United States: The Risk Of Using Fingerprints: Illinois Supreme Court Issues Landmark Ruling Interpreting The Illinois Biometric Information Privacy Act

In its first ever ruling concerning the state's Biometric Information Privacy Act ("BIPA"), Illinois Supreme Court held that a person need not have sustained actual damage beyond technical violations of BIPA in order to pursue claims for damages.  The Illinois Supreme Court's ruling will likely greatly increase the potential exposure for companies in actions alleging violations of the Act, and makes strict compliance with the Act significantly important.

For businesses in Illinois (and potentially in states with similar statues), the ruling in Rosenbach v. Six Flags Entertainment Corp., No. 123186, 2019 Ill. Lexis 7 (Ill. Jan. 25, 2019) serves as a loud warning shot that they must immediately take steps to strictly comply with BIPA's requirements, or risk facing costly class action litigation.  There have been approximately 200 class action cases filed to date, and filings have increased exponentially since the Illinois Supreme Court's ruling.  Since the decision in Rosenbach, approximately 75 additional class action cases have been filed at a rate of approximately 5 additional cases per day. 

As stated by the Illinois Supreme Court, "[w]hatever expenses a business might incur to meet the law's requirements are likely to be insignificant," in light of the potential for "liability for failure to comply with [BIPA's] requirements."  Id. at *21.

BIPA Background

Despite being more than a decade old, BIPA litigation was rather stagnant for its first ten years, until a flurry of lawsuits were filed under this cause of action in 2018.  BIPA prohibits an entity from collecting, capturing, purchasing or otherwise obtaining a person's "biometric identifier" or "biometric information," unless it satisfies certain notice, consent, and data retention requirements.  At the time BIPA was passed into law, the thought of an entity utilizing fingerprint or facial recognition for employee identification was typically reserved for high-net-worth entities or those with dire need for added levels of security.  But in today's commerce, businesses small and large across nearly every industry are using fingerprint or facial recognition for both employee and customer identification.

BIPA outlines several requirements for the collection and use of biometric information by private entities. Private entities collecting a person's biometric information musty (1) inform the person in writing that his or her biometric information is being collected; (2) explain the purpose and length of time for which the information will be used; and (3) receive written consent.

BIPA also creates a limited right of action for "person[s] aggrieved by a violation" of its terms. A "person aggrieved" by a negligent violation of BIPA may recover "liquidated damages of $1,000 or actual damages, whichever is greater."  A "person aggrieved" by an intentional or reckless violation of BIPA may recover "liquidated damages of $5,000 or actual damages, whichever is greater."

The Illinois Supreme Court's Decision

Since 2014, Defendants, operators of an amusement park in Illinois, have used a fingerprinting process when issuing repeat-entry passes to the park.  Id. at *2.  Plaintiff alleged that this system scans pass holders' fingerprints; collects, records and stores biometric identifiers and information gleaned from the fingerprints; and then stores that data in order to quickly verify customer identities upon subsequent visits by having customers scan their fingerprints to enter the theme park.  She further alleged that in 2014, while the fingerprinting system was in operation, her 14-year-old son visited the amusement park on a school field trip, where his thumbprint was used to gain access as a season pass holder.

Plaintiff filed a three count complaint alleging Defendants violated BIPA by: (1) collecting, capturing, storing, or obtaining biometric identifiers and biometric information from Plaintiff's son and other members of the proposed class without informing them or their legally authorized representatives in writing that the information was being collected or stored; (2) not informing them in writing of the specific purposes for which Defendants were collecting the information or for how long they would keep and use it; and (3) not obtaining a written release executed by Plaintiff, her son, or members of the class before collecting the information.  Id. at *6.

The Illinois Supreme Court held that a person need not sustain actual damages to qualify as "aggrieved" under BIPA as necessary to sustain a cause of action under the Act.  Id. at *16.  Rather, "[a] person is prejudiced or aggrieved, in the legal sense, when a legal right is invaded by the act complained of or his pecuniary interest is directly affected by the decree or judgment."  Id.  Accordingly, based on this construction, the Illinois Supreme Court held that a when a private entity fails to comply with one of BIPA's Section 15's requirements, that violation constitutes an invasion, impairment, or denial of the statutory rights of any person or customer whose biometric identifier or biometric information is subject to the breach.  Id. at *17-18.  Further, it opined that "[n]o additional consequences need be pleaded or proved. The violation, in itself, is sufficient to support the individual's or customer's statutory cause of action."  Id. at *18.

Further, the Illinois Supreme Court explained that BIPA vests in individuals and customers the right to control their biometric information by requiring notice before collection and giving them the power to say no by withholding consent.  Id.   It explained that these procedural protections are particularly crucial in our digital world because technology now permits the wholesale collection and storage of an individual's unique biometric identifiers—identifiers that cannot be changed if compromised or misused.  Id. at *18-19 (citations and quotation marks omitted).  The Illinois Supreme Court further opined that "[w]hen a private entity fails to adhere to the statutory procedures, as [D]efendants are alleged to have done here, the right of the individual to maintain [his or] her biometric privacy vanishes into thin air. The precise harm the Illinois legislature sought to prevent is then realized.  This is no mere 'technicality.'  The injury is real and significant."  Id. at *19 (citations and quotation marks omitted).

The Illinois Supreme Court concluded its opinion by holding that contrary to the Appellate Court's view, an individual need not allege some actual injury or adverse effect beyond violation of his or her rights under the Act in order to qualify as an "aggrieved" person and be entitled to seek liquidated damages and injunctive relief pursuant to BIPA.  Id. at *22. 

What This Means For Businesses

The decision will make it significantly easier for individuals to assert causes of action and seek damages for mere non-compliance with BIPA's requirements – absent any allegations of harm or injury.  In that regard, the decision makes it of the utmost importance that companies take strict measures to comply with BIPA's requirements.  As stated by the Illinois Supreme Court, "[w]hatever expenses a business might incur to meet the law's requirements are likely to be insignificant," in light of the potential for the significant "liability for failure to comply with [BIPA's] requirements."  Id. at *21.  Moreover, class action filings under BIPA have increased exponentially since the Illinois Supreme Court's ruling, further opening the litigation floodgates and increasing the potential exposure of non-compliant businesses. 

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.