In a ruling with widespread implications, the Illinois Supreme Court on Friday upheld a consumer’s right to sue companies for collecting biometric data – such as fingerprints and iris scans – without disclosing how such information will be used.
The ruling came after a lawsuit was filed by the family of a teenager whose fingerprints were collected in 2014 when he purchased a season pass to a Six Flags Entertainment Corp. amusement park. The complaint alleged that the practice violated Illinois’s Biometric Information Privacy Act, or BIPA, which has become the focal point for litigation around practices such as tagging photographs on social media websites.
BIPA – perhaps the most closely watched law in the U.S. dealing with the collection and use of biometric data – contains a “notice and consent” requirement, which means companies must obtain a written release from the person whose information is being collected, or their legally authorized representative, and provide in writing the purpose of collecting such information and how long it will be stored. BIPA also provides for a private right of action, allowing individuals to file suit under the law.
In the unanimous ruling, the court held that consumers need only show a violation of the requirements imposed by BIPA and need not prove that they “sustained some actual injury or damage.”
“This is no mere ‘technicality,’” Chief Justice Lloyd A. Karmeier wrote for the court. “The injury is real and significant.”
The Illinois Supreme Court, which overturned an appellate court ruling, looked to the plain meaning of the statute’s language and its legislative history in finding “an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act” in order to seek relief under the statute. Therefore, the court held, the consumer had standing to sue under BIPA, even though the teenager’s family had not alleged actual harm or misuse of the fingerprints such as theft.
The impact of the ruling is significant, especially for big tech companies. Facebook, for instance, is facing a class action for alleged BIPA violations over its collection and storage of its users’ facial geometry data. If successful, Facebook faces fines of $1,000 to $5,000 for each violation, meaning damages could reach into the billions. More than 200 other cases filed under BIPA are currently pending, and with this ruling, the jurisdictional issue is clarified, which will likely open the door to additional lawsuits.
Whether the effects of the Illinois ruling will be felt beyond BIPA litigation is an open question. As previously reported, the federal appellate courts are split over whether there is standing to sue companies in the aftermath of a data breach without a showing of concrete harm or injury. The Third, Fourth, and Eighth Circuits have held an increased risk of future identity theft is insufficient to establish standing, while the Sixth, Seventh, Ninth, and DC Circuits have held to the contrary. The U.S. Supreme Court has declined to weigh in.
The Circuits are focused on whether or not a data breach presents a sufficient risk of future harm, such as credit card fraud or identity theft, to confer standing. Indeed, this was the question the Second Circuit asked itself when it was confronted with alleged BIPA violations in 2017 and found there was no injury. But the Illinois Supreme Court sidestepped this question entirely in finding a mere violation of BIPA was sufficient to confer standing, without wading into the question of whether a consumer must also show a tangible injury, such as misuse or a substantial risk of future harm.
The case is entitled Stacy Rosenbach v. Six Flags Entertainment Corp., No. 123186 (Ill. 2019).