Text Size:

« back

Business Law FLASHPOINTS February 2019

February 15, 2019Print This Post Print This Post

Joseph Kish & Rachel Laurel, Segal McCambridge Singer & Mahoney, Ltd., Chicago
312-644-3538 | 312-645-7908 | E-mail Joseph Kish | E-mail Rachel Laurel

Actual Harm Is Not Necessary Under BIPA

The Background of BIPA

The Illinois legislature enacted the Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14/1, et seq., in 2008. The “biometric identifiers” protected under the BIPA include “retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” 740 ILCS 14/10. Section 15 of the BIPA requires companies that obtain an individual’s biometric information to put in place a public written policy that describes the biometric information’s retention schedule as well as the guidelines for its destruction. This section also states that a corporation must destroy an individual’s biometric information either when there is no more use for the information or within three years of the individual’s last interaction with the company.

Additionally, in order for the company to obtain an individual’s biometric information, it must (1) provide written notice that the biometric information is being collected, (2) provide written notice regarding the purpose of collecting the biometric information and the length of time the information will be stored, and (3) receive a written release from the individual whose biometric information is being stored. The Illinois legislature added a section to the BIPA granting that “[a]ny person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party.” 740 ILCS 14/20.

Diverging Court Opinions on Standing Under BIPA

Illinois courts have struggled to enforce a consistent ruling on whether a party alleging a claim under the BIPA must show particularized harm or if a mere technical violation of the Act suffices. The First District Appellate Court in Rosenbach v. Six Flags Entertainment Corp., 2017 IL App (2d) 170317, denied the plaintiffs a remedy for the unconsented collection of their biometric data under the BIPA. The court reasoned that the Illinois legislature intended the BIPA to allow a private cause of action to those who can show actual harm because the statute stated “[a]ny person aggrieved.” [Emphasis added.] 740 ILCS 14/20. If the legislature intended for a mere technical violation to suffice for standing, the court believed the legislature would have omitted the word “aggrieved.” Conversely, the court in Sekura v. Krishna Schaumburg Tan, Inc., 2018 IL App (1st) 180175, ruled the BIPA’s legislative intent was to allow for a cause of action regardless of whether the plaintiff suffered actual harm. The court stated the BIPA was enacted to “prevent any harm from occurring in the first place, thereby reassuring the public, who will then be willing to participate in this new [biometric data] technology.” 2018 IL App (1st) 180175 at ¶59.

The Supreme Court

In Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, the Illinois Supreme Court overturned the First District Appellate Court and held that an individual is not required to allege actual harm, beyond the violation of his or her rights under the BIPA, to qualify as “aggrieved” and seek remedial measures. The plaintiff alleged that Six Flags Entertainment Corporation stored her son’s fingerprint when he obtained a season pass for the park without following the proper procedures under the BIPA. She claimed neither she nor her son had any proper written notice of the purpose of storing the son’s fingerprint or how and when the data would be destroyed. The Illinois Supreme Court reviewed whether a party is “aggrieved” when no actual injury is alleged.

The court first analyzed the statutory intent of “[a]ny person aggrieved.” First, the court looked to §10(a) of the Consumer Fraud and Deceptive Business Practices Act, 815 ILCS 505/1, et seq., which requires a plaintiff to allege actual damage in order to bring a private right of action. The court compared this with the AIDS Confidentiality Act, 410 ILCS 305/1, et seq., in which the legislature provided a private right of action by any person “aggrieved” by a violation of the statute, and no actual damage is required. Furthermore, the Illinois Supreme Court held over a century ago that to be aggrieved means “having a substantial grievance; a denial of some personal or property right.” Rosenbach, supra, 2019 IL 123186 at ¶30, quoting Glos v. People, 259 Ill. 332, 102 N.E. 763, 766 (1913).

The court then moved into the legislature’s public policy intent for enacting the BIPA, quoting Patel v. Facebook Inc., 290 F.Supp.3d 948, 954 (N.D.Cal. 2018):

Such a characterization [of a violation merely technical in nature], however, misapprehends the nature of the harm our legislature is attempting to combat through this legislation. The Act vests in individuals and customers the right to control their biometric information by requiring notice before collection and giving them the power to say no by withholding consent. . . . These procedural protections “are particularly crucial in our digital world because technology now permits the wholesale collection and storage of an individual’s unique biometric identifiers—identifiers that cannot be changed if compromised or misused. . . . [T]he right of the individual to maintain [his or] her biometric privacy vanishes into thin air. The precise harm the Illinois legislature sought to prevent is then realized.” [Citations omitted.] 2019 IL 123186 at ¶34.

Therefore, the court determined that the legislative purpose of enacting the BIPA was to impose safeguards and ensure those safeguards were followed. Apart from the private right of action provided in §20 of the BIPA, no other mechanism for enforcement is available. This only bolstered the court’s reasoning of the importance of ensuring a private right of action, regardless of injury. Broadening the scope to allow claims to be brought before harm occurs is a stronger check on companies to follow the BIPA’s guidelines when gathering biometric information. Additionally, compliance is not overly burdensome, and the expense that companies do incur is insignificant compared to the irreversible harm that could occur if biometric information is not properly safeguarded.

For more information about business law, see BUSINESS AND COMMERCIAL LITIGATION — 2019 EDITION. Online Library subscribers can view it for free by clicking here. If you don’t currently subscribe to the Online Library, visit www.iicle.com/subscriptions.


Subscribe to FLASHPOINTSFree monthly e-updates in 15 practice areas.