Illinois Supreme Court: No ‘Actual Harm’ Required for Biometric Information Privacy Act Claims

Ballard Spahr LLP
Contact

The Illinois Supreme Court held on January 25, 2019, that plaintiffs filing suit under the Biometric Information Privacy Act—which regulates how private entities disclose and discard biometric identifiers—do not need actual damages for standing. The decision has serious implications for companies collecting biometric data from Illinois residents.

The Act provides a private right of action to individuals “aggrieved” by any violation, allowing them to seek, among other remedies, liquidated or actual damages, attorneys’ fees, and costs. However, there has been widespread uncertainty as to whether an aggrieved individual asserting a private action under the Act needed to show that he or she suffered an actual injury as a result of an alleged violation, or if a violation of the Act in and of itself conveys standing.

In Rosenbach v. Six Flags Entertainment, Corp., et al., the mother of the 14-year-old plaintiff purchased a season pass to the Six Flags amusement park for her son online. Unknown to the plaintiff’s mother at the time, to activate the pass, her son had to visit the park in person and provide Six Flags a scan of his thumbprint. His thumbprint and the pass, together, allowed him expedited access within the park.

When the plaintiff’s mother learned that Six Flags had scanned her son’s thumbprint, she brought suit, acting on his behalf, alleging—among other things—that Six Flags had violated the Act by collecting and storing biometric data without her consent, failing to inform her of the specific purposes and intended uses of the biometric data, and not getting a written release before obtaining it.

Six Flags moved to dismiss the plaintiff’s claims, arguing, in part, that the plaintiff—who did not allege an actual or threatened injury resulting from the violation—lacked standing. Although the trial court initially denied Six Flags’ motion, the Illinois Court of Appeals agreed with Six Flags: a “technical violation of the Act” was not enough to confer standing; the aggrieved party must, at a minimum, allege that the violation caused plaintiff to suffer an actual injury or adverse effect.

However, the Illinois Supreme Court issued a ruling overturning the appellate court’s decision, holding that “a person need not have sustained actual damage beyond violation of his or her rights under the Act in order to bring an action under it.” The court’s ruling was driven by the state legislature’s stated assessment of the risks posed by collecting biometric data and the difficulty remedying data breaches once they occur. A violation of the Act, therefore, was “no mere ‘technicality,'” as posited by the lower court, but rather resulted in “real and significant” injuries to the aggrieved party.

The court’s ruling may open the door to many more legal challenges that businesses that collect such data have so far resisted. Indeed, the Act already serves as the basis for claims in federal lawsuits around the country. This recent holding will ensure that plaintiffs in those and forthcoming lawsuits can establish standing with mere technical violations.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising

Written by:

Ballard Spahr LLP
Contact
more
less

Ballard Spahr LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.