On January 25, 2019, the Illinois Supreme Court unanimously held that a plaintiff does not need to allege any actual injury or damages to successfully state a claim under the Illinois Biometric Information Privacy Act (BIPA). Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Jan. 25, 2019) (a copy of the opinion is available here). A violation of the statute by itself is sufficient to state a claim, even if no breach or misuse of the biometric information or identifier has occurred. Because BIPA includes stiff liquidated damages for violations, the court’s ruling is likely to lead to renewed interest by the plaintiffs’ bar in class action suits alleging BIPA violations.
Companies that collect or obtain biometric information or identifiers (for simplicity, collectively “biometric data”) should immediately take steps to ensure compliance with the statute if they have not already done so. A few key provisions of BIPA that companies should be sure to understand include the following:
- BIPA’s definition of biometric data is broad and includes fingerprints, voiceprints, eye scans and face/hand scans but not photographs or written signatures.
- BIPA applies not only to the company that originally collected the biometric data but also to any other company that obtains such data.
- To collect or obtain biometric data in compliance with BIPA, a company must provide notice to the person whose biometric data is being obtained and obtain a written release prior to collecting or obtaining the information.
- BIPA forbids selling, leasing, trading or otherwise profiting from a person’s or customer’s biometric data.
- BIPA applies to all biometric data collected or obtained by private entities, whether that data pertains to members of the public, consumers or employees, and regardless of the purpose for which the private entity is using the data.
- The statutory damages available for a person aggrieved by a BIPA violation are steep, including $1,000 to $5,000 per violation, attorneys’ fees and costs, and the possibility of injunctive relief
Set forth below in more detail is an overview of Rosenbach v. Six Flags, a more detailed explanation of BIPA’s requirements and some basic steps companies can take to reduce their potential liability to a BIPA claim.
Rosenbach v. Six Flags
In Rosenbach v. Six Flags Entertainment Corp., the plaintiff (who was a minor) alleged that the defendant amusement park violated BIPA by collecting his thumbprint to validate his identity as a season pass holder without making the disclosures or obtaining the consent required under BIPA. 2019 IL 123186 ¶¶ 4–8. The plaintiff brought both individual and putative class claims in Illinois state court. Id. ¶ 10. The defendant moved to dismiss on the ground that the plaintiff lacked standing to sue and failed to state a cause of action because the plaintiff had suffered no actual or threatened injury other than the alleged BIPA violation. Id. ¶ 12. The trial court substantially denied the motion to dismiss, the defendant appealed, and the Illinois Supreme Court agreed to decide whether a plaintiff may seek statutory liquidated damages and injunctive relief when the only injury alleged is a violation of BIPA. Id. ¶ 14.
The court answered this question in the affirmative, finding that no injury other than a violation of BIPA need be alleged to seek the statutory liquidated damages of $1,000 to $5,000 per violation and injunctive relief. Noting that BIPA provides a right of action to any person “aggrieved” by a violation of BIPA, the court found that both the plain meaning of the word “aggrieved” and legislative intent favored the plaintiff’s position that no injury other than a statutory violation need be alleged.
As to the meaning of the word “aggrieved,” the court found, based on a review of past cases and dictionary definitions, that persons whose legal rights are invaded or infringed by an act are “aggrieved” thereby, whether or not they suffer some consequent injury as a result of that invasion or infringement. Id. ¶¶ 30–32. As to legislative intent, the court noted that other Illinois statutes (such as the Illinois Consumer Fraud and Deceptive Business Practices Act (815 ILCS 505/10a(a)) require a plaintiff to allege that he or she suffered “actual damage”; the court found that the legislature’s decision not to include such a provision in BIPA showed that it intended to allow plaintiffs to bring BIPA claims even in the absence of harm resulting from a violation. Id. ¶¶ 25–27.
The court further supported its holding by citing a series of policy reasons for allowing individuals to bring BIPA claims even absent consequent harm. “[BIPA] vests in individuals and customers the right to control their biometric information by requiring notice before collection and giving them the power to say no by withholding consent.” Id. ¶ 34. According to the court, particularly in our digital world, an individual’s ability to “maintain his or her biometric privacy vanishes into thin air” without prior notice and consent; resulting in “injury [that] is real and significant.” Id. ¶ 34. The court also distinguished between financial information and Social Security numbers on one hand and biometric data on the other, observing that unlike financial information or someone’s Social Security number, which can be changed following a data breach, someone’s biometric data cannot be changed. Id. ¶ 35.
Consequently, with BIPA, the court reasoned, the Illinois legislature tried to “head off such problems before they occur” in two ways. First, BIPA imposes safeguards to ensure that privacy rights are “properly honored and protected to begin with, before they are or can be compromised.” Id. ¶ 36. Second, BIPA includes significant penalties to provide “the strongest possible incentive” for companies to “conform to the law and prevent problems before they occur and cannot be undone.” Id. ¶ 37. “Compliance should not be difficult,” the court reasoned, and “whatever expenses a business might incur to meet the law’s requirements are likely to be insignificant compared to the substantial and irreversible harm that could result if biometric identifiers and information are not properly safeguarded….” Id. at ¶ 36.
