On January 25, 2019, the Illinois Supreme Court (“Court”) ruled in Rosenbach v. Six Flags Entertainment Corp. that if an entity that collects, maintains, stores, or transfers biometric data merely fails to comply with statutory requirements when obtaining this information, this alone is sufficient “injury” to allow consumers to sue for damages and injunctive relief. This case underscores the privacy safeguards under the Illinois Biometric Information Privacy Act (BIPA), which carries penalties that could exceed $5,000 per violation. According to the Court, no data breach, wrongful disclosure, or actual injury to the consumer is required for a company to be subject to civil liability under the BIPA. To avoid potentially significant liability, all entities handling information subject to the BIPA should review their policies, procedures, and methods for collecting and storing such data.
The BIPA has been in effect for more than a decade and governs how entities operating in Illinois handle consumer biometric data. It requires these companies to obtain explicit written consent from an individual before collecting any biometric identifiers, such as fingerprints, retinal scans, or face scans. The BIPA allows for “aggrieved” individuals to sue for violations of the Act, which is exactly what Stacy Rosenbach did when she found out that Six Flags had collected her 14-year-old son’s fingerprint, in an effort to streamline park entrance for season pass holders and allegedly without consent or adequate disclosure. The BIPA also requires companies to inform individuals in writing when collecting or storing biometric identifiers and to disclose the specific purpose and duration for which that data is kept.
Six Flags argued that to recover under the BIPA, a plaintiff must sustain an “actual injury or harm” rather than simply allege a “technical violation” of the BIPA. The Court disagreed, explaining that when a company fails to adhere to the statutory procedures, an individual’s right of privacy “vanishes into thin air.” It added, “This is no mere ‘technicality.’ The injury is real and significant.” The statutory violation itself was sufficient; otherwise, consumers would be required to wait until some quantifiable harm occurred, which was not the legislature’s intent when it enacted the BIPA.
The Court also said, “Compliance should not be difficult; whatever expenses a business might incur to meet the law’s requirements are likely to be insignificant compared to the substantial and irreversible harm that could result if biometric identifiers and information are not properly safeguarded.” The ruling could affect the more than 200 similar pending cases. With companies essentially facing strict liability for their statutory violations, more suits are sure to follow.
Alleging actual injury is often a difficult threshold in data privacy cases. Without actual injury, such as a misappropriation of an individual’s personal data, courts struggle to find redressable harm. In Rosenbach, the Court found injury from a statutory violation alone and credited this finding to the uniqueness of biometric identifiers. The Court explained that the procedural protections of the BIPA are especially needed because “technology now permits the wholesale collection and storage of an individual’s unique biometric identifiers—identifiers that cannot be changed if compromised or misused.” The BIPA itself explains, “Biometrics are unlike other unique identifiers that are used to access finances or other sensitive information. For example, social security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.”
The BIPA states, “The full ramifications of biometric technology are not fully known.” As the use of biometric information expands, and new laws are enacted to regulate such use, courts will continue to see cases involving biometric data collection, use, or breaches. The companies behind this technology or using this data need to stay abreast of potential pitfalls, liability, and increasing regulation.