On January 25, 2019, the Illinois Supreme Court issued a highly anticipated decision, Rosenbach v. Six Flags Entertainment Corporate et al., extending the reach of the Illinois Biometric Information Privacy Act (BIPA). BIPA is an Illinois privacy law that regulates the collection, use, and retention of biometric data such as fingerprints, face, and eye scans by imposing procedural requirements on corporations that collect the data. Though not an employment case, the decision impacts employers using biometric time-keeping systems in Illinois.
BIPA is the country’s only biometric privacy law that affords a private right action to sue for monetary damages. Persons “aggrieved by a violation” of BIPA have a private right of action under the statute and may sue for statutory remedies, including the greater of actual or liquidated damages of $1,000 for negligent violations or $5,000 for intentional or reckless violations. Rosenbach, however, has given this provision new teeth.
Since at least 2014, Six Flags and its subsidiary, Great America, have used a fingerprinting process when issuing repeat-entry passes for their amusement parks. After learning that the amusement park scanned and stored her son’s thumbprint as part of its annual pass program, Stacey Rosenbach filed a putative class action alleging that the parks violated BIPA by collecting this information without first providing written notice or publishing a policy explaining how her son’s thumbprint would be used, retained, and destroyed. Rosenbach alleged no additional injury or adverse effect beyond a technical violation of BIPA’s requirements.
The Illinois Supreme Court unanimously held that a violation of the procedural requirements of BIPA alone rendered Rosenbach “aggrieved” under the statute. It determined that proof of actual injury or adverse effect is not required. According to the Court, “[t]o require individuals to wait until they have sustained some compensable injury beyond violation of their statutory rights before they may seek recourse . . . would be completely antithetical to the Act’s preventative and deterrent purposes.”
Impact of Rosenbach
The decision will incentivize BIPA class actions in state court. Rosenbach may also rekindle efforts in the Illinois legislature to clarify and limit the scope of BIPA. While an amendment to this effect failed to pass last year, as litigation increases, the legislature may be more keen to amend the statute and narrow the possibility for crippling liability to instances involving actual harm.
Despite the expansive developments in Illinois state court, BIPA claims may meet more resistance in federal court. A recent case from the Northern District of Illinois suggested that BIPA claims may not meet Article III standing requirements under the Supreme Court’s test for “actual harm.” Accordingly, to pursue claims in federal court, plaintiffs may need to allege more than a statutory violation.
Any business in Illinois that collects or uses biometric identifiers or biometric information should act now to implement, update and maintain policies and procedures to comply with BIPA. Such measures include:
- Drafting and communicating a written policy that describes the purpose and terms of the collection and storage of biometric information;
- Notifying employees (and consumers) in writing before any biometric information is collected; and
- Obtaining written consent from the data subject.
(See our earlier post on BIPA here.) For assistance preparing compliant policies, forms and practices, and to reduce your company’s risk of being subject to a BIPA action, reach out to your Baker McKenzie attorney.