This is the property of the Daily Journal Corporation and fully protected by copyright. It is made available only to Daily Journal subscribers for personal or collaborative purposes and may not be distributed, reproduced, modified, stored or transferred without written permission.

Administrative/Regulatory,
Civil Litigation

Jan. 30, 2019

Illinois high court answers highly litigated biometric law question

Businesses should pay attention to a recent Illinois Supreme Court ruling on the state’s unique biometric privacy law.

Kamran Salour

Partner
Troutman Pepper Hamilton Sanders LLP

Email: kamran.salour@troutman.com

Kamran is a partner in the Consumer Financial Services practice and is a member of the Cybersecurity, Information Governance and Privacy group at Troutman Pepper.

Last week, the Illinois Supreme Court answered a much debated and, consequently, highly litigated question: What constitutes harm under the Illinois Biometric Privacy Act?

Before revealing the answer, it is important to explore BIPA's origins to understand both why this even became a question and why its answer is so important. In 2008, the Illinois Legislature enacted BIPA in response to: (i) the growing use of biometrics in the business and security screening sectors; and (ii) the anticipation of new biometric-facilitated transactions. 740 ILCS 14/5. While the full extent of those biometric-facilitated applications was unknown in 2008 (and remains so today), the Legislature did know that its citizens needed certain safeguards in place to govern the collection, use and storage of their biometric information. After all, biometric information, unlike other unique identifiers such as Social Security numbers, cannot be changed if compromised. 740 ILCS 14/5.

Individuals cannot take steps to safeguard their biometric information if they do not know that their biometric information is being collected, used or stored. The BIPA therefore contains an informed written consent requirement, which mandates that companies obtain an individual's informed, written consent before collecting, using or storing that individual's biometric information. 740 ILCS 14/15. Through informed consent, an individual can decide whether to allow for the collection of his or her biometric information, and if so, by whom.

The act also allows individuals to make another decision: whether to initiate a private right of action against companies that fail to comply with BIPA's requirements. For instance, if a private entity fails to comply with the informed consent requirement, an individual may assert a private right of action against that private entity, and seek a minimum of a $1,000 liquidated damages penalty, per violation, against it. 740 ILCS 14/20. There is a limitation, however: The individual asserting the private right of action must be aggrieved. 740 ILCS 14/20. BIPA does not define "aggrieved," thereby sparking the question of what constitutes harm under the act.

Six Flags and the Rise of BIPA Class Actions

From 2008 through 2015, BIPA remained in relative obscurity. But commensurate with the increasing pervasiveness of biometrics in day-to-day transactions, savvy plaintiffs' lawyers began inundating the courts with putative class action complaints that alleged technical violations of BIPA -- such as a company's collection of an individual's biometric information without first obtaining written consent -- and seeking millions in penalties against that company for those alleged violations.

One such class action came in 2016. Stacy Rosenbach filed a BIPA class action on behalf of her son against Six Flags Entertainment Corporation. No one knew at that time that the Six Flags action would ultimately answer what constitutes harm under the act.

The Six Flags action shares a similar fact pattern to hundreds of putative BIPA class actions. Rosenbach purchased for her son a season pass for an Illinois amusement park. She alleged in her complaint that the amusement park captured, collected and stored her son's thumbprint (i.e., biometric information), which her son used to access his season pass, without first obtaining Rosenbach's consent. Notably, she did not allege that her son's biometric information was lost or compromised.

Six Flags filed a motion to dismiss Rosenbach's complaint. Six Flags argued that to qualify as an "aggrieved" person under the act, Rosenbach must allege that the collection or use of her son's biometric information resulted in some form of actual injury. Because she failed to allege an actual injury, Six Flags argued that Rosenbach could not allege a cause of action. The trial court disagreed with Six Flags and denied Six Flags' motion to dismiss. Six Flags appealed.

The Illinois Appellate Court agreed with Six Flags and reversed. The Appellate Court found that an individual who raises a mere technical violation of the act, without alleging any actual injury, is not an "aggrieved" person under the act, and a person who is not "aggrieved" may not recover under the act. Rosenbach appealed to the Illinois Supreme Court.

The Illinois Supreme Court reversed the Appellate Court. In so doing, the Supreme Court finally answered the question of what constitutes harm under BIPA -- a violation of BIPA. Actual harm is not necessary; a mere technical violation, such as the failure to satisfy the informed consent requirement, is enough to satisfy the "aggrieved" requirement. See Rosenbach v. Six Flags Entertainment Corp., 123186 (Ill., Jan. 25, 2019).

Implications

There are both short-term and long-term implications from the Six Flags decision. In the short term, Illinois state courts will be inundated with more BIPA class actions. There are already approximately 200 pending cases in Illinois based on a similar fact pattern. Undoubtedly, more will follow. An influx of litigation against private entities -- and the removal of the uncertainty of the harm requirement -- will come at a cost to business and to the further immersion of biometric-facilitated applications.

There are also long-term implications. This ruling further crystallizes that individuals have a right to control their personal information. And if a company denies an individual that control, then that denial constitutes a harm to that individual's privacy rights, a harm for which that individual can seek redress. For too long, companies have been able to collect, store and disclose personal information of individuals without their knowledge and thus, without their consent. Often, an individual would only learn that his or her personal information was collected, stored, and disclosed when that information became compromised. Because biometric information cannot be changed if compromised, requiring individuals to wait until after their biometric information becomes compromised to enforce their rights is too little too late. Now, at least in Illinois, individuals have a right to know when their biometric information is being collected, used, or stored -- and an ability to enforce that right when it is denied.
