On November 20, 2018, the Illinois Supreme Court heard oral arguments in the case of Rosenbach v. Six Flags Entertainment Corp. The case was brought under the Illinois Biometric Information Privacy Act (BIPA), which impacts companies that capture and store biometric information, including finger or handprints and retina or face scans. Among other things, BIPA requires that such companies provide written disclosures to and obtain written consent from individuals whose biometric information the company captures.
In Rosenbach, the plaintiff brought a putative class action claiming that Six Flags’ practice of fingerprinting season-pass holders violated BIPA because written consent was not obtained and Six Flags did not disclose how it would store, use and destroy the biometric information. Notably, the plaintiff did not claim that an injury was suffered or that the biometric information had been compromised or used improperly, only that she would have refused consent for her son to be fingerprinted and he would not have purchased the season pass.
The Illinois Supreme Court is reviewing an Illinois Second District Appellate Court finding that a “person aggrieved” by a BIPA violation must allege actual harm. The Illinois Second District Appellate Court relied on language in BIPA that “any person aggrieved by a violation of the Act shall have a right of action” in coming to the conclusion that the private right of action in BIPA is contingent on there actually being a harm and that a mere technical violation of BIPA’s requirements is not alone sufficient for a claim. The Illinois Second District Appellate Court said in part: “If the Illinois legislature intended to allow for a private cause of action for every technical violation of the Act, it could have omitted the word ‘aggrieved’ and stated that every violation was actionable. A determination that a technical violation of the statute is actionable would render the word ‘aggrieved’ superfluous. Therefore, a plaintiff who alleges only a technical violation of the statute without alleging some injury or adverse effect is not an aggrieved person under…the Act.”
Early impressions from the Illinois Supreme Court oral argument illustrate the issues with which the Court is grappling. For example, Justice Anne Burke stated “Isn’t it too late then, to wait for the harm? They can’t do anything about it, and they may never know.” Justice Robert Thomas asked: “Given the dire consequences arriving from a violation of the Act, doesn’t it make sense that the legislature would want to give the Act some teeth, to ensure all efforts are made to prevent the compromise of data?”
As litigation for BIPA violations grew in popularity, many cases were faced with the question of whether failure to provide the required disclosures or failure to obtain the required consent were sufficient injury to sustain a cause of action, or instead whether a plaintiff complaining of a BIPA violation is required to show actual harm or damage resulting from the alleged BIPA violation. The latter would obviously be much more difficult to sustain, requiring an assertion of a data breach or privacy violation. Because BIPA specifies statutory damages of $1,000-$5,000 per violation, a clarification regarding what types of plaintiffs may sue under BIPA will significantly impact a company’s exposure to liability.
Many cases involving BIPA have been stayed pending the Illinois Supreme Court’s final decision on the appeal. The success of most of those cases will depend in the Supreme Court’s ultimate ruling in Rosenbach.