On January 25, 2019, the Illinois Supreme Court issued a unanimous decision in a case interpreting the Illinois Biometric Information Privacy Act (“BIPA”). In Rosenbach v. Six Flags Entertainment Corporation, the court ruled that a plaintiff need not allege the existence of an actual injury or adverse impact to recover for violations of the Act. Rather, the mere violation of BIPA in and of itself is sufficient to allow a plaintiff to recover liquidated damages, attorney’s fees and costs, and even injunctive relief. The court stressed that its ruling would bolster individuals’ privacy rights because “[w]hen private entities face liability for failure to comply with [BIPA] without requiring affected individuals…to show some injury beyond violation of their statutory rights, those entities have the strongest possible incentive to conform to the law and prevent problems before they occur and cannot be undone.” This ruling makes it imperative that companies that “collect, capture, purchase, receive through trade, or otherwise obtain” biometric information understand BIPA’s requirements and the potential for significant liability, especially in the class action context. 

Because of the growing and increasingly commonplace use of biometric information in “financial transactions and security screenings,” Illinois enacted BIPA in 2008 to regulate the “collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.” 740 ILCS 14/5(g) (West 2016). In short, the Act applies to any private entity that collects or uses “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry,” as part of a security/password protocol for identifying individuals and customers.

The Act has two primary operative sections—Sections 15 and 20, the “teeth” of the Act. Section 15 both requires specific actions on the part of private entities and prohibits other actions. The failure to follow its mandates would constitute a violation that could give rise to liability. Specifically, BIPA mandates that private entities must:

  1. Develop, and publish publicly, a written policy that establishes a retention schedule for all biometric information;
  2. Destroy all biometric information whenever the purpose of collecting the information has been satisfied or within three years of an individual’s last interaction with the private entity, whichever occurs first;
  3. Protect from disclosure all biometric information “using the reasonable standard of care within the private entity’s industry”; and
  4. Protect from disclosure all biometric information in a manner that is at least as protective as the manner in which the private entity protects other “confidential and sensitive information.”

BIPA further prohibits private entities from:

  1. Collecting, capturing, purchasing, receiving through trade or otherwise obtaining a person’s biometric information unless the private entity first, and in writing, informs the individual that biometric information is being collected or stored, the specific purpose and length of time for which the biometric information is being collected, stored and used, and receives the individual’s written consent to the collection, use or storage of biometric information, and
  2. Selling, leasing, trading or otherwise profiting from a person’s biometric information.

Section 20 provides BIPA’s enforcement mechanism. It provides that “any person aggrieved by a violation” of the Act shall have a private right of action. It further provides the specific remedies to include $1,000 liquidated damages for any negligent violation of the Act, $5,000 liquidated damages for any intentional or reckless violation of the Act, recovery of reasonable attorney’s fees and costs, and any other relief a court may deem appropriate, including injunctive relief. The Illinois Supreme Court made clear that “the legislature intended [Section 20] to have substantial force.” The creation of a private right of action for “any person aggrieved by a violation” was the focus of the Illinois Supreme Court’s decision in Rosenbach, and its decision resolved a conflict between two prior decisions. See, e.g., Rivera v. Google, Inc., No. 16-cv-02714, 2018 WL 6830332 (N.D. Ill. Dec. 29, 2018) (holding that a plaintiff needs to have suffered an actual injury to sue under BIPA) and In re Facebook Biometric Info. Privacy Litig., No. 15-cv-03747, 326 F.R.D. 535 (N.D. Cal. 2018) (holding that a plaintiff need not allege an actual injury from a violation of BIPA).

The plaintiff in Rosenbach was the mother of a fourteen-year-old boy who purchased a season pass to the Six Flags Great America amusement park outside of Chicago. To activate his season pass, the plaintiff’s son had to submit to a scan of his thumbprint when he arrived at the park. The parties seemingly agreed that Six Flags collected the son’s biometric information in violation of BIPA’s disclosure and consent obligations. Six Flags moved for dismissal, contending that to be an “aggrieved person” under BIPA, a plaintiff must have some actual injury or adverse event. The trial court denied Six Flags’ motion to dismiss, and the appellate court reversed, concluding that a mere “technical violation” of BIPA without an actual injury resulting from that violation does not render an individual an aggrieved person for purposes of the Act.

The Illinois Supreme Court, however, reversed the intermediate appellate court and allowed the lawsuit to proceed. The Court stressed that “an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief.”

The court reasoned that BIPA makes clear “that individuals possess a right to privacy in and control over their” biometric information, and when a private entity fails to comply with BIPA, the violation is “an invasion, impairment, or denial of” that right to privacy. The court emphasized that the Illinois legislature noted that “the full ramifications of biometric technology are not fully known,” and therefore BIPA imposes “safeguards to insure” that individuals’ privacy rights “are properly honored and protected…before they can be compromised.” To this end, BIPA subjects private entities to “substantial potential liability…for each violation of the law whether or not actual damages, beyond violation of the law’s provisions, can be shown.”

The court further stressed that BIPA places on private entities “the strongest possible incentive to conform to the law and prevent problems before they occur and cannot be undone.”

Since Rosenbach, Illinois courts have seen a dramatic rise in the number of BIPA-violation cases filed. The court’s decision in Rosenbach has made it imperative that every private entity that “collects, stores, uses or transmits” biometric information review its policies for doing so and make sure that it is BIPA-compliant. A single violation could result in a large class action involving liability for at least $1,000 for each violation and the plaintiff’s attorney’s fees.