The Illinois Supreme Court today made it far easier for workers to bring suit against their employers for technical violations of the state’s biometric information privacy statute, putting employers on notice that they must immediately improve their biometric practices in order to avoid the same fate. The long-awaited decision in Rosenbach v. Six Flags Entertainment Corporation means that any time an employer violates the technical aspects of the state statute—even if no specific injury or adverse effect results—their employees have standing to sue them for violations under the Illinois Biometric Information Privacy Act. Illinois employers that utilize biometric information must now be hyper-cautious with regard to the collection, maintenance, transmission, and destruction of this data.
What Does The State Law Say?
Before we dive into the decision, it’s helpful to understand the law at play. The state Biometric Information Privacy Act (740 ILCS 14 et seq.) requires private entities—including employers—that collect or maintain employees’ fingerprints, retinal or iris scans, voiceprints, hand scans, or face geometry to first receive written consent from the employee, and also develop a publicly available policy that establishes the retention schedule for the applicable biometric information. The Act further mandates that the employer destroy biometric information upon the earlier of either of the following circumstances: (1) the initial purpose for collecting the relevant biometric information has expired, or (2) within three years of the individual’s last interaction with the employer.
Employers who collect, maintain, or potentially transmit biometric information must also do so with a reasonable standard of care. Finally, the statute prohibits employers from selling, leasing, or trading any such biometric information for profit.
School Field Trip Leads To Lawsuit
In the summer of 2014, 14-year old Alexander Rosenbach visited the Six Flags Great America amusement park in Gurnee, Illinois on a school field trip. His mother previously purchased a season pass for him online; Alexander presented the pass when he arrived at the park and was required to complete the sign-up process at that time. The park asked him to scan his thumbprint into their biometric data capture system, and his fingerprint was then coupled with his season pass card. This process allows the park to efficiently facilitate the entry process, as season-pass holders simply need to scan their fingerprints to enter.
It was only when Alexander returned home and told his mother about the sign-up process that she learned it involved the collection of biometric data; the park did not provide any paperwork or further information about the specific purpose of the scan, or how long it would retain the fingerprint data. Neither she nor her son signed any sort of written release permitting the taking and the use of the biometric information.
She brought a lawsuit against Six Flags alleging a violation of the Illinois Biometric Information Privacy Act. She was not able to allege that her son was injured or victimized in any sort of tangible way as a result of the violation, however. A state appellate court dismissed the claim because it did not believe a technical violation of the statute, without evidence of some injury or adverse effect, warranted a ruling against the company. She appealed her claim to the state Supreme Court, and today that court reversed the lower court, cleared her case to proceed, and created a rather expansive reading of the statute that should put employers across the state on notice.
State Supreme Court: Individual Does Not Have To Prove Injury To Bring Suit
At issue in Rosenbach was the statutory definition of an “aggrieved” individual, which was not otherwise defined in the Act. Rosenbach’s mother argued that a technical violation of the statute—the mere collection of a fingerprint without requisite notice and authorization, absent any other specific injury—rendered an individual “aggrieved” and therefore conferred the necessary standing under the Act.
Six Flags, on the other hand, contended that a plaintiff must plead and prove actual harm above and beyond the mere base requirements of the Act in order to be entitled to relief. The Supreme Court disagreed with Six Flags and overturned the lower appellate court. It concluded that any time a person’s “legal right is invaded” by a violation of the statute, that person is considered an “aggrieved” individual entitled to bring a claim.
Accordingly, the court said, whenever an entity fails to comply with any of the statute’s requirements, that action constitutes a violation of that person’s rights under the statute. The court concluded by making the following sweeping statement in ruling for the Rosenbach family: “No additional consequences need be pleaded or proved. The violation, in itself, is sufficient to support the individual’s or customer’s statutory cause of action.”
What Does This Ruling Mean For Illinois Employers?
Class actions and other litigation based on alleged violations of the Act have been more prevalent in recent years, and today’s Rosenbach decision will almost assuredly make them more frequent. Following this decision, it is more important than ever to maintain strict compliance with the Act, as the statute carries harsh penalties. A prevailing party is entitled to $1,000 per negligent violation and $5,000 per willful violation, or actual damages, whichever is greater. The Act also provides for attorneys’ fees, costs, and any other relief that a court may deem appropriate.
If you collect any kind of biometric information from your Illinois workforce, you should take this opportunity to consider whether your biometrics collection and retention practices meet the requirements of the Act. You should identify existing relevant policies and, if appropriate, develop and distribute new policies and authorizations that are strictly compliant with the Act.
The Rosenbach decision has demonstrated that employees—including a class of employees—need only meet a minimal threshold in pleading and proving claims under the Act. Implementing the necessary policies and authorizations can allow you to be well-positioned to defend against any potential litigation, and better equipped to handle biometric data.