As we previously reported, the Illinois Biometric Information Privacy Act (BIPA) requires individuals and companies to provide notice and obtain consent before collecting or using biometric data. The Act also requires individuals and companies to properly store and dispose of the collected data. Numerous companies have faced class action lawsuits for failing to comply with BIPA’s requirements. In Rosenbach v. Six Flags Entertainment Corp., a mother filed suit against Six Flags for failing to comply with BIPA while collecting her son’s fingerprint upon her child’s entry into one of its amusement parks. At issue in Rosenbach is whether a claimant must suffer an actual injury from an entity’s improper collection or handling of the claimant’s biometric data to qualify as an “aggrieved” party as required by the statute. While we previously reported on Rosenbach’s factual background and an Illinois Appellate Court’s holding that a claimant must suffer an actual injury from an entity’s violation of BIPA to have standing to file suit, the Illinois Supreme Court recently weighed in to reverse that decision.
Now, in Illinois, a company that fails to comply with BIPA while collecting or storing biometric information can be subjected to BIPA’s injunctive relief and significant per-violation liquidated damages provision – even if no party suffered any type of actual injury from the company’s data practices. In 1913, the Illinois Supreme Court held that a person need not suffer an actual harm to be aggrieved in the legal sense. Rosenbach cites its “frequently” used 1913 definition of “aggrieved” in conjunction with supporting dictionary definitions of the term to presume that the Illinois Legislature would have expressly written actual harm language into BIPA if it intended to deviate from the State’s already established definition of “aggrieved.”
Rosenbach emphasizes that because a person’s biometric information cannot be changed, any BIPA violation, regardless of whether it results in actual harm, is “real and significant.” Rosenbach asserts that the Illinois Legislature passed BIPA “to try to head off such problems before they occur.” Therefore, Rosenbach holds that “[t]o require individuals to wait until they have sustained some compensable injury beyond violation of their statutory rights” before filing suit “would be completely antithetical to the Act’s preventative and deterrent purposes.”
Companies in Illinois that use or collect biometric information from customers or employees must take immediate steps to ensure that they are complying with BIPA. At a minimum, this includes preparing a written policy and retention and destruction guidelines, providing the requisite notice, and adopting the appropriate safeguards for storing and transmitting biometric information. Contact your Vorys lawyer if you have questions about complying with BIPA.