Illinois Supreme Court Finds that Companies Could Be Held Liable for Non-compliance with Statutory Privacy Safeguards

January 2019

On January 25, 2019, the Illinois Supreme Court ("Court") ruled in Rosenbach v. Six Flags Entertainment Corp. that if an entity that collects, maintains, stores, or transfers biometric data merely fails to comply with statutory requirements when obtaining this information, this alone is sufficient “injury” to allow consumers to sue for damages and injunctive relief. This case underscores the privacy safeguards under the Illinois Biometric Information Privacy Act (BIPA), which carries penalties that could exceed $5,000 per violation. According to the Court, no data breach, wrongful disclosure, or actual injury to the consumer is required for a company to be subject to civil liability under the BIPA. To avoid potentially significant liability, all entities handling information subject to the BIPA should review their policies, procedures, and methods for collecting and storing such data. 

The BIPA has been in effect for more than a decade and governs how entities operating in Illinois handle consumer biometric data. It requires these companies to obtain explicit written consent from an individual before collecting any biometric identifiers, such as fingerprints, retinal scans, or face scans. The BIPA allows for “aggrieved” individuals to sue for violations of the Act, which is exactly what Stacy Rosenbach did when she found out that Six Flags had collected her 14-year-old son’s fingerprint, in an effort to streamline park entrance for season pass holders and allegedly without consent or adequate disclosure. The BIPA also requires companies to inform individuals in writing when collecting or storing biometric identifiers and to disclose the specific purpose and duration for which that data is kept. 

Six Flags argued that to recover under the BIPA, a plaintiff must sustain an “actual injury or harm” rather than simply allege a “technical violation” of the BIPA. The Court disagreed, explaining that when a company fails to adhere to the statutory procedures, an individual’s right of privacy “vanishes into thin air.” It added, “This is no mere ‘technicality.’ The injury is real and significant.” The statutory violation itself was sufficient; otherwise, consumers would be required to wait until some quantifiable harm occurred, which was not the legislature’s intent when it enacted the BIPA.

The Court also said, “Compliance should not be difficult; whatever expenses a business might incur to meet the law’s requirements are likely to be insignificant compared to the substantial and irreversible harm that could result if biometric identifiers and information are not properly safeguarded.” The ruling could affect the more than 200 similar pending cases. With companies essentially facing strict liability for their statutory violations, more suits are sure to follow. 

Alleging actual injury is often a difficult threshold in data privacy cases. Without actual injury, such as a misappropriation of an individual’s personal data, courts struggle to find redressable harm. In Rosenbach, the Court found injury from a statutory violation alone and credited this finding to the uniqueness of biometric identifiers. The Court explained that the procedural protections of the BIPA are especially needed because “technology now permits the wholesale collection and storage of an individual’s unique biometric identifiers—identifiers that cannot be changed if compromised or misused.” The BIPA itself explains, “Biometrics are unlike other unique identifiers that are used to access finances or other sensitive information. For example, social security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.”

The BIPA states, “The full ramifications of biometric technology are not fully known.” As the use of biometric information expands, and new laws are enacted to regulate such use, courts will continue to see cases involving biometric data collection, use, or breaches. The companies behind this technology or using this data need to stay abreast of potential pitfalls, liability, and increasing regulation. If you need assistance complying with biometric information laws or other privacy laws, please contact one of our Cybersecurity & Data Privacy attorneys.
