Bad News for Companies in Illinois Using Fingerprints, Voice Scans, and Other Biometric Information: Plaintiffs Need Not Show Harm Beyond Alleging a Violation under the Illinois Biometric Information Privacy Act (the “BIPA”)
Many businesses collect and store biometric information for a myriad of reasons, including, for example, verifying the accuracy of time cards for employees of manufacturers and restaurants to ensure accurate payment of wages, or simply to ease the consumer’s ability to purchase a product or a service. The BIPA specifically regulates those businesses’ required notice to the employee or consumer before collecting such data and further prescribes what can or cannot be done with the information and the eventual destruction of the information. Until this month, however, the courts in Illinois were split on whether a private party must have suffered an actual injury prior to bringing suit for a technical violation of the Act.
Reversing the lower court decisions discussed in our alerts from December 2017 and October 2017, on January 25, 2019, the Illinois Supreme Court in Rosenbach v. Six Flags unanimously held that under the BIPA a plaintiff need not allege any actual injury or adverse effect from a violation of the BIPA, just that the defendant violated the plaintiff’s rights to notice and consent about the collection, storage, and disposal of fingerprints, voice prints, face scanning, iris scanning and many other individual biometric identifiers under the BIPA. Now, without having to allege any concrete injury (e.g., misuse or wrongful disclosure) from a company’s failure to comply with statutory notice and consent requirements regarding the protection of biometric information, a prevailing plaintiff may recover liquidated damages of $1,000 or actual damages (whichever is greater) for each negligent violation and $5,000 or actual damages (whichever is greater) for each intentional or reckless violation plus reasonable attorneys’ fees and costs and other relief, including injunctive relief. Not surprisingly, the Illinois Supreme Court’s decision on the BIPA is seen as a boon to plaintiffs’ class action attorneys and a blow to employers and companies who use biometric information for security, attendance and other purposes.
The Six Flags Great America Amusement Park in Gurnee, Illinois, used a fingerprinting process when issuing repeat passes to the park. As alleged in the complaint, Six Flags’ system scans the pass holders’ fingerprints and collects and stores these “biometric identifiers” so that a customer’s identity can be easily verified at the time of a subsequent visit before entering the park.
In May or June 2014, the plaintiff’s son visited the park and was asked to scan his thumb into Six Flags’ biometric capture system before receiving a season pass. The complaint alleged that neither the son nor his mom signed any written release before providing the thumbprint. The plaintiff also alleged that the son did not consent in writing to the collection, storage, or use of the son’s thumbprint and that Six Flags did not publicly disclose what was done with the information and how long the information would be kept. Finally, the complaint alleged that Six Flags did not have any written policy made available to the public that discloses the defendant’s retention schedule or guidelines for retaining and then later destroying the information from their system, all of which the complaint alleged were required by the BIPA.
The trial court refused to dismiss two counts of the complaint, which sought damages and injunctive relief under the Act. Six Flags sought an immediate interlocutory review of the circuit court’s ruling. The appellate court agreed to consider whether the plaintiff and her son were “aggrieved person[s]” under Section 20 of the Act entitled to seek (a) damages and (b) injunctive relief even when the only injury alleged is a violation of Section 15(b) of the BIPA by a private entity who collected his biometric identifiers and/or biometric information without providing him the required disclosures and obtaining his written consent as required by Section 15(b) of the BIPA. The appellate court held that the plaintiff was not “aggrieved” within the meaning of the BIPA solely because a defendant violated the aspect of the law without showing some additional injury or adverse effect from the technical violation. The appellate court’s decision in the Six Flags case directly conflicted with a decision from the Illinois Appellate Court, First District.
Supreme Court’s Ruling
In Rosenbach, the Illinois Supreme Court held that even though the BIPA referred to an “aggrieved person” in the section on who can sue under the BIPA, the legislature clearly intended that a plaintiff did not need to allege more than that the defendant violated the BIPA. “The violation, in itself, is sufficient to support the individual’s or customer’s cause of action.” In addition to its textual analysis, the Court also found that policy reasons supported its decision. “Compliance should not be difficult; whatever expenses a business might incur to meet the law’s requirements are likely to be insignificant compared to the substantial and irreversible harm that could result if biometric identifiers and information are not properly safeguarded; and the public welfare, security, and safety will be advanced.”
Impact of Ruling
The short-term impact of the Court’s ruling is that the numerous class actions s lawsuits filed in the past year under the BIPA will continue to go forward. Businesses sued in these actions now have diminished defenses. Because Illinois is the only state that allows such a private right of action with such substantial penalties against companies which fail to comply with the BIPA’s technical requirements, it will continue to attract lawsuits against national companies using biometric information in their operations here. As the use of biometric information grows in Illinois, these class actions will continue to proliferate. Whether this expansion of BIPA’s reach will deter business from coming to Illinois or using biometric information here is anyone’s guess. For now, though, any business in Illinois that utilizes biometric information in its operations for attendance, customer usage tracking or other purposes will need to re-examine their compliance with all aspects of the BIPA if they hope to avoid becoming the next target of a class action lawsuit.
The policy reasons behind the BIPA may be revisited in upcoming legislative initiatives designed to align Illinois with other states’ biometric privacy laws, which only allow the states’ attorney generals to bring such claims. The Illinois Supreme Court can only interpret and apply the BIPA as written, it cannot “read into the statute conditions or limitations the legislature did not express, and interpret the law in a way that is inconsistent with the objectives and purposes the legislature sought to achieve.” For those businesses collecting biometric information in Illinois, much care will needed to properly navigate BIPA’s obligations.
Clark Hill has experience drafting biometric policies, providing guidance in compliance with the BIPA and, if necessary, litigating disputes alleging violations of the BIPA. Please contact Paul Starkman, Dan Graham, Tim Herman or Pam Leichtling if you have further questions.