Amongst the flurry of activity in the privacy space recently, there have been two particular trends that businesses need to monitor.
The first is the state by state expansion of what constitutes personal information. A decade ago, most state laws emphasized an individual’s name in conjunction with a Social Security Number, a driver’s license, or some kind of financial account details. Now, at least with respect to breach reporting, state laws encompass insurance details, genetic information, biometrics, and potentially email addresses.
This expansion of what information must be protected has been complemented, some would say, by aggressive prodding by the plaintiffs’ bar to identify a foothold for asserting a claim of damages. Traditional tort law and Article III standing requirements have demanded that there be some articulable economic harm imposed upon the claimant. Because consumers are largely sheltered from any direct financial costs arising from a data breach, it has been difficult for class action plaintiffs to overcome defendants’ challenges that they have any cognizable right to be in court at all.
Privacy Notices and a Private Right of Action
Enter stage left statutory damages and, possibly, the Illinois Biometric Information Privacy Act (BIPA). On Friday, the Illinois Supreme Court released its decision in Rosenbach v. Six Flags, which focused on that threshold question of who can be considered a “person aggrieved by a violation of this Act.” Section 20 (Right of Action) of BIPA states simply that a violation of the Act is sufficient to constitute a claim, provided that the claimant was “aggrieved.” According to the Rosenbach court, an individual is so aggrieved or harmed by a simple violation of the law without any necessary demonstration of economic or other harm.
BIPA Section 15 details the notice, collection, retention, and disclosure requirements and restrictions applicable to an entity in Illinois capturing a person’s biometric information. Chief among these is the requirement for written notice describing what biometric information is collected, for what purposes, accompanied by a written release or consent from the individual. For a host of reasons, biometric identifiers are used to provide a greater degree of assurance that an individual is who they claim to be. This leads many companies to experiment with using biometrics in the employment context, such as clocking into and out of work.
You can see where this is going, right? With potential liquidated damages of $1,000 for negligent violations and $5,000 for intentional or reckless violations, those numbers add up quickly into a tempting pot of gold for the class action bar. The Rosenbach ruling has garnered significant attention because the Illinois Supreme Court declared that, in this context, a claim of not having been provided appropriate notice or having provided proper consent is sufficient to permit the plaintiff class to cross the threshold. The claimants must still prove that the defendant failed to meet its obligations under Section 15, but the fundamental point to watch in the future is whether this novel approach toward standing expands to other jurisdictions and in other contexts.
At the federal level, the US Supreme Court’s 2016 opinion in Spokeo v Robins is widely regarded as holding that plaintiffs cannot rely on ‘mere’ statutory violations, and must still demonstrate a concrete harm before acquiring Article III standing. The Court did not exclude all statutory violations, however, and stated that certain procedural rights granted by statute might still be sufficient to demonstrate harm. Whether the provision of a privacy notice and collection of consent by a business would constitute such a serious procedural right remains to be seen. To most eyes, Rosenbach cannot be squared with Spokeo.
The Rosenbach decision therefore is an important one for businesses to monitor, even without operations in Illinois. Facebook and other firms are defending themselves against BIPA claims in the context of photos and facial recognition technology. More importantly, in other states such as California, there are many laws on the books or in process (such as the California Consumer Privacy Act) that could provide the basis for state law claims when there is a private right of action. Stay tuned.