The Illinois Supreme Court ruled on January 25 in Rosenbach v. Six Flags Entertainment Corp. that a plaintiff can allege a violation of rights under the state’s Biometric Information Protection Act (BIPA) even without alleging “injury or damage beyond infringement of the rights afforded them under the law.” The court decided the issue solely as a matter of statutory construction under Illinois law. This decision will have a major impact on a number of pending BIPA lawsuits and is likely to result in increased BIPA litigation given the availability of statutory damages and attorneys’ fees under the law.
The decision is also notable because the question of whether some tangible harm, such as the loss of money, property damage, or bodily harm—separate from a statutory violation—is necessary to bring suit has been central in litigation across the country under various privacy laws. Many of those cases, interpreting the U.S. Supreme Court’s Spokeo, Inc. v. Robins decision, have focused on Article III constitutional standing to sue in federal court, with varying outcomes. Although Rosenbach is not a standing case, it is possible that other courts may embrace its view that “real and significant” injury occurs when statutory requirements designed to protect privacy are not followed.
Biometric Information Protection Act (“BIPA”)
Illinois enacted BIPA in 2008. BIPA regulates the “collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.” BIPA defines “biometric identifiers” to include things like fingerprints as well as voiceprints and iris scans; “biometric information” includes all information that is “based on an individual’s biometric identifier” and “used to identify an individual.”
Under BIPA, before a business can “collect, capture, purchase, receive . . . or otherwise obtain a person’s or a customer’s biometric identifier or biometric information,” it must:
- provide the data subject or the subject’s legal representative with written notice “that a biometric identifier or biometric information is being collected or stored”;
- provide the data subject or the subject’s legal representative with written notice of “the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used”; and
- obtain written consent from the data subject or his or her legal representative.
BIPA provides a private right of action against the offending party for “[a]ny person aggrieved by a violation” of the Act. A plaintiff that prevails under the Act may recover the greater of $1,000 or actual damages for negligent violations of BIPA, or the greater of $5,000 or actual damages for intentional or reckless violations of BIPA. Recovery under BIPA also allows for injunctive relief, reasonable attorneys’ fees, expert witness fees, and litigation costs. While Texas and Washington also have biometric privacy laws, BIPA is the only biometric privacy law in the U.S. with a private right of action.
In this case, the plaintiff sought damages and injunctive relief through a BIPA claim after her son’s fingerprint was collected as part of the season passholder authentication process used by Six Flags Great America amusement park in Illinois for its repeat-entry pass system.
The plaintiff alleged that Six Flags collected her minor son’s fingerprint during a school trip, without first informing her or her son in writing (or any other form) of the purpose of the collection or the length of time the information would be kept. Rosenbach alleged that neither she nor her son signed a written release or consent to the collection.
The Illinois intermediate appellate court, in ruling on questions certified from the trial court, held that the plaintiff was not “aggrieved” under BIPA by a mere “technical violation of the Act,” interpreting BIPA to require some additional injury or adverse effect. The Illinois Supreme Court on interlocutory appeal disagreed and reversed.
Illinois Supreme Court Decision
The Illinois Supreme Court held that the intermediate appellate court’s decision conflicted with the “unambiguous language of the law” and did not interpret the law in a way that was consistent with legislative intent.
The court reasoned that the legislature’s intent had been to confer a private right of action for any violation of the statute. In doing so, the court noted that the legislature did not include any express requirement that plaintiffs allege actual damages beyond a violation of their rights under BIPA, as it has done expressly in other statutes. The court instead pointed to a different Illinois statute that likewise did not require an allegation of actual damages beyond the rights granted in the statute, which Illinois appellate courts had consistently found to create a right of action from a mere violation of the statute.
In addition, the court noted that the word “aggrieved” is not defined in BIPA and, therefore, should be given its “popularly understood” or “settled legal meaning.” Under that construction, the court found that the term has been repeatedly used by Illinois courts in cases where alleged violations of rights are sufficient to support a claim, even absent any additional alleged injury. The court also noted that both a separate Illinois appellate court decision, Sekura v. Krishna Schaumburg Tan, Inc., and a recent federal district court decision, In re Facebook Biometric Information Privacy Litigation, had rejected arguments by defendants that a plaintiff must allege some injury in fact separate from a statutory violation.
Finally, the court emphasized the legislature’s focus on the special nature of biometric information. In passing BIPA, the legislature explained that, “once [biometric information is] compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.” The court clarified that, given the serious implications of a compromise of biometric information, the legislature found it necessary to provide for liability under BIPA without requiring plaintiffs to show injury beyond a statutory violation, which would create “the strongest possible incentive [for entities] to conform to the law and prevent problems before they occur and cannot be undone.” The court added that the defendant’s violation of BIPA was not merely “technical,” as the appellate court so characterized it, but was “real and significant.” The court thus remanded the case to the Illinois circuit court for further proceedings.
The high court’s interpretation of BIPA will likely encourage lawsuits against businesses and employers that use biometric identifiers for consumer or employee authentication. And with potential recovery of at least $1,000 per violation, businesses could be facing substantial liability. BIPA defendants might now focus greater resources on contesting class certification as opposed to litigating injury-in-fact issues. Also, as noted at the outset, while the court’s decision is not direct authority for federal court standing cases, it could be an influential decision for federal court BIPA cases.
The Rosenbach decision also may prompt the Illinois legislature in its current legislative session to continue efforts that were underway in the last legislative session to amend BIPA to create broad exceptions and scale back the seemingly broad biometric privacy rights presently conferred by this law.