On January 25, 2019, the Illinois Supreme Court issued a highly anticipated ruling in the Rosenbach v. Six Flags case regarding enforcement of the Illinois Biometric Information Privacy Act, 740 ILCS 14/1, et seq. (BIPA or the Act). In its unanimous ruling, the Court held that a procedural violation of the Act, even absent a showing of actual injury, is sufficient to confer standing to sue for a BIPA violation.
This means that an employer who, for example, uses employee fingerprint data for timekeeping purposes could be on the hook for a BIPA violation for failure to follow the comprehensive notice-and-consent rules set forth in the Act.
Whether the Rosenbach ruling will trigger a spike in biometric privacy litigation against private employers remains to be seen. For now, understanding BIPA and key compliance principles can help employers mitigate against some of the risks inherent in collecting employee biometric data.
Recap of BIPA
BIPA was enacted in 2008 and defines “biometric data” as “retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” Companies who gather biometric data are required to satisfy the following prerequisites prior to collection:
- Inform the subject (or his or her legally authorized representative) in writing that his biometric data is being collected or stored;
- Inform the subject (or his or her legally authorized representative) in writing of the specific purpose and length of term for which the biometric data is being “collected, stored, and used”; and
- Obtain express written consent from the subject (or his or her legally authorized representative) prior to collection of his or her biometric data.
BIPA creates a private right of action for individuals “aggrieved by” violations of the Act, which can include injunctive relief and liquidated damages up to $5,000.
The Rosenbach Case
In 2014, Stacy Rosenbach purchased a season pass online to Six Flags Great America amusement park for her minor son. While on a school field trip to the amusement park, her son was asked to scan his thumbprint in order to complete the season pass authorization process, which he informed Rosenbach of after returning home from school. According to the complaint filed by Rosenbach, neither she nor her minor son were ever informed of the purpose for taking his fingerprints or length of its storage, nor did either of them provide written consent to the collection as required by the Act.
Rosenbach sued under BIPA on behalf of her minor son, seeking redress for him and on behalf of others similarly situated. Rosenbach’s BIPA claims initially survived a motion to dismiss filed by Defendants, who later sought interlocutory review to determine whether an individual can be an “aggrieved person” under the Act if she only alleges a technical violation of the statute. The circuit court held that to sustain an action for a BIPA violation, “injury or adverse effect must be alleged.” The court further stated that while the injury need not be pecuniary, it cannot amount to a mere “technical violation of the Act.”
On appeal, the Illinois Supreme Court reversed the circuit court’s ruling and held that a violation of the statute is, by itself, actionable. Relying on traditional canons of statutory interpretation, the Court explained that in enacting BIPA, the legislature intended to protect the right of individuals to safeguard their biometric privacy, and that once an entity fails to follow the notice and consent procedures set forth in the statute, that right is violated. The Court noted that “[t]his is no mere ‘technicality.’ The injury is real and significant.”
The Illinois Supreme Court’s analysis in Rosenbach echoes the rationale set forth in Section 5(c) of the Act, which explains that:
Biometrics are unlike other unique identifiers that are used to access finances or other sensitive information. For example, social security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.
The Rosenbach decision resolves a split in how Illinois courts have interpreted what it means to be “aggrieved” under BIPA. Notably, federal courts within the Seventh Circuit analyzing BIPA claims tend to follow the reasoning set forth in the U.S. Supreme Court’s decision in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), which explains that concrete and particularized injury-in-fact is required to confer Article III standing to sue in federal court. See e.g., Rivera v. Google, Inc., 2018 WL 6830332 (N.D. Ill. Dec. 29, 2018) (rejecting BIPA claim on grounds that plaintiffs had not suffered concrete injury from collection of Google Photo face geometry scans); Johnson v. United Airlines, 2018 WL 3636556 (N.D. Ill. July 31, 2018) (dismissing BIPA claim for alleged failure to provide notice or obtain consent prior to collecting employees’ biometric data where there was no actual harm). Nevertheless, individuals who are unable establish actual injury for a BIPA violation can still pursue their claims in state court based on the Rosenbach ruling.
While there are several questions that remain unresolved after Rosenbach, the Illinois Supreme Court has made clear that BIPA serves a critical deterrence function when it comes to individual privacy interests. Accordingly, the Rosenbach decision may open the floodgates to increased state court litigation among plaintiffs alleging violations of their statutory biometric privacy rights.
For these reasons, private companies doing business in Illinois should arm themselves against potential litigation by reviewing their data collection and storage practices to ensure strict adherence to the notice and consent procedures set forth in BIPA.
Private employers should note their vulnerability to attack, particularly in light of high-profile data breaches in recent years such as the 2015 hack of the U.S. Office of Personnel Management in which over 5.6 million federal workers’ fingerprints were stolen. Employers who use biometric technology for time recording or other personnel authentication purposes will continue to be targeted given the heightened sensitivity attributed to these sorts of breaches. Human Resources and IT departments should therefore be vigilant about enforcement of their privacy policies, and should consult with legal counsel as needed to ensure that their collection practices comply with ever-evolving biometric data collection and storage laws.