The collection, use, storage and destruction of biometric identifiers such as fingerprints, voice prints, scans of the hand or face geometry and retina or iris scans, and information derived therefrom, has been fertile ground for data privacy class actions under the Illinois Biometric Information Privacy Act (“BIPA”). Passed in 2008, the BIPA was the first statute to simultaneously regulate biometric data, and afford a private cause of action for violating it. The BIPA requires companies to disclose the collection of biometric data and its purpose, to securely store it, and to obtain written consent.
See 740 ILSC 14/1, §15.
Under the Act, “[a]ny person aggrieved by a violation” is provided a right of action against the “offending party” and “may recover for each violation” the greater of liquidated damages up to $5,000 or actual damages, attorneys’ fees and costs, and injunctive relief. Id. §20. Because plaintiffs are often hard pressed to demonstrate any injury-in-fact, defendants move to dismiss on standing and failure to state a claim grounds. These motions have met with mixed success. Compare McCollough v. Smarte Carte, Inc., 2016 WL 4077108 at *4-5 (N.D. Il. Aug. 1, 2016)(where public locker provider collected customers’ fingerprints to use as keys without obtaining written consent in violation of BIPA, lack of injury-in-fact was fatal under rationale of Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016)) with Patel v. Facebook, Inc., 290 F. Supp. 3d 948, 953-954 (N.D. Cal. 2018) (where social media company captured facial geometry to identify individuals in photographs to “tag” them for identification and profile-linking purposes, court held “the abrogation of procedural rights mandated by BIPA necessarily amounts to a concrete injury.”).
The Illinois Supreme Court recently rejected the argument that a mere technical violation of the BIPA without alleging some injury or adverse effect is fatal to a class action claim. In Rosenbach v. Six Flags Entertainment Corp., --- N.E.3d ---; 2019 WL 323902 (Il. Jan. 25, 2019), defendants, owners and operators of an amusement park, sold season passes that used fingerprints to expedite entry, maximize time in the park spending money, and eliminate lost revenue due to fraud. 2019 WL 323902 *1. Plaintiff class representative claimed that he was neither informed about the specific purpose and term for which his fingerprints were collected nor consented in writing to the storage and use of his biometric identifiers or information. Id. at *2.
The Supreme Court found “untenable” defendants’ construction that plaintiffs must sustain “some actual damage” to make out a BIPA claim. Id. at *5. Case law interpreting “aggrieved” in the State’s Aids Confidentiality Act (410 ILCS 305/1 et. seq.) and in other contexts, and principles of statutory construction, “compel[led] the conclusion that a person need not have sustained actual damage beyond violation of his or her rights under the Act in order to bring an action under it.” Id. The Court reasoned that when a company violates section 15 of the Act, this “constitutes an invasion, impairment, or denial of the statutory rights of any person or customer whose biometric identifier or biometric information is subject to the breach.” This statutory violation, even absent actual harm, infringes on plaintiff’s rights and makes him “aggrieved.” Id. at *6. This is because “an individual’s unique biometric identifiers” “cannot be changed if compromised or misused” and the right to “biometric privacy vanishes into thin air.” Id. The Supreme Court noted that its construction of the Act followed the legislation’s purpose, would give companies “the strongest possible incentive to conform to the law and prevent problems before they occur” and would advance “the public welfare, security and safety.. . . .” Id. at *7.
The Rosenbach decision is a departure from federal standing jurisprudence and reflects an expansive view of what it means to be “aggrieved” under Illinois’ biometric privacy statute. It will greatly encourage consumer protection class actions where no data breach, loss or damage has occurred. Companies doing business in Illinois (directly or through the Internet) that capture biometric data and information, would be well advised to ensure that their disclosure, consent and data security practices, and contractual terms, comply fully with the BIPA.