Biometric data refers to a physical characteristic that allows the establishment and verification of a person’s identity. The most common forms of biometric data are fingerprints, retinal and face recognition scans and voice recognition. Unlike a password, biometric data is intrinsically unique to an individual. Companies collect the data, extract it and store it, and from that point forward are able to compare it with any future scan to verify the individual’s identity. But the two fundamental weaknesses of all identity privacy techniques likewise apply to biometric data: (1) must the entity collecting the data explain the purpose and use of the biometric data, and (2) what if your biometric data is misappropriated?
To deal with these issues, three states have thus far passed biometric privacy statutes – Illinois, Texas and Washington – with more states in the process of enacting similar laws. As the first law of its kind passed in the nation, the Illinois Biometric Information Privacy Act (“BIPA”) (740 ILCS 14/1 et seq. (West 2016)), restricts how private entities may collect, retain, disclose and destroy biometric identifiers. Specifically, BIPA requires entities collecting biometric data to provide written notice and obtain consent from individuals providing the data. BIPA is distinguished from other biometric laws because it allows a person “aggrieved by violation of the Act” to sue for statutory or actual damages, attorney fees and injunctive relief.
In January 2019, BIPA was the subject of a groundbreaking decision on whether violations of the Act were actionable in the absence of “actual harm.” In Rosenbach v. Six Flags Entertainment Corporation, 2019 IL 123186 (Jan. 25, 2019), the Illinois Supreme Court said they were. The Court reversed the appellate court and held that a plaintiff may seek statutory damages under BIPA even without alleging actual injury or any adverse effect beyond a technical violation of the Act.
The defendant Six Flags uses a fingerprinting process for repeat-entry pass holders. The system scans biometric data, then records and stores it so Six Flags can quickly verify customers’ identities. Rosenbach’s son obtained a season pass, which required him to have his thumbprint scanned. Neither Rosenbach, a minor, nor his parent was notified in advance that biometric data was necessary to obtain a pass. Six Flags also did not publish information about where and how the data were stored, for how long, whether they were used for other purposes, or how they were destroyed. Finally, plaintiff had not consented to providing biometric data and did not sign any waivers.
The 3-count complaint alleged that Six Flags violated BIPA because it failed to follow the statutory protocols requiring informed consent and written waivers. The complaint also sought injunctive relief and asserted a common law claim for unjust enrichment. In the trial court, Six Flags successfully moved to dismiss the complaint on grounds that plaintiffs suffered no actual or threatened injury and therefore lacked standing to sue. The Illinois Appellate Court affirmed the dismissal and the Illinois Supreme Court granted leave to appeal.
In reversing the dismissal, the Court took an expansive view of BIPA based exclusively on principles of statutory construction. The Court described Six Flags’ position that the statute requires proof of actual injury as “untenable” because no such requirement was expressly stated in the statute. The Court also rejected the argument that “aggrieved” could only mean actual injury because in the Court’s view the term “aggrieved” can also include infringement of a legal right. The Court also referred to legislative comments in which the General Assembly described the ramifications of biometrics as concerning and unknown. The Court reasoned that the broad statutory language was a result of the General Assembly’s assessment of the broad risks of biometrics, the desire to remedy such risks, and the difficulty of providing meaningful recourse once data has been compromised.
Rosenbach is notable as the first decision of its kind in the biometrics arena, and its approval of the potential of statutory damages and attorney fees without proof of actual injury will inspire increased class action filings. Its broader impact may be limited, however, by the fact that Rosenbach involves an Illinois court interpreting an Illinois statute. As other states enact comparable statutes, whether the Rosenbach rationale will be adopted by courts interpreting such statutes remains to be seen. That said, Rosenbach is consistent with other decisions that have weakened the standing requirement in privacy cases, especially decisions applying Illinois and California law. (See, e.g., Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015); Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010).)
Also, Rosenbach was decided on the pleadings, and the Court’s holding was merely that failure to allege actual harm did not warrant dismissal. Whether class action plaintiffs will be able to establish class certification, liability and damages under BIPA are all issues for another day.