether concrete injury as a result of the breach is required for Article III standing, as the U.S. Courts of Appeals for the First, Second, Fourth and Eighth Circuits have held.
In the interim, while the Court decides whether it will take on this issue, we anticipate a surge of cases filed in Illinois state and federal courts under BIPA. As recommended in our initial posting, companies should immediately begin reviewing their internal policies and procedures, in particular appropriate and practical ways to obtain informed consent from employees and customers, as well as insurance coverage for these claims.