Illinois Supreme Court Upholds Scope of Biometric Information Privacy Act
Last year, we wrote about the Illinois Biometric Information Privacy Act (BIPA). The 2008 act requires companies to obtain affirmative consent from consumers and employees before collecting “biometric identifiers” such as fingerprints, retina scans, and facial or voice recognition. This issue has become more prominent in recent years as biometric technology has advanced, and not surprisingly, companies have objected to the consumer protections in BIPA. A recent Illinois Supreme Court opinion has clarified the scope of the act, and has made clear that Illinois consumers whose rights are violated under BIPA have the right to sue immediately, without needing to wait before sustaining some other “injury” or “harm.”
As we discussed last year, employers such as Wendy’s have been accused of violating the act by making employees clock in and out of work using their fingerprints, and storing the fingerprints indefinitely in a central database. While employers commonly use this type of biometric technology, it is also becoming increasingly used more broadly in the consumer context. The case heard by the Illinois Supreme Court, Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Jan 25, 2019), deals with consumers.
In Rosenbach, plaintiff Stacy Rosenbach sued Six Flags on behalf of her son, alleging that the company violated BIPA by taking her son’s fingerprints when he purchased a season pass to the Six Flags Great America amusement park in Gurnee. Specifically, the lawsuit claimed that Six Flags violated section 15(b) of BIPA, which requires companies collecting a person’s biometric information to (1) inform them in writing that their information is being collected or stored; (2) explain the purpose the information is being stored for, and how long it will be stored; and (3) receive written consent from the party before collecting the information.
Six Flags sought dismissal of the lawsuit, arguing that Rosenbach had suffered no “actual or threatened injury” and therefore lacked standing to sue. An Illinois circuit court denied Six Flags’ motion to dismiss the BIPA claims (but did dismiss a related claim for unjust enrichment). Six Flags appealed the ruling to the appellate court, which granted review and overturned the circuit court’s ruling. The appellate court opinion accepted Six Flags’ argument that a plaintiff is not “aggrieved” under BIPA unless they have suffered some additional harm or injury beyond the violation of the statute itself. Rosenbach petitioned the Illinois Supreme Court for leave to appeal, and the court allowed her petition.
Given the scope of the issues involved and the implications for consumers, the case attracted attention from a wide variety of groups. The Electronic Frontier Foundation and the American Civil Liberties Union filed friends of the court briefs supporting Rosenbach’s position, while the Illinois Chamber of Commerce and the Illinois Restaurant Association filed briefs on behalf of Six Flags.
Despite the conflicting lower court rulings, the Illinois Supreme Court had little trouble finding in favor of Rosenbach. In a unanimous ruling written by Chief Justice Karmeier, the court held that a person whose biometric information has been collected in violation of BIPA is an “aggrieved” person under the act, and does have the right to sue. The court resoundingly rejected Six Flags’ argument that a person must wait to suffer some other injury in order to sue.
The court began by looking at the language of the statute, and noting that BIPA contains no requirement that a plaintiff sustain “actual damage” beyond the violation of the statute. BIPA states simply that “[a]ny person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party.” Other Illinois statutes, such as the Consumer Fraud and Deceptive Business Practices Act (815 ILCS 505/10a(a)), do contain requirements that a plaintiff allege “actual damage.” BIPA does not, so the court went on to analyze the definition of “aggrieved.” Under both its “settled legal meaning” and common dictionary definitions, “aggrieved” is commonly understood to mean an infringement or denial of legal rights.
The Illinois Supreme Court did not rely solely on statutory interpretation, but went on to discuss the reasoning behind BIPA. The purpose of BIPA, according to the court, is to give “individuals and customers the right to control their biometric information by requiring notice before collection and giving them the power to say no by withholding consent.” When the Illinois General Assembly passed the law in 2008, it expressly noted that:
“[b]iometrics are unlike other unique identifiers that are used to access finances or other sensitive information. For example, social security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric- facilitated transactions.” 740 ILCS 14/5(c) (West 2016).
The court described the right of plaintiffs to sue under the act as “integral to implementation of the legislature’s objectives,” since “no other enforcement mechanism is available.” Whatever expenses business might incur to comply with BIPA pale in comparison to “the substantial and irreversible harm that could result if biometric identifiers and information are not properly safeguarded.” In the court’s view, the point of BIPA is to address problems before they occur, so requiring individuals to wait until they suffer some additional harm or injury would be “completely antithetical to the Act’s preventative and deterrent purposes.” Because the right to control one’s biometric privacy is far more than a mere “technicality,” the Illinois Supreme Court reversed the appellate court ruling and allowed Rosenbach’s lawsuit to proceed.
So what does this all mean for Illinois consumers and employees? First and foremost, it means that people need not wait until their biometric information has been compromised to assert their rights under BIPA. As the Rosenbach opinion recognized, the point of BIPA is to encourage companies to safeguard biometric data, so forcing plaintiffs to wait until after a data breach to sue would have been like locking the barn door after the horse has escaped. Of course, companies can still collect biometric information from customers and employees, but they simply must explain how it will be stored and receive affirmative consent in writing before doing so. Despite the stated concerns of business groups, that should not be terribly onerous for companies.
The broader implications of the ruling are also important. While fingerprinting has been commonly used for decades, more advanced biometric technology like facial recognition is becoming much more widely used. The potential for abuse of this type of technology is troubling – while a person must allow someone to take their fingerprints, facial recognition technology could theoretically be used anytime you walk down the street, even without your knowledge. Indeed, countries such as China already use facial recognition technology to track and target minority groups.
While Big Brother thankfully hasn’t taken over to that extent in the U.S. just yet, our use of this technology raises its own concerns. Just earlier this month, U.S. Customs and Border Protection admitted that license plate images and photos of travelers crossing the border into the U.S. were compromised as part of a cyberattack. This news comes as federal officials are looking into replacing airline boarding passes with facial recognition technology. While the biometric information held by third parties is increasing by leaps and bounds, the data security of that information is not. If the federal government cannot safeguard biometric data from malicious cyberattacks, how many private companies can? This is precisely why Illinois passed the Biometric Information Privacy Act in the first place, and thanks to the Rosenbach ruling, Illinois consumers will not have to wait until their information is hacked to assert their rights under the law.
Wexler Wallace is currently investigating claims relating to employer violations of the Biometric Information Privacy Act in Illinois. Click here for more information.