Disclaimer

The information on this website is presented as a service for our clients and Internet users and is not intended to be legal advice, nor should you consider it as such. Although we welcome your inquiries, please keep in mind that merely contacting us will not establish an attorney-client relationship between us. Consequently, you should not convey any confidential information to us until a formal attorney-client relationship has been established. Please remember that electronic correspondence on the internet is not secure and that you should not include sensitive or confidential information in messages. With that in mind, we look forward to hearing from you.

 Skip to Content

No Actual Harm Needed to Sue Under BIPA: Illinois Supreme Court Finds Statutory Violation Sufficient
January 30, 2019
The Illinois Supreme Court has issued its highly anticipated decision involving the Illinois Biometric Information Privacy Act (740 ILCS 14/1 et seq.) (BIPA), which requires that companies obtain written consent and disclose how they collect, retain, disclose, and destroy biometric identifiers such as retina or iris scans, fingerprints, voiceprints, scans of hand or face geometry, or other biometric information from the public. Making it a hotbed for class action litigation in recent years, the law provides "aggrieved" individuals a private right of action to sue, which if successful, could result in liability up to $1,000 per negligent violation and $5,000 per reckless violations, as well as attorneys' fees and costs and injunctive relief. Given that this is the only biometric statute that provides a private cause of action, BIPA has been at the epicenter of biometric privacy litigation and has led to several other states, including Washington and Texas, enacting similar laws.

On January 25, 2019, with courts split over what it means to be "aggrieved" under the law, the Illinois Supreme Court resolved the issue in Rosenbach v. Six Flags Entertainment Corp., No. 2019 IL 123186. Plaintiff had filed a putative class action against Six Flags alleging that Six Flags violated BIPA's requirements when the amusement park took her son's thumbprint as part of his purchase of a season pass to the theme park. According to the allegations, neither the plaintiff nor her son were informed of the specific purpose and length of term for which his fingerprint had been collected. Moreover, neither of them signed any written release regarding the taking of the fingerprint, and neither of them consented to the collection or use of that biometric data. Plaintiff sought monetary damages and injunctive relief under the Act but did not allege that her son suffered any actual harm.

The Illinois Supreme Court held that an individual need not allege an actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an "aggrieved" person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act. In so finding, the Court reasoned that "[i]t is clear that the legislature intended for this provision to have substantial force" and that "[w]hatever expenses a business might incur to meet the law's requirements are likely to be insignificant compared to the substantial and irreversible harm that could result if biometric identifiers and information are not properly safeguarded." Moreover, the Court concluded that it would be "completely antithetical to the Act's preventative and deterrent purposes" to require a showing of some compensable injury beyond violation of statutory rights.

In light of the Illinois Supreme Court's ruling, even technical violations of the Act resulting in no actual injury may lead to significant liability for companies. At a minimum, the ruling is likely to cause additional BIPA litigation to be filed. Further, other states may pass biometric legislation with private rights of action. Accordingly, companies will be wise to anticipate potential exposure and, therefore, take the following steps:

  • Evaluate the extent to which they collect biometric data from their employees and/or customers;
  • If those companies collect such data, develop written policies governing the collection, storage, use, and disposal or destruction of that data; and
  • Obtain informed, written consent from their employees and customers.
Related Practices
Cybersecurity and Privacy Technology
Related Industries
Technology
©2024 Carlton Fields, P.A. Carlton Fields practices law in California through Carlton Fields, LLP. Carlton Fields publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information and educational purposes only, and should not be relied on as if it were advice about a particular fact situation. The distribution of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship with Carlton Fields. This publication may not be quoted or referred to in any other publication or proceeding without the prior written consent of the firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our Contact Us form via the link below. The views set forth herein are the personal views of the author and do not necessarily reflect those of the firm. This site may contain hypertext links to information created and maintained by other entities. Carlton Fields does not control or guarantee the accuracy or completeness of this outside information, nor is the inclusion of a link to be intended as an endorsement of those outside sites.