Fingerprint scans and facial recognition technology have become commonplace thanks to smartphones, yet this type of biometric information is being used in other places as well. Fingerprints have become a replacement for passwords, allowing a user to log into their social media app to post a photograph, or their bank account to transfer money, all from their phone and all with a fingerprint. Biometric information also is being used as a replacement for time cards, allowing employees to clock in and out of work with ease, or even as a form of admission to enter an entertainment venue.
Following the rise of the use of biometric information, the Illinois Legislature passed the Biometric Information Privacy Act (BIPA) in 2008 to provide standards of conduct to help regulate how biometric information is collected, stored and used. Examples of a biometric identifier include a retina or iris scan, fingerprint scan, voiceprint, or hand/face-geometry scan. What makes BIPA all the more powerful is that it allows for a private right of action, permitting an individual who has been “aggrieved” to pursue damages or injunctive relief.
The Illinois Supreme Court gave BIPA even more “punch” in its decision in Stacy Rosenbach, et al. v. Six Flags Entertainment Corporation, released on January 25, 2019, holding that an individual does not need to prove harm to recover; rather, a technical violation of the Act alone is sufficient to constitute standing. Prior to the decision, the Illinois appellate courts had been split on whether an individual had to suffer an actual injury in addition to a BIPA violation to recover under the Act. This new decision will likely pave the way for future lawsuits and allow more individuals to recover for technical violations under BIPA.
The Rosenbach decision can be traced back to 2014, when 14-year-old Alexander visited the amusement park Six Flags on a school field trip. Prior to his visit, Alexander’s mother (Rosenbach) purchased his season pass online. Upon Alexander’s arrival at Six Flags, he had to scan his thumbprint alongside his season pass to serve as his admission into the park. The use of biometric information such as thumbprints makes it easier for individuals to enter the park and provides the park with greater security by preventing patrons from entering the park with someone else’s pass.
According to the complaint, Rosenbach was unaware when she purchased the season pass that Alexander’s fingerprint would need to be scanned and stored. She filed suit on behalf of her son seeking redress, alleging Six Flags violated the Act because it retained biometric information without obtaining written consent, did not disclose what was done with Alexander’s biometric information and failed to disclose how long the information would be stored. Despite the allegations that Six Flags violated BIPA, Alexander did not suffer an actual injury – causing Six Flags to challenge whether Rosenbach had standing to sue.
Section 20 of the Act provides that any person “aggrieved” by a BIPA violation shall have a right of action against the offending party and may recover, for each violation:
- Liquidated damages of $1,000 or actual damages, whichever is greater, against a private entity that negligently violates a provision of the Act
- Liquidated damages of $5,000 or actual damages, whichever is greater, against a private entity that intentionally or recklessly violates a provision of the Act
- Reasonable attorneys’ fees and costs, expert witness fees and other litigation expenses
- Other relief, including an injunction.
The Semantics of “Aggrieved”
The issue central to this case and many other BIPA lawsuits is whether Alexander was “aggrieved” within the meaning of the Act, despite lacking an actual injury. Rosenbach argued that a violation of the Act alone was sufficient to render a party “aggrieved.” Six Flags, by contrast, argued that the meaning of “aggrieved” most consistent with the Act requires actual harm or adverse consequences. The Illinois Supreme Court rejected the Six Flags argument and instead found that a technical violation of the Act alone does in fact meet the definition of “aggrieved.” In doing so, the court reversed the appellate court’s decision, which had held the exact opposite: that actual harm or an adverse effect must be alleged in order for an individual to have standing under BIPA.
In analyzing the word “aggrieved,” the court looked to the AIDS Confidentiality Act, another Illinois statute that, like BIPA, has a private right of action for an “aggrieved” person. Similar to BIPA, the AIDS Confidentiality Act does not contain its own definition of the word “aggrieved.” However, in 2002 it was decided that proof of harm was not required for a person to be “aggrieved” under the AIDS Confidentiality Act. Additionally, in Rosenbach, the court focused on the plain meaning of the word “aggrieved” and found that it meant “having legal rights that are adversely affected.” Therefore, the court reasoned that to require an actual injury in addition to a BIPA violation would depart from the ordinary meaning of the word “aggrieved” and read into the Act conditions that the Illinois legislature did not intend.
Additionally, the court’s reasoning behind the Rosenbach decision focused heavily on the nature of biometric information, which unlike a social security number or password can’t be changed. Specifically, the court explained that the protections afforded by BIPA “are particularly crucial in our digital world because technology now permits the wholesale collection and storage of an individual’s unique biometric identifiers – identifiers that can’t be changed if compromised or misused.” The court further explained that when a BIPA violation occurs, an individual’s injury is already real and significant because that person immediately loses their right to maintain their biometric information. Further, to require that person to wait until he or she sustained an actual injury “would be completely antithetical to the Act’s preventative and deterrent purposes.”
This decision serves as an important reminder that it is imperative for private entities such as Six Flags to develop written policies that will establish a retention schedule and notify individuals how their biometric information will be used and stored. Given how technology evolves at a rapid rate and how quickly biometric information technology has entered everyday use, private entities that employ biometric information technology need to be cognizant of how they are handling individuals’ biometric information to ensure compliance with BIPA. Now that Rosenbach gives an individual the right to pursue damages or injunctive relief on a technical violation alone, businesses must be prepared for the new wave of BIPA litigation.