Illinois Privacy Law Does Not Require Actual Harm
On January 25, 2019, the Illinois Supreme Court held that a person whose rights under the Biometric Information and Privacy Act (“BIPA”) (740 ILCS 14/1) are violated is “aggrieved” and is not required to show that the violation caused actual harm in order to bring an action seeking damages and/or injunctive relief. Rosenbach v. Six Flags Entertainment Corp., No. 123186 (Ill. Jan. 25, 2019). The Court’s decision in this landmark class action lawsuit significantly raises the risk of liability for businesses required to comply with BIPA, one of the most expansive biometric privacy laws in the United States. Persons “aggrieved” by a violation of BIPA can recover the greater of liquidated damages or actual damages, as well as reasonable attorney’s fees. Liquidated damages are $1,000 for each negligent violation and $5,000 for each intentional or reckless violation.
In Rosenbach v. Six Flags, the plaintiff argued that Six Flags violated BIPA when it collected his biometric information, namely his fingerprints, without providing the required disclosures and obtaining written consent in accordance with BIPA. The defendants sought to have the case dismissed by claiming that the plaintiff lacked standing because he was not injured or adversely affected by the company’s failure to comply with BIPA.
The Court held that an “aggrieved” person is any person whose right to biometric privacy under BIPA is violated. Because BIPA did not define “aggrieved,” the Court analyzed the “plain and unambiguous language of the law” and the “objectives and purposes the legislature sought to achieve,” namely, the right of individuals to control their biometric information.
Managing BIPA Liability
BIPA imposes stringent disclosure, consent, protection, and retention requirements on businesses that collect “biometric identifiers.” Under BIPA, “biometric identifiers” include retina or iris scans, fingerprints, voiceprints, or scans of one’s hand or face geometry. Businesses can protect themselves from liability under BIPA by taking the following steps:
- Identify information collected that would qualify as biometric identifiers under BIPA;
- Consider the business case for collecting each biometric identifier;
- Limit the collection and retention of biometric identifiers to that which is necessary to support the business case; and
- Review BIPA’s requirements and revise any non-compliant biometric collection and retention policies and procedures.