Illinois State Supreme Court Issues Important Decision on Standing Requirements Under Biometric Privacy Law

In a long-awaited ruling, the Illinois Supreme Court has unanimously decided that under the state’s Biometric Information Privacy Act (BIPA), plaintiffs need not allege “actual injury” beyond violation of the statute in order to pursue claims for violation of the law. This decision emphasizes the importance of ensuring that collection of biometric information, such as fingerprints and facial features, complies with the BIPA’s notice and consent requirements. In addition, both industry and privacy watchdogs will be watching whether, in light of this decision, Illinois maintains or, as some predict, weakens the BIPA.

Illinois’ BIPA was enacted in 2008, making it the first state to regulate the collection of biometric information such as retina or iris scans, fingerprints, voiceprints, or scans of hand or face geometry. The BIPA requires companies that collect biometric information to develop and make public a written policy that establishes a retention schedule and guidelines for destruction of the information. The BIPA also requires that companies collecting biometric information inform the subject about the collection and its purpose, and that they receive a signed, written release before collecting the information. The BIPA prohibits companies from selling biometric information, as well as from otherwise disclosing such information without consent. Finally, the BIPA requires companies that collect biometric information to apply a reasonable standard of care to protect the information.

Under the BIPA, private individuals who are “aggrieved” by a violation of the law can sue companies for the alleged violations. The BIPA provides for damages of $1,000 for any violation, or $5,000 for an intentional or reckless violation, plus attorneys’ fees. Since the BIPA was enacted, plaintiffs have filed numerous class actions alleging violations, with over 100 BIPA cases in the Illinois courts in just the last two years.

In the case at issue, 14-year-old Alexander Rosenbach had a season pass to a Six Flags amusement park, but in order to activate it, he had to provide a thumbprint. Six Flags did not inform either the boy or his mother of the purpose for the thumbprint collection, nor did Six Flags seek their consent. Rosenbach’s mother sued on his behalf. The trial court largely denied Six Flags’ motion to dismiss, and the intermediate appellate court then ruled in Six Flags’ favor, finding that a plaintiff is not “aggrieved” under the BIPA if the only harm is a violation of the statute. Rosenbach appealed, and the Illinois Supreme Court has now ruled in his favor.

The court read the BIPA more expansively, concluding it did not require plaintiffs to show actual damage, beyond violation of the rights conferred by the statute, as a result of the defendant’s conduct. The court noted that while such damage must be shown under other state laws, those other laws have included that requirement explicitly in their text. The court also cited past judicial interpretations of the word “aggrieved” to conclude that it can be applied to situations “when a legal right is invaded by the act complained of.” In the Illinois Supreme Court’s view, the appellate court incorrectly viewed the harm claimed by Rosenbach as merely “technical,” while the Supreme Court concluded it could be “real and significant.” The court pointed out that in enacting the BIPA, the state legislature had assessed the risks of biometric information collection and codified individuals’ “right to privacy in and control over” such information so a company’s failure to comply with the law “constitutes an invasion, impairment, or denial of the statutory rights of any person or customer” whose biometric information was improperly collected, and that invasion is sufficient to establish standing.

With the Illinois Supreme Court’s decisions, many other BIPA cases that have been in limbo likely will now be reactivated. A large number of these involve employers that use biometric devices to keep track of employees’ time (e.g., by using fingerprints to clock in and out). Furthermore, both Washington and Texas have biometric privacy laws, though neither has a private right of action, and biometric information is included as “personal information” under California’s new privacy law; in addition, a handful of other states have biometric privacy laws similar to BIPA pending. Of course, these other states all have their own case law, legislative history, and individual panels of judges, but the Rosenbach decision may be influential in other decisions that consider similar questions about what constitutes an injury for purposes of this kind of statute. Indeed, Massachusetts legislators in January proposed a new law very similar to the BIPA, providing a private right of action for violation of the statute alone, with no other injury needing to be shown. That said, the decision conflicts with some in the Seventh Circuit and other state courts, which have required an actual injury to bring claims. Indeed, arguably, the decision lowers the standing requirement below what courts have required under federal Article III, and since Illinois courts have held that the state’s constitutional standing requirements mirror the federal requirements, the ruling could potentially be attacked on that ground.

The Rosenbach decision should be widely read and analyzed by both privacy advocates and by companies using biometric information as part of their business. The question now is, will Illinois legislators be pressed to amend the BIPA to tighten requirements for bringing a claim, as some have predicted? With so many BIPA cases on Illinois courts’ dockets, it is likely only a matter of time before there is further clarification of the law, and perhaps of other existing and future biometric laws.