On January 25, 2019, the Illinois Supreme Court handed down its highly anticipated decision in Rosenbach v. Six Flags Entertainment Corp., et al., Case No. 123186 (IL). The appeal addressed the question of whether a plaintiff may seek liquidated damages ($1,000 for a "negligent" violation or $5,000 for an "intentional or reckless" violation) under the Illinois Biometric Information Privacy Act ("BIPA" or the "Act"), 740 ILCS 14/1, et seq. (West 2016), despite no proof of actual injury or damage arising from the violation. The Illinois Supreme Court has now answered this question in the affirmative, holding that a technical violation of BIPA, without more, is "in itself sufficient to support the individual's or customer's statutory cause of action" and "[n]o additional consequences need be pleaded or proved." Rosenbach, case No. 123186 at ¶33.
BIPA mandates that before a private entity can collect any person's biometric identifier or information, they must first inform that person or that person’s representative, in writing that:
- Biometric information is being collected or stored; and
- The specific purpose and length of time of which the biometric identifier or information is being collected.
The entity must then obtain a written release executed by the person or their legally authorized representative. 740 ILCS 14/15. While a number of other states, such as Texas and Washington, have similar statutes, Illinois' Act is unique in that it is currently the only state biometric privacy statute that affords a private right of action and liquidated damages for violations. Id. at §20.
In Rosenbach, the Plaintiff alleges that that defendant, Six Flags, violated BIPA when, without providing the requisite written notice or obtaining consent, it collected and stored the fingerprint of plaintiff’s minor son in order to activate the minor's season pass for the theme park. Plaintiff does not allege that any tangible harm or injury resulted from the fingerprint collection.
The trial court initially held that plaintiff had standing to proceed with the suit. On appeal, the Illinois Appellate Court reversed, holding that there is no standing to proceed based solely on a defendant's violation of the Act, and that, while the injury need not be pecuniary, "it must be more than a 'technical violation of the Act.'" Rosenbach, case No. 123186 at ¶15. The Illinois Supreme Court has now weighed in, siding with the trial court.
The high Court's ruling turns on the court's interpretation of BIPA's private right of action provision, which states that "any person aggrieved by a violation of this Act shall have a right of action in a State circuit court…" (740 ILCS 14/20) (emphasis added). Because BIPA does not define "aggrieved," the court relied on basic principles of statutory construction and the common meaning of the term to conclude that to be "aggrieved" by a violation of BIPA requires merely that one's "legal right is invaded." Rosenbach, Case No. 123186 at ¶30 (i.e., that one's rights are "adversely affected" (Id. at ¶31)). Based on this interpretation, the court concluded that "[w]hen a private entity fails to adhere to the statutory procedure…the precise harm the Illinois legislature sought to prevent is then realized…The injury is real and significant." Rosenbach, Case No. 123186 at ¶34.
This new ruling will undoubtedly open the floodgates to litigation based on technical violations of the Illinois Act; more than 200 suits already filed in Illinois based on BIPA are likely to now move forward, and more will surely follow. Thus, any retailer or other business - big or small - that does business in Illinois and collects any biometric identifiers or information from its customers or employees (including "retina or iris scans, fingerprints, voiceprints, scans of hand or face geometry, or biometric information") should proceed with caution and ensure that they are in full compliance with all of BIPA's requirements. Companies may also want to consider incorporating class action or class arbitration waivers into any customer agreements to help mitigate against future class claims for BIPA violations. While such waivers would not bar a BIPA claim altogether, they may prevent the aggregation of claims and limit the company's overall exposure for such violations.