UNITED STATES – In a groundbreaking decision handed down on January 25, 2019, the Illinois Supreme Court unanimously held that private entities cannot collect biometric data from consumers without their consent, pursuant to the Illinois Biometric Information Privacy Act (740 ILCS 14/1 et seq.) (“BIPA”). Crucially, the Court held that individuals have standing to bring a claim under BIPA even without a showing of actual harm.
Plaintiff Stacy Rosenbach filed suit against Six Flags amusement park after it collected her fourteen-year-old son’s thumbprint data without his consent. Ms. Rosenbach claimed that the collection violated BIPA, despite the fact that her son suffered no actual harm. Rosenbach v. Six Flags Entm’t Corp., 2019 IL 123186, P21 (2019).
In holding that technical non-compliance is sufficient to confer standing, the Illinois Supreme Court reasoned that unlike Social Security numbers, which can be altered after identity theft, biometric data such as face shapes or fingerprint patterns cannot be changed to protect victims. Thus, the high court agreed that the protections afforded by BIPA “are particularly crucial in our digital world because technology now permits the wholesale collection and storage of an individual’s unique biometric identifiers,” which can be compromised or misused repeatedly over the course of a person’s lifetime. Id. at P34.
Enacted in 2008, BIPA ensures that individuals retain control over their own biometric data, including fingerprints, facial recognition, retina scans, voiceprints, and other biometric markers. The Act regulates “the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information,” requiring private entities to notify and obtain consent from individuals before collecting personal biometric identifiers. 740 ILCS 14/5, 15. Section 20 of the Act creates a private right of action for any individual whose biometric data has been collected without notice and consent, allowing such “aggrieved” persons to recover $1,000-$5,000 for each violation (depending on whether the collecting entity’s conduct was negligent, reckless, or intentional). Id. at 14/20. Successful plaintiffs may also recover reasonable attorneys’ fees, including expert witness fees and other litigation expenses. Id. After Rosenbach, an “aggrieved” individual is any person that can show a mere technical BIPA violation, regardless of whether that person suffered actual injury as a direct result of biometric data collection.
Rosenbach will significantly impact any business entity operating in Illinois—especially those that collect biometric data, which is broadly defined by BIPA. By enabling individuals to bring claims under BIPA without clearing the procedural hurdle of proving actual injury, the Court’s decision is likely to result in a massive influx of BIPA-based class action suits. It is pertinent for businesses with Illinois operations to ensure that they are compliant with the notice-and-consent provisions of BIPA to avoid litigation exposure and substantial liability to individuals.
