Phillip M Schreiber is a partner and Andrew N Fiske is an attorney in Holland & Knight's Chicago office

HIGHLIGHTS:

  • The Illinois Supreme Court's recent decision in Rosenbach v. Six Flags Entertainment Corp. greatly expands potential liability for private entities with Illinois employees that fail to properly collect, store and use biometric information under the state's Biometric Information Privacy Act (BIPA).
  • Under the Court's ruling, claimants only need to show technical violations, rather than actual damages, to be entitled to relief.
  • Illinois entities must ensure that they adopt and implement written policies to collect, store, and use biometric identifiers and information in compliance with the Act.

In its Jan. 25, 2019, decision in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, the Illinois Supreme Court significantly expands potential liability for private entities with Illinois employees that fail to properly collect, store and use biometric information under the state's Biometric Information Privacy Act, 740 ILCS 14/1 et seq (BIPA or the Act). The Court held that individuals in Illinois whose biometric information is obtained in contravention of the requirements of BIPA need not suffer actual damages to be entitled to relief under the Act. The Court's holding will have wide-ranging implications for private entities already under siege from a plaintiff's class action bar eager to identify new claimants under the Act. More than 200 lawsuits currently are pending. To avoid exposure to lawsuits under BIPA, any entity with Illinois employees or that operates in Illinois and collects, stores or uses biometric identifiers or information must ensure that it has and continues to comply strictly with all of the Act's requirements.

The Illinois Biometric Information Privacy Act

BIPA restricts the collection and use by private entities of "biometric information," defined as "any information, regardless of how it is captured, based on an individual's biometric identifiers that is used to identify an individual." Biometric identifiers are defined to mean "a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry." The Act requires employers in possession of biometric identifiers or information to develop a written policy establishing a retention schedule and guidelines for the permanent destruction of biometric identifiers and information no later than three years after the initial purpose of retaining the information has been satisfied or the subject's last interaction with the entity. Prior to collection, dissemination, storage or use of biometric information, the collecting entity must inform the subject in writing of the length of time the information will be collected, stored and used, and obtain the subject's written release.

BIPA creates a right of action for any person "aggrieved" by a violation of the Act. Prevailing parties may recover, for each violation of the Act: 1) the greater of $1,000 in liquidated damages or actual damages for negligent violations, 2) the greater of $5,000 in liquidated damages or actual damages for intentional or reckless violations, 3) reasonable attorneys' fees and costs, including expert witness fees and other litigation expenses, and 4) injunctive or other further relief the court deems appropriate.

Illinois Supreme Court Decision in Rosenbach

The Rosenbach decision resolved a split in the Illinois Appellate Court over what it means to be an "aggrieved" individual under BIPA. Only aggrieved individuals can bring a claim under the Act. The Illinois Appellate Court split over whether a technical violation of the Act without any actual harm is sufficient to make an individual "aggrieved." In an unanimous decision, the Illinois Supreme Court rejected the need for an individual to have suffered actual harm. Instead, the Court held that a person is "aggrieved" under the Act even if his or her biometric information was collected in a manner that did not fully comply with the requirements of the Act and no actual injury is required.

The Supreme Court rejected the Appellate Court – Second District's construction of the term "aggrieved," which required actual harm to have been suffered. The Court analyzed case law and the Act's language to find that "aggrieved" was not limited to persons suffering actual damages, but applied to persons whose legal rights were adversely affected:

"[W]hen a private entity fails to comply with one of Section 15 [of the Act]'s requirements, that violation constitutes an invasion, impairment, or denial of the statutory rights of any person or customer whose biometric identifier or biometric information is subject to the breach....such a person or customer would clearly be "aggrieved" within the meaning of section 20 of the Act and entitled to seek recovery under that provision, No additional consequences need be pleaded or provided. The violation, in itself, is sufficient to support the individual's customer's statutory cause of action. Rosenbach at ¶ 33.

The Court further noted that the General Assembly "has codified that individuals possess a right to privacy in and control over their biometric identifiers and biometric information. Id.

Open Questions

The Rosenbach decision answered only one question under BIPA. Many others remain to be decided in future court cases. One immediate question that likely will need to be addressed is whether the data collected by fingerprint scanners used for timeclock purposes constitutes a biometric identifier under the Act. Many (if not all) such scanners do not collect an image of the individual's fingerprint. Rather, certain portions of the print are mapped for purposes of creating a data hash. Whether or under what specific circumstances this process constitutes the collection of biometric information remains to be seen.

Going Forward

The Supreme Court's decision undoubtedly will spark more litigation under BIPA. Private entities operating in Illinois that collect, store or use biometric identifiers or information of any person, whether employees, independent contractors, customers or others, must confirm that that they have adopted and are implementing a written policy concerning the collection and storage. In addition, the entities must provide the requisite notice to those whose biometric information is to be collected and obtain their written consent to collect their biometric information.

Holland & Knight has written previous alerts on BIPA: see "New Employer Guidance for Illinois Biometric Information Litigation" (Aug. 6, 2018), and "A New Employment Law Frontier: Illinois' Biometric Information Privacy Act" (May 25, 2017).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.