Privacy Violations Make "Aggrieved" Consumers
In a highly anticipated decision issued on January 25, 2019, the Illinois Supreme Court in Rosenbach v. Six Flags Entertainment Corp.
, 2019 IL 123186 (Ill. 2019), handed an important victory to consumers seeking redress for privacy violations under Illinois’ Biometric Information Privacy Act (“BIPA”).
Enacted in 2008, the BIPA protects consumers by providing guidelines and limitations on the collection, retention, disclosure and storage of biometric identifiers (defined as retinal scans, iris scans, voiceprints, fingerprints, and scans of hand or face geometry) and also “biometric information” (information derived from biometric identifiers). The law prohibits companies from collecting and storing this data without first obtaining a person’s informed written consent. The Illinois statute also allows a private person to sue and permits the plaintiff to recover “for each violation” either $1,000 or actual damages for negligent violations, and $5,000 or actual damages for intentional or reckless violations.
Because BIPA imposes some potentially powerful statutory penalties, defendants fight hard to avoid application of the statute. One tactic is to argue that, apart from having their information taken, to qualify as an “aggrieved” person under BIPA, a plaintiff must also suffer some actual, concrete harm apart from simply having his or her information collected in violation of BIPA’s provisions (under section 20 of BIPA, any person “aggrieved” by a violation “shall have a right of action” and may recover statutory or actual damages, plus reasonable attorney fees and costs, and any other relief deemed appropriate”). That defense was just conclusively rejected by a unanimous
Illinois Supreme Court.
, the plaintiff sued under BIPA because her 14 year old son’s thumbprint was collected after he purchased a repeat entry pass to a Six Flags amusement park. As alleged by Ms. Rosenbach, Six Flags scanned customer fingerprints and then stored the data to verify the customer’s identity for subsequent visits to make entry to the park easier and faster and also to minimize lost revenue from park entry by someone other than the pass holder.
In her complaint, Ms. Rosenbach alleged that she neither consented to nor received any information about Six Flags’ collection and storage of customer fingerprints. Ms. Rosenbach further alleged that she never would have purchased a season pass for her minor son had she known that Six Flags was collecting and storing his biometric information in violation of BIPA.
Because the boy’s information was not actually stolen and misused prior to Ms. Rosenbach’s filing suit, Six Flags argued that she could not be considered an “aggrieved person” entitled to relief under BIPA. Finding defendant’s argument wholly unpersuasive, the Supreme Court determined that the intent of the Illinois Legislature in enacting BIPA was not to require consumers to allege misuse of their data in order to have standing. Further, “[t]o require individuals to wait until they have sustained some compensable injury beyond violation of their statutory rights before they may seek recourse, as defendants urge, would be completely antithetical to the act’s preventative and deterrent purposes.”
In so holding, the Supreme Court recognized the threat of “substantial and irreversible” harm that could occur if a person’s biometric information were taken because it was not properly safeguarded. This threat, according the Court, outweighs any asserted compliance burden on businesses. The Court went out of its way to underscore that businesses should have the “strongest possible incentive” to protect their users’ data given the possibility of lawsuits seeking substantial statutory damages.
decision is certainly a powerful proclamation in favor of safeguarding consumer information. Whether companies will heed the Court’s guidance and take more responsible measures to ensure data is protected remains to be seen.