On January 25, 2019, the Illinois Supreme Court unanimously ruled that infringement of a right afforded under the state’s Biometric Information Privacy Act (“BIPA”), even absent harm, is sufficient for a plaintiff to allege a violation of the law. The Court found the legislature provided for liability under BIPA for a statutory violation and that losing control of one’s biometric privacy is a real and significant injury. A key question in litigation involving BIPA and other privacy laws around the country has been whether tangible harm—beyond a statutory violation—is required for legal action. The Illinois Supreme Court’s determination that such harm is not required will impact some of the 200 pending BIPA cases and will almost certainly increase the number of law suits filed under BIPA, which provides for statutory damages and attorneys’ fees. What remains uncertain is whether the ruling will be a harbinger for litigation under other privacy laws or if the decision will spur action by the Illinois legislature, which has previously tried to amend BIPA.
In Rosenbach v. Six Flags Entm’t Corp., Six Flags required the Plaintiff’s 14-year-old son to provide a scan of his thumb in order to register his season pass. In response, Rosenbach sued Six Flags under BIPA, alleging Six Flags failed to inform them of the specific purpose and time for which the biometric information was collected, and failed to obtain written consent to its collection, use, or storage. BIPA provides a private right of action for any person “aggrieved” by a violation of the Act. Six Flags moved to dismiss the suit on the ground that Rosenbach had not suffered an actual or threatened injury. The Illinois Appellate Court agreed, holding an individual suffering a mere technical violation of the act, without any injury or adverse effect, is not “aggrieved” within the meaning of BIPA.
Illinois Supreme Court’s Unanimous
The Court concluded
that “to require individuals to wait until they have sustained some compensable
injury beyond violation of their statutory rights before they may seek recourse
… would be completely antithetical to [BIPA’s] preventative and deterrent
On appeal, the Illinois Supreme Court concluded that the legislature intended to give individuals a right to privacy in their biometric information, control over their biometric information, and for any person aggrieved by a violation of BIPA to have a right of action. The Court found that the appellate court had misapprehended the nature of the harm the legislature was attempting to combat and that, when an entity fails to adhere to the statutory procedures, the right of the individual to maintain his or her biometric privacy vanishes and the harm the legislature sought to prevent is realized. This loss of control, according to the Court, is no mere “technicality.” Rather, it is a real and significant injury.
*** This is a Security Bloggers Network syndicated blog from Law Across the Wire and Into the Cloud authored by Kandi Parsons. Read the original post at: https://blog.zwillgen.com/2019/02/05/keeping-a-finger-on-bipa/