The Illinois Biometric Information Privacy Act
BIPA was enacted in 2008 to help regulate “the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information” — defined to include a person’s fingerprint, retina scan, voiceprint, and hand or face geometry (but to explicitly exclude, among other things, photographs and signatures). See 740 ILCS 14. Its provisions apply to “private entities” defined to include any individual, partnership, corporation, LLC, association or other group however organized, though it does not apply to government entities or financial institutions or affiliates thereof that are subject to certain provisions of the Gramm-Leach-Bliley Act.
Among other things, BIPA includes provisions concerning the following:
Retention and Destruction of Biometric Data. BIPA requires private entities in possession of biometric information to “develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying” biometric information either (a) once the initial purpose for collecting the biometric information has been satisfied, or (b) within 3 years of the individual’s last interaction with the private entity, whichever occurs first. See 740 ILCS 14/15(a).
Notice Before Obtaining Biometric Data. Under BIPA, private entities must provide notice to individuals (or their legally authorized representatives) prior to obtaining their biometric data. See 740 ILCS 14/15(b). The statute requires that such notice be given not only upon the initial collection of such data but also when such data is purchased, received through trade or otherwise obtained. The written notice must (i) inform the subject in writing that a biometric identifier is being provided or stored and (ii) inform the subject in writing of the specific purpose and length of term for which the biometric data is being collected, stored and used. See 740 ILCS 14/15(b)(1)–(2).
Written Consent Before Obtaining Biometric Data. BIPA provides that private entities must obtain a written release executed by the subject (or a legally authorized representative) before obtaining the subject’s biometric data. This written release is defined as “informed written consent.” 740 ILCS 14/10. The statute specifies that in the context of employment, a company may require execution of that release by an employee “as a condition of employment.”
No Sale or Lease of Biometric Data. BIPA forbids a “private entity in possession of a biometric identifier or biometric information” to “sell, lease, trade, or otherwise profit from a person’s or a customer’s biometric identifier or biometric information.” 740 ILCS 14/15(d).
Limitations on Transfer of Biometric Data. BIPA provides that a private entity in possession of biometric data may not disclose, redisclose or otherwise disseminate a person’s biometric data, unless
- the subject of the biometric data (or a legally authorized representative) consents to the disclosure,
- the disclosure completes a financial transaction requested or authorized by the subject (or a legally authorized representative),
- the disclosure is required by a state or federal law or municipal ordinance, or
- the disclosure is required pursuant to a valid warrant or subpoena.
740 ILCS 14/15(d).
Protection of Biometric Data. BIPA requires that a private entity in possession of biometric data (i) store, transmit and protect from disclosure such data using the reasonable standard of care within that entity’s industry, and (ii) store, transmit and protect from disclosure such data using in a manner that is the same as or more protective than the manner in which that entity stores, transmits and protects other confidential and sensitive information. 740 ILCS 14/15(e).
Private Right of Action. BIPA provides a private right of action to any person aggrieved by a violation of BIPA. 740 ILCS 14/20. A prevailing plaintiff may recover, for each violation,
- $1,000 per negligent violation (or actual damages, if greater)
- $5,000 per intentional or reckless violation (or actual damages, if greater)
- reasonable attorney’s fees and costs
- any other relief, including injunctive relief, that the court deems appropriate
740 ILCS 14/20.
Steps Companies Can Take to Reduce Exposure to BIPA Claims
This case underscores the importance of remaining sensitive to the requirements set forth in BIPA. Clients should consider taking the following steps to help prevent against a BIPA violation or at least limit the scope of liability if a violation is found to have occurred.
Inventory and Protect Biometric Data. Companies should determine what biometric data they are collecting and ensure that the data (i) was collected in compliance with BIPA’s notice and consent procedures, (ii) is protected appropriately and in compliance with BIPA’s requirements, and (iii) will be destroyed when no longer needed for the initial purpose for which it was collected, and in any event within three years of the subject’s last interaction with the company.
Minimize Collection and Retention of Unnecessary Biometric Data. While collection and use of biometric data can improve efficiency and results for companies, their employees and their customers, collection and retention of biometric data that is not needed (or that can be easily replaced with other procedures) can pose significant legal risk and compliance costs without an offsetting benefit. As such, companies should consider minimizing the collection and retention of biometric data that is unnecessary.
Provide Disclosures and Obtain Consent Before Obtaining Biometric Data. Companies should be careful to provide required disclosures, and obtain the required consents, before collecting or obtaining biometric data. Special care should be taken when collecting data pertaining to minors; a parent or guardian may claim that the minor lacks the ability to consent to the collection of biometric data and that a parent or guardian signature is required.