The Supreme Court of Illinois (‘the Supreme Court’) issued, on 25 January 2019, its judgment in Rosenbach v. Six Flags Entertainment Corporation, in which it vacated the decision of an appeal court, holding that §20 of the Biometric Information Privacy Act 2008 (‘BIPA’), which provides a right of action to any person ‘aggrieved’ by a violation of BIPA, does not require that person to suffer actual injury or adverse effect (‘the Decision’). The plaintiff in the case alleged that Six Flags’ practice of fingerprinting certain visitors to the Great America theme park, among them her son, violated BIPA, since biometric information and identifiers were collected without obtaining written consent or disclosing a plan for their collection, storage, use, or destruction.
Mary A. Smigielski, Partner at Lewis Brisbois Bisgaard & Smith LLP, told DataGuidance, “The Decision changes the landscape of BIPA litigation. With this ruling, a mere technical violation of BIPA is sufficient to have a right of action under the same […] For example, an employee who used a biometric time clock to punch in and out of work may have had their finger scanned by the clock and their fingerprint stored for moments before the information was converted into an algorithm that cannot be reverse-engineered. The information was secure, and the employee suffered no harm. Nonetheless, if their employer did not obtain consent under BIPA, the employee may now obtain damages.”
In particular, the Supreme Court emphasised that injuries suffered as a result of technical violations of BIPA are “real and significant.” In this regard, it noted that the Legislature had codified individuals’ right to privacy and control over their biometric identifiers and biometric information. Accordingly, the Supreme Court concluded that when a private entity fails to comply with BIPA, that violation constitutes an invasion, impairment, or denial of the affected person’s statutory rights.
Smigielski noted, “The consequences of non-compliance [for businesses] are potentially staggering because BIPA provides for damages of $1,000 for each negligent violation and $5,000 for each intentional violation. For example, a plaintiff’s attorney [may assert] that ‘each violation’ means each punch on a biometric time clock, four times during the day for a non-exempt employee who takes lunch. The more reasonable interpretation is that ‘each violation’ is the one violation per employee for not obtaining consent. However, courts have yet to definitively interpret this provision.”
In support of its findings, the Supreme Court highlighted the distinct risks posed by the use of biometrics, which, it stated, are unlike other unique identifiers that are used to access finances or other sensitive information. For example, the Supreme Court noted that social security numbers, when compromised, can be changed, whereas biometrics are biologically unique to the individual; therefore, once compromised, the individual has no recourse, and is at heightened risk for identity theft.
Kevin J. Angle, Counsel at Ropes & Gray LLP, observed, “The Supreme Court considered a discrete issue; whether the language of BIPA itself, the word ‘aggrieved,’ requires a showing of injury. For complaints filed federally, courts will still have to address whether bare procedural violations of BIPA are sufficient to meet the ‘injury in fact’ requirement for standing under Article III of the U.S. Constitution, which is a separate question. Particularly where plaintiffs knowingly provided their information to defendants, some federal courts have found that plaintiffs could not satisfy that standard. The recent decision in Rivera v. Google went even further, finding no standing even where the plaintiffs did not know that templates of their faces were being made. [Nevertheless,] the Decision is significant, [and] companies collecting biometrics should carefully review the procedures they have in place for notice and consent to minimise the prospect of being challenged for noncompliance.”
RUMER RAMSEY Junior Privacy Analyst