On Jan. 25, 2019, the Illinois Supreme Court issued a landmark opinion in Rosenbach v. Six Flags Entertainment Corporation, a case brought under the Illinois Biometric Information Privacy Act (“BIPA”). 740 ILCS 14/1 et seq. The court reversed the decision of the Illinois appellate court and held that a plaintiff may bring a lawsuit under BIPA as an “aggrieved” party based upon a defendant’s violation of the statutory requirements of BIPA and without the plaintiff being required to show actual damages.

The court’s decision has important ramifications for the many lawsuits that have already been brought under BIPA and opens the way for plaintiffs to seek BIPA’s liquidated damages and injunctive relief based upon technical violations of the statute.

Background

In Rosenbach, Alexander Rosenbach, a fourteen-year-old child, visited a Six Flags theme park on a school field trip and sought to use an online season pass previously purchased by his mother Stacy Rosenbach. After arriving at the park, Alexander had to complete the sign-up process by scanning his thumb into the park’s biometric data capture system and obtaining a season pass card. Combined, the thumbprint and card enabled Alexander to gain access to Six Flags as a season ticket holder. Neither Alexander nor his mother was ever informed in writing as to the specific purpose and length of term for which Alexander’s fingerprint was collected and no release was ever signed.

BIPA Requirements

Under BIPA, a party who collects “biometric information” (such as fingerprints or retinal scans) must comply with specific statutory requirements, such as obtaining informed consent and having a written policy made available to the public that discloses the party’s retention schedule and guidelines for destroying this information. 740 ILCS 14/15(a)-(b).

For enforcement purposes, BIPA creates only a private right of action for any person “aggrieved by a violation of” the statute. 740 ILCS 14/20. BIPA also provides for reasonable attorneys’ fees, injunctive relief and either actual damages or statutory “liquidated damages” of either $1,000 or $5,000 per violation, depending upon whether the defendant acted negligently or intentionally/recklessly. 740 ILCS 14/20.

The Lawsuit and Appeal

Alexander, through his mother, sued Six Flags and sought liquidated damages stemming from Six Flags’ failure to comply with the notice, consent and written policy requirements of BIPA. Six Flags filed a motion to dismiss, alleging that the plaintiff had not suffered any actual damages, and the mere fact that Six Flags committed a technical violation of BIPA did not suffice for purposes of allowing the plaintiff to maintain his lawsuit as an “aggrieved” party. The trial court denied Six Flags’ motion, but the appellate court reversed, agreeing with Six Flags that a lawsuit is not sufficient and must be dismissed if it merely alleges that a defendant violated the technical requirements of BIPA, without alleging actual damages.

The Illinois Supreme Court received the case on interlocutory review, in order to determine whether an individual is an “aggrieved” party that may seek injunctive relief and statutory liquidated damages against a defendant when the only injury he or she alleges is a violation of a private entity’s requirement to provide specific notice and obtain informed consent prior collecting biometric information.

The Illinois Supreme Court’s Opinion

The court in Rosenbach reversed the opinion of the appellate court and held that a person is “aggrieved” by a private entity where the latter fails to comply with BIPA’s statutory requirements, regardless of whether the plaintiff suffered any actual damages as a result of the violation. In other words, a private entity can be strictly liable for any failure to comply with the statutory requirements of BIPA.

The court reached its ruling by distinguishing between the term “aggrieved” (used in BIPA’s statutory language) and the concept of actual damages. It reasoned that in enacting BIPA, the Illinois General Assembly did not include any language specifically requiring the showing of actual damages as a prerequisite to bringing a lawsuit, unlike other statutes enacted by the assembly that require such damages. Rather, the court found that BIPA was analogous to the Illinois AIDS Confidentiality Act (410 ILCS 305/1 et seq.), which contained similar language and did not require actual damages for purposes of maintaining a lawsuit. Moreover, the court defined the term “aggrieved” as simply meaning that a person has a “substantial grievance,” or the “denial of some personal or property right.” While a person who suffers actual damages would clearly meet this definition, actual damages are not necessary because “[a] person is prejudiced or aggrieved, in the legal sense, when a legal right is invaded by the act complained of…”

The court further noted that its definition of the term “aggrieved” was supported by the purpose of BIPA, which gave individuals a legal right to maintain their biometric privacy, by requiring notice and giving the individuals the power to withhold consent. The court also noted that this statutory right is “particularly crucial in our digital world because technology now permits the wholesale collection and storage of an individual’s unique biometric identifiers – identifiers that cannot be changed if compromised or misused.”  For this reason, the court stated compliance with BIPA “should not be difficult; whatever expenses a business might incur to meet the law’s requirements are likely to be insignificant compared to the substantial and irreversible harm that could result if biometric identifiers and information are not properly safeguarded…” Thus, the court held that Alexander was allowed to maintain his lawsuit through his mother.

Ramifications

The Rosenbach decision is a landmark ruling for biometric privacy rights, allowing a proliferation of lawsuits, which in many cases will be class actions, against BIPA-noncompliant private entities that collect biometric information. The court’s ruling affects all private entities that collect biometric information, including employers (for timekeeping purposes), their scanning vendors and any other entity that seeks to utilize “cutting edge” biometric data-collecting technology.

For this reason, it is imperative that private entities collecting biometric information contact an attorney regarding statutory compliance with BIPA. Taft attorneys are available to consult with businesses and employ best practices regarding BIPA-compliant policies, practices, disclosures and releases.