The Illinois Supreme Court held on January 25, 2019, that plaintiffs filing suit under the Biometric Information Privacy Act—which regulates how private entities disclose and discard biometric identifiers—do not need actual damages for standing. The decision has serious implications for companies collecting biometric data from Illinois residents.

The Act provides a private right of action to individuals “aggrieved” by any violation, allowing them to seek, among other remedies, liquidated or actual damages, attorneys’ fees, and costs. However, there has been widespread uncertainty as to whether an aggrieved individual asserting a private action under the Act needed to show that he or she suffered an actual injury as a result of an alleged violation, or if a violation of the Act in and of itself conveys standing.

In Rosenbach v. Six Flags Entertainment, Corp., et al., the mother of the 14-year-old plaintiff purchased a season pass to the Six Flags amusement park for her son online. Unknown to the plaintiff’s mother at the time, to activate the pass, her son had to visit the park in person and provide Six Flags a scan of his thumbprint. His thumbprint and the pass, together, allowed him expedited access within the park.

When the plaintiff’s mother learned that Six Flags had scanned her son’s thumbprint, she brought suit, acting on his behalf, alleging—among other things—that Six Flags had violated the Act by collecting and storing biometric data without her consent, failing to inform her of the specific purposes and intended uses of the biometric data, and not getting a written release before obtaining it.

Six Flags moved to dismiss the plaintiff’s claims, arguing, in part, that the plaintiff—who did not allege an actual or threatened injury resulting from the violation—lacked standing. Although the trial court initially denied Six Flags’ motion, the Illinois Court of Appeals agreed with Six Flags: a “technical violation of the Act” was not enough to confer standing; the aggrieved party must, at a minimum, allege that the violation caused plaintiff to suffer an actual injury or adverse effect.

However, the Illinois Supreme Court issued a ruling overturning the appellate court’s decision, holding that “a person need not have sustained actual damage beyond violation of his or her rights under the Act in order to bring an action under it.” The court’s ruling was driven by the state legislature’s stated assessment of the risks posed by collecting biometric data and the difficulty remedying data breaches once they occur. A violation of the Act, therefore, was “no mere ‘technicality,'” as posited by the lower court, but rather resulted in “real and significant” injuries to the aggrieved party.

The court’s ruling may open the door to many more legal challenges that businesses that collect such data have so far resisted. Indeed, the Act already serves as the basis for claims in federal lawsuits around the country. This recent holding will ensure that plaintiffs in those and forthcoming lawsuits can establish standing with mere technical violations.

Philip N. Yannella

yannellap@ballardspahr.com | 215.864.8180 | view full bio

As Practice Leader of Ballard Spahr’s Privacy and Data Security Group, and Practice Leader of the firm’s E-Discovery and Data Management Group, Philip N. Yannella provides clients with 360-degree advice on the transfer, storage, and use…

yannellap@ballardspahr.com | 215.864.8180 | view full bio

As Practice Leader of Ballard Spahr’s Privacy and Data Security Group, and Practice Leader of the firm’s E-Discovery and Data Management Group, Philip N. Yannella provides clients with 360-degree advice on the transfer, storage, and use of digital information.

Phil regularly advises clients on the Stored Communications Act (SCA), Computer Fraud and Abuse Act (CFAA), EU-US Privacy Shield, General Data Protection Regulation (GDPR), Defense of Trade Secrets Act, PCI-DSS, Telephone Consumer Protection Act (TCPA), New York Department of Financial Services Cybersecurity Regulations, ISO 27001 compliance, HIPAA Security Rules, and FTC enforcement activity, as well as eDiscovery issues—leveraging his experience serving as National Discovery Counsel for more than two dozen companies in nationwide litigation. He harnesses his deep knowledge of privacy, data security, and information governance laws to help multinational companies develop global information governance programs to comply with overlapping, and sometimes conflicting, laws. Phil serves on the advisory board for the ACC Foundation’s Cybersecurity Survey, the largest survey of in-house counsel on cybersecurity issues.