White & Case Technology Newsflash

On January 25, 2019, the Supreme Court of Illinois held in Rosenbach v. Six Flags Entertainment Corp. that an "aggrieved" person entitled to seek damages and injunctive relief under Illinois' Biometric Information Privacy Act ("BIPA"),¹ need not allege actual or separate injury beyond a violation of the individual's rights under BIPA.² BIPA, an Illinois state law, is currently the only biometric privacy law that provides the opportunity for a private individual to bring an action in court.³ This holding overturns a lower appellate court decision, and aligns with recent holdings in the Northern District of California.

The Rosenbach case concerns scanned fingerprints used for theme park admission passes. According to the complaint, Six Flags "collects, records and stores 'biometric' identifiers and information gleaned from the fingerprints."⁴ The complaint alleges Six Flags scanned the plaintiff's fingerprint without written consent and did not provide written information regarding the collection, purpose, use and storage of the biometric information, in violation of BIPA section 15, which reads:

"(b) No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first:

(1) informs the subject or the subject's legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored;

(2) informs the subject or the subject's legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and

(3) receives a written release executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative."

The complaint seeks damages and injunctive relief to compel disclosure pursuant to the BIPA requirements and to prohibit further violations.⁵ Pursuant to section 20 of BIPA, "[a]ny person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party." Six Flags moved to dismiss the claims on the grounds that the plaintiff lacked standing because he did not suffer an actual injury and therefore, was not an "aggrieved person."⁶

The trial court denied the defendant's motion to dismiss the claims for damages and injunctive relief. The trial court granted the defendant's motion for interlocutory review only for the question of whether a claimant has standing as an "aggrieved person" who may seek statutory liquidated damages and injunctive relief under section 20 of BIPA, when the only alleged injury is a private entity's violation of BIPA.⁷

The appellate court answered "no", holding that "[i]f a person alleges only a technical violation of [BIPA] without alleging any actual injury or adverse effect, then he or she is not aggrieved and may not recover under any provisions in section 20."⁸ The Illinois Supreme Court reversed, stating that to follow Six Flags' argument and the appellate court's decision that the claimant must have an injury additional to a "technical" violation of BIPA would "disregard" the common meaning of the term "aggrieved" and would interpret the law "in a way that is inconsistent with the objectives and purposes of the legislature."⁹

The Illinois Supreme Court, through statutory interpretation, analyzed the meaning of aggrieved as it pertains to Illinois law, holding that a person is "aggrieved" when an individual's rights have been invaded, infringed, denied or adversely affected.¹⁰ Accordingly, the court stated that BIPA codifies the "right to privacy in and control over [one's] biometric identifiers and biometric information," and if a private entity violates the duties imposed on it under section 15 of BIPA, that noncompliance "constitutes an invasion, impairment or denial of the statutory rights" of the individual whose biometrics have been infringed.¹¹ The court stated that the purpose of the law is to "head off" problems before they occur because the right to maintain privacy to one's biometrics "vanishes into thin air" once an entity fails to uphold its duties under BIPA. Thus, the court stated, the ability to hold entities accountable purely for violation of BIPA's requirements, without the need of additional injury, is inviolable as it facilitates the incentive to comply with BIPA, thereby protecting the public's right to biometric information privacy. The Court states that to hold otherwise "would be completely antithetical to [BIPA's] preventative and deterrent purposes."¹²

This decision has broad implications on a number of pending litigations, potentially affecting 200 or more pending cases, in which individuals contend private entities engaged in a variety of industries have violated their rights to biometric privacy under BIPA.¹³ In addition, the usual class certification hurdle of commonality and predominance—the requirement that members of a class pose common legal and factual questions that predominate over individualized inquiries and can be decided in a single judgment—becomes less of a procedural challenge. Under this ruling, a judge could in theory determine whether an entire class may or may not be "aggrieved" simply based on the manner in which the proposed class members' biometrics were collected.

The BIPA statute provides that the "prevailing party may recover for each violation . . . liquidated damages of $1,000 or actual damages, whichever is greater" if the violating entity is acting negligently.¹⁴ For parties violating BIPA intentionally or recklessly, the liquidated damages increase to $5,000 per violation.¹⁵ A prevailing party may also recover reasonable attorneys' fees and costs as well as other litigation expenses.¹⁶

With the continuous and exponential growth in the use of biometrics in everyday life (e.g., facial and fingerprint scans to unlock personal phones and computers and provide credit card authentication), it is only a matter of time before more states pass similarly strict biometric privacy laws in order to protect consumers. Based on this decision and the potential for additional similar legislation, companies that routinely and deliberately, or even passively, collect biometric information from their consumers may need to reconsider how and when to provide notice and receive consent for collecting and using that information. This should not be viewed as an issue that is limited to technology companies.

¹ The Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (West 2016).
²Rosenbach v. Six Flags Entm't Corp., 2019 IL 123186.
³ See Kochman, Ben, Ill. High Court Sides With Consumers In Biometric Privacy Suit, Law360 (Jan. 25, 2019), https://www.law360.com/cybersecurity-privacy/articles/1122073.
⁴Rosenbach, 2019 IL 123186, 4.
⁵Id. at 11.
⁶Rosenbach v. Six Flags Entm't Corp., 2017 IL App (2d) 170317, 12-13.
⁷Id. at 15.
⁸Id. at 28.
⁹Rosenbach, 2019 IL 123186, 34, 38.
¹⁰Id. at 24-32.
¹¹Id. at 33.
¹²Id. at 37.
¹³ See Kochman, supra note 3.
¹⁴ BIPA, 740 ILCS 14/20.
¹⁵Id.
¹⁶Id.

[View source.]