On January 25, 2019, the Illinois Supreme Court held in Rosenbach v. Six Flags Entertainment Corporation that plaintiffs are not required to allege actual harm in order to seek damages against private entities under the state’s Biometric Information Privacy Act (BIPA). BIPA regulates companies’ collection, retention, and disclosure of biometric identifiers. It further provides a private right of action for persons “aggrieved” by a violation of the Act for recovery of liquidated damages, injunctive relief, attorneys’ fees, and costs. By allowing suits for technical violations of BIPA’s notice and consent provision to go forward, the Rosenbach decision will likely encourage the filing of new cases under the Act and may influence the interpretation of data privacy laws in other states.
The Rosenbach case challenged the use of fingerprint biometric data to administer season pass admissions at a Six Flags amusement park. The plaintiff alleged that Six Flags violated BIPA because it failed to disclose or obtain consent to use and retain her minor son’s fingerprints. The defendants sought dismissal of the complaint on standing grounds, arguing that the plaintiff failed to allege any actual or threatened injury. While the trial court rejected the defendants’ argument, the appellate court took the opposite view and held that the plaintiff must affirmatively allege an injury or adverse effect resulting from the violation in order to have standing to sue.
The Illinois Supreme Court rejected that view and held that plaintiffs alleging BIPA violations “need not allege some actual injury or adverse effect.” The court stated, based on statutory construction principles, that the term “aggrieved” applied when “a legal right is invaded” and proof of actual damages is not required in order to qualify as an aggrieved party. It also reasoned that a contrary construction would thwart the legislature’s intent to safeguard individuals’ privacy rights in their biometric information and enforce compliance by private entities through the risk of potential liability.
Prior to the court’s ruling, cases alleging violations of BIPA had produced mixed results. For example, one federal court in California reached a conclusion similar to Rosenbach and certified a class of Illinois Facebook users who challenged the company’s collection and storage of biometric data derived from face templates under BIPA without alleging actual injury.[1] In contrast, several courts in Illinois had held that allegations that a company violated BIPA’s notice and consent requirements did not establish injury-in-fact under Article III unless the data was disclosed to a third party without the person’s knowledge or consent.[2]
By eliminating a threshold requirement of injury, the Rosenbach ruling will likely encourage more plaintiffs to seek redress for technical violations of BIPA. However, it also could have an impact beyond BIPA by influencing how courts interpret other biometric data privacy laws that have been adopted or are being contemplated in other states. Thus, we expect that courts will continue to grapple with standing and injury as more jurisdictions adopt biometric data privacy laws and litigation proliferates.
[1] In re Facebook Biometric Information Privacy Litig., 326 F.R.D. 535 (N.D. Cal. 2018); see also https://www.clearycyberwatch.com/2018/02/data-privacy-class-action-facebook-survives-motion-dismiss/#more-2081.
[2] Miller v. Southwest Airlines, No 18. C. 36, 2018 WL 4030590, at *3 (N.D. Ill. Aug. 23, 2018) (citing similar cases).