The Illinois Supreme Court held in Rosenbach v. Six Flags Entertainment Corporation that individuals can sue under the Illinois Biometric Information Privacy Act (“BIPA”) without alleging “some actual injury or adverse effect, beyond violation of his or her rights” under BIPA. This decision is the latest relating to the threshold that must be met in order to bring claims under BIPA and more generally for violations of privacy rights. See previous related articles below. It is unclear, however, whether this decision will be applied beyond BIPA because the Illinois Supreme Court’s decision seems, in part, tied to the unique risks posed by the growing harm associated with the use of biometric information.
At the heart of the issue is the meaning and intent of the word “aggrieved” in evaluating whether “[a]ny person aggrieved by a violation of [BIPA] shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party.” In issuing its decision, the Illinois Supreme Court not only relied on legislative intent and common definitions of the word “aggrieved,” but on its conclusion that a violation of BIPA in particular creates a “real and significant” injury. A comparison of BIPA with other Illinois statutes that use the word “aggrieved” led the Illinois Supreme Court to find that term has been interpreted in other statutes to mean that “proof of actual damages is not required in order to recover.” A review of various dictionaries led to a similar understanding, one of which defined “aggrieved” to mean “having legal rights that are adversely affected,” without mention of the concept of injury.
Finally, the Illinois Supreme Court rejected the appellate court’s characterization of a violation of BIPA as a mere “technical” violation. Rather, the intent of BIPA is to combat the harm that is inherent when an individual’s ability “to maintain [his or] her biometric privacy vanishes into thin air.” Because one’s biometric information is immutable, merely compromising one’s ability to protect that unique information creates harm, which BIPA seeks to protect. Therefore, an allegation of a BIPA violation is “no mere ‘technicality.’ The injury is real and significant.” So, while an individual does not have to specifically allege an actual injury or adverse effect in order to bring a BIPA claim, it seems that an injury is presumed.
This last basis for the decision in Rosenbach still leaves open whether it would be similarly unnecessary to allege injury or adverse effect in order to bring a claim under some other statute if a violation of that statute is not viewed to prevent some inherent harm. Accordingly, while this decision gives plaintiffs the green light to bring suit in Illinois state court based on a violation of BIPA without alleging a tangible injury, it is unclear whether that rationale will be extended to alleged violations of other privacy rights.
Rosenbach v. Six Flags Entertainment Corporation
Riviera v. Google, Inc.
In re Horizon Healthcare Services Inc. Data Breach litigation, No. 15-2309