Rosenbach v. Six Flags: Illinois Supreme Court Interprets Illinois Biometric Privacy Law

Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Jan 25, 2019)

On January 25, 2019, the Illinois Supreme Court reversed the state appellate court’s ruling that a mere technical violation of the Illinois Biometric Information Privacy Act (“BIPA”), 740 ILL. COMP. STAT. 14 (2008), was insufficient to confer standing to sue, and remanded the case to the circuit court for further proceedings.

The Illinois Supreme Court unanimously held that an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under BIPA, in order to qualify as an “aggrieved” person and be entitled to bring a private action under the Act.

Plaintiff Stacy Rosenbach had filed a lawsuit against defendant Six Flags, alleging that it violated BIPA’s requirements under Section 15(b) when Six Flags took her son’s fingerprint as part of his purchase of a season pass to the amusement park.

Section 15(b) requires that a private entity collecting or using a person’s biometric information (1) inform a person in writing that his or her biometric information is being collected, (2) explain the purpose and length of time for which the information will be used, and (3) receive written consent. Section 20 provides a private right of action for “[a]ny person aggrieved by a violation of this Act” to recover damages, legal fees, and other relief.

According to the allegations, neither the plaintiff nor her son was informed of the specific purpose and length of term for which his fingerprint had been collected. Moreover, neither of them signed any written release regarding the taking of the fingerprint, and neither of them consented to the collection or use of that biometric information. Plaintiff did not allege that her son suffered any actual injury or harm and sought monetary damages and injunctive relief under Section 20 of the Act.

Defendant contended, and the intermediate appellate court agreed, that an individual must have sustained some actual injury or harm, apart from the statutory violation itself, in order to have standing to sue under the Act as an “aggrieved” person.

The Illinois Supreme Court, however, viewed the defendant’s challenge to the plaintiff’s right to bring suit as “meritless.” The court found that “principles of statutory construction” compel the conclusion that a person need not have sustained actual damage, beyond violation of his or her rights under the Act, in order to bring action under it. As the term “aggrieved” was not defined in the Act, the court relied on its “settled legal meaning,” established more than a century ago—that “a person is prejudiced or aggrieved in the legal sense, when a legal right is invaded by the act complained of or his pecuniary interest is directly affected by the decree or judgment.” The court also acknowledged that this understanding of the term is consistent with the standard definitions of “aggrieved” found in dictionaries. Merriam-Webster’s Collegiate Dictionary, for example, defines aggrieved as “suffering from an infringement or denial of legal rights.”

The court also found that BIPA conferred upon individuals a “right to privacy in and control over their biometric information.” Accordingly, when a private entity fails to comply with Section 15(b)’s requirements, that violation constitutes an impairment or denial of statutory rights of any person whose biometric information is subject to breach. Thus, the court reasoned, such a person would be “aggrieved” within the meaning of Section 20 and entitled to seek recovery under that provision.

Moreover, the court noted that the state legislature expressly acknowledged that biometrics are unlike other unique identifiers—such as social security numbers, which, if compromised, can be changed—because an individual has no recourse once his or her biologically unique information has been compromised. The court therefore reasoned that requiring individuals to wait until they have sustained injury beyond violation of their statutory rights before they may seek recourse would be “completely antithetical to the Act’s preventive and deterrent purposes.”

The Rosenbach decision has consequences for companies well beyond Six Flags. For example, Facebook has faced lawsuits concerning its use of face recognition technology to identify people in images uploaded to the platform. Facebook may face billions of dollars in fines for a technical violation of the Act even if there was no actual injury or harm to the users. Furthermore, the Rosenbach decision may invite more BIPA lawsuits to be filed, to which companies may respond by taking preventive actions such as implementing biometric data collection and usage policies to ensure compliance with the Act.