On January 25, 2019, the Illinois Supreme Court ruled that a consumer need not demonstrate an adverse effect or specific harm, such as evidence that personal information was stolen or misused, to have standing to sue under the state’s Biometric Identity Protection Act (BIPA). The court held that a procedural violation of the law itself is sufficient to support a private right of action under BIPA. The court’s decision will give real teeth to the 200-plus BIPA actions already filed in Illinois – the only biometric law in the country with a private right of action – and we are likely to see a boost in lawsuits against private entities alleging procedural BIPA violations.
In Rosenbach v. Six Flags (a more detailed explanation of the facts and previous inter-district split is provided in a previous blog post), the Court held that Rosenbach’s son can be considered an “aggrieved person” under BIPA based simply on the fact that his fingerprint was taken (for a season pass to Six Flags) without the required written consent. The Illinois Supreme Court opined that even a “technical” breach prevents an individual from maintaining his/her biometric privacy, which the court considers a “real and significant” injury to one’s “statutory right.”
The ruling reverses a lower court decision that a plaintiff must show specific injury in order to satisfy the “aggrieved person” standard under BIPA. The lower court held that merely alleging a technical violation of the law, without claiming some adverse effect or harm, does not constitute “aggrieved” and does not support a private right of action.
The high court emphasized that the threat of facing lawsuits for failing to comply with BIPA’s procedural requirements, including providing notice and obtaining consent, strengthens one of the purposes of the law: deterrence. With potential statutory fines ranging from $1,000 to $5,000 per violation, companies should evaluate data collected to determine whether it is subject to BIPA and, if so, take appropriate steps to comply with the Act’s procedural requirements, such as providing written notice of and obtaining written consent to collect, capture, purchase, or otherwise obtain biometric information and setting and publicizing retention parameters and guidelines for permanently destroying biometric identifiers. As the Illinois Supreme Court stated, it is probably less costly to ensure compliance on the front end than to engage in litigation and risk the potential fines for noncompliance on the back end.