Posted by Post Authored by Peter Danos
In recent years, the United States has seen rapid technological innovations in the biometric field. In fact, biometric technologies have become mainstream in our current society. While many find these innovations advantageous, biometric technologies have simultaneously generated a multitude of privacy concerns. These privacy risks are particularly worrisome when a company or third-party entity uses a person’s unique biometric data.
To address these concerns, Illinois enacted the Illinois Biometric Information Privacy Act (“BIPA”) on October 3, 2008, subsequently codified as 740 ILCS/14 et seq. BIPA forbids the unauthorized collection and storing of biometric data. Biometric data, or information, includes fingerprints, retina or iris scans, voiceprint, and hand/face-geometry scan. Section 16(b) of BIPA explains that if a company or private entity wants to collect an individual’s biometric information, the company must: (1) inform the individual or the individual’s guardian; (2) indicate, in writing, the purpose and length of the collection; and (3) receive written consent from the individual or the individuals. As a result, BIPA prevents a company from profiting off this biometric information. Also, the company must develop and publish a publicly available written policy that establishes a retention schedule and guideline for its destruction.
BIPA also contemplates a vindication process for individuals if a company mishandles their biometric data. Specifically, an “aggrieved” party may pursue damages[1] or injunctive relief. Interestingly, the Act fails to define an “aggrieved” party. This led to the inevitable circuit split within the Illinois Appellate courts as to whether an individual must suffer an actual injury to be considered “aggrieved.” This question was finally answered in Stacy Rosenbach, et al. v. Six Flags Entertainment Corporation, 2019 IL 123186 (Jan. 25, 2019).
In Rosenbach, Plaintiff Rosenbach’s (“Rosenbach”) minor son, Alexander, was scheduled to visit Defendant Six Flags (“Six Flags”) for a school field trip. In anticipation of this trip, Rosenbach purchased a season pass for Alexander online and provided his personal information to Six Flags. Unbeknownst to both Rosenbach and Alexander, Alexander had to complete the sign-in process by scanning his thumb into Six Flag’s biometric capture system. The season pass would then use Alexander’s prints to give him access to Six Flags. Alexander completed the sign-in process upon his arrival at the park and subsequently detailed the process to Rosenbach when he arrived home that night.
Throughout the process, Six Flags neither informed Rosenbach in writing why Alexander’s fingerprints would be taken nor told him how long Alexander’s fingerprints would be collected. At no point did Rosenbach or Alexander sign a written release or consent in writing. Alexander has never returned to Six Flags, yet Six Flags has continued to retain Alexander’s fingerprint data. Rosenbach subsequently filed a three-count complaint, one of which alleged a violation of § 16(b) of BIPA.
It was undisputed that Rosenbach suffered no actual injury.[2] Therefore, Rosenbach’s claim was based on Six Flag’s failure to follow the prescribed statutory protocol found in § 16(b). Six Flags argued that because Rosenbach suffered no actual injury, Rosenbach lacked standing to bring forth the underlying dispute. The court disagreed, finding that no accompanying injury is required for a party to be “aggrieved.”
In reaching its conclusion, the court relied on the statutory construction and standard definition of “aggrieved.” It determined that requiring an actual injury “would be completely antithetical to the Act’s preventative and deterrent purposes.” Therefore, to properly assert standing under the BIPA, the “aggrieved” party is not required to allege actual harm. The party is only required to allege that a company or third party mishandled a plaintiff’s biometric information.
While many people view this holding as a win for privacy law, there is a strong argument to be made that this holding may bring about a floodgate of BIPA litigation. Businesses and companies must be wary if they continue to use people’s biometric information.
[1] The BIPA allows the aggrieved party to recover “liquidated damages of $1,000,” or “$5,000 if an entity ‘intentionally or recklessly’” violated the Act.
[2] The court made it clear that Rosenbach was bringing this suit on behalf of Alexander.
About the Author:
Peter Danos is an associate at Miller Canfield, where is works in the litigation and dispute resolution group. He previously clerked for Judge Charles P. Kocoras in the U.S. District Court for the Northern District of Illinois. Peter graduated from John Marshall Law School in 2018, and he received his bachelors of Biology degree from St. Xavier University – Chicago.