No Actual Harm Needed to Sue Under BIPA: Illinois Supreme Court Finds Statutory Violation Sufficient
On January 25, 2019, with courts split over what it means to be "aggrieved" under the law, the Illinois Supreme Court resolved the issue in Rosenbach v. Six Flags Entertainment Corp., No. 2019 IL 123186. Plaintiff had filed a putative class action against Six Flags alleging that Six Flags violated BIPA's requirements when the amusement park took her son's thumbprint as part of his purchase of a season pass to the theme park. According to the allegations, neither the plaintiff nor her son were informed of the specific purpose and length of term for which his fingerprint had been collected. Moreover, neither of them signed any written release regarding the taking of the fingerprint, and neither of them consented to the collection or use of that biometric data. Plaintiff sought monetary damages and injunctive relief under the Act but did not allege that her son suffered any actual harm.
The Illinois Supreme Court held that an individual need not allege an actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an "aggrieved" person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act. In so finding, the Court reasoned that "[i]t is clear that the legislature intended for this provision to have substantial force" and that "[w]hatever expenses a business might incur to meet the law's requirements are likely to be insignificant compared to the substantial and irreversible harm that could result if biometric identifiers and information are not properly safeguarded." Moreover, the Court concluded that it would be "completely antithetical to the Act's preventative and deterrent purposes" to require a showing of some compensable injury beyond violation of statutory rights.
In light of the Illinois Supreme Court's ruling, even technical violations of the Act resulting in no actual injury may lead to significant liability for companies. At a minimum, the ruling is likely to cause additional BIPA litigation to be filed. Further, other states may pass biometric legislation with private rights of action. Accordingly, companies will be wise to anticipate potential exposure and, therefore, take the following steps:
- Evaluate the extent to which they collect biometric data from their employees and/or customers;
- If those companies collect such data, develop written policies governing the collection, storage, use, and disposal or destruction of that data; and
- Obtain informed, written consent from their employees and customers.