Illinois Supreme Court Case Recognizes Low Bar for Biometric Information Liability
January 25, 2019
In a decision issued late last week, the Illinois Supreme Court allowed a private citizen to sue a company for failing to provide written notice and obtain a signed release before collecting his fingerprint data in violation of the Biometric Information Privacy Act, even though he had no claim of actual injury or harm apart from the statutory violation itself. The decision has important implications for Illinois private companies that collect biometric data, including companies that work in and with public schools and other public entities.
The Biometric Information Privacy Act regulates the handling—from collection through destruction—of retina and iris scans, fingerprints, voiceprints, and scans of hand or face geometry (“biometric identifiers”) and information based on such identifiers (“biometric information”) by private entities in Illinois. Section 15 of the Act specifically requires private entities to provide written notice and obtain a signed release before collecting biometric identifiers and information. An “aggrieved person” under the Act may file suit seeking money damages, reasonable attorneys’ fees and costs, and other relief, including an order prohibiting the company from further violating the law.
The Illinois Supreme Court decision, Rosenbach v. Six Flags Entertainment Corporation, centered around a 14-year-old boy’s school trip to Six Flags Great American in the summer of 2014. Alexander Rosenbach’s mother, Stacy, had purchased him a season pass before the trip. When Alexander arrived at the park, he was required to scan his thumb into Six Flags’ biometric data capture system to activate the pass. Neither Alexander, who was a minor at the time, or his mother received any written notice regarding or consented in writing to the collection of his fingerprint data. Six Flags also publishes no notice or written policy regarding its collection or use of biometric data. Alexander never went back to the park, but Stacy Rosenbach sued on her son’s behalf and on behalf of a class of similarly situated individuals, seeking liquidated damages and an injunction against Six Flags for failing to comply with the Act’s notice and consent rules.
Six flags asked the trial court to dismiss the complaint in its earliest stages, contending that the Rosenbachs had not alleged any actual or threatened injury other than the statutory violation. In its decision, the Supreme Court held that no actual or threatened injury must be pled. The court explained that when “a private entity fails to adhere to the statutory procedures, as defendants are alleged to have done here, ‘the right of the individual to maintain [his or] her biometric privacy vanishes into thin air. The precise harm the Illinois legislature sought to prevent is then realized.’ This is no mere ‘technicality.’ The injury is real and significant.”
The court’s decision could have broad implications in Illinois. Companies reportedly were already limiting the use of certain face-recognition products in light of the Act, and this decision may lead to further limitations. For companies that collect biometric information it is now more important than ever to provide the required notice and obtain the required consent before collecting biometric information. Public entities, including public schools, have also increasingly partnered with companies to collect biometric information for a range of uses, from library book checkouts to school lunch purchases in the cafeteria. Although the Act does not directly apply to public entities, public bodies that engage in such partnerships may wish to consider any risks of secondary liability. For more information on how to comply with the Act or to assess risks of liability for both public and private entities, contact Bill Pokorny, Jackie Wernz, or any other Franczek attorney.