Illinois Supreme Court Finds that Companies Could Be Held Liable for Non-compliance with Statutory Privacy Safeguards

January 2019

On January 25, 2019, the Illinois Supreme Court ("Court") ruled in Rosenbach v. Six Flags Entertainment Corp. that if an entity that collects, maintains, stores, or transfers biometric data merely fails to comply with statutory requirements when obtaining this information, this alone is sufficient “injury” to allow consumers to sue for damages and injunctive relief. This case underscores the privacy safeguards under the Illinois Biometric Information Privacy Act (BIPA), which carries penalties that could exceed $5,000 per violation. According to the Court, no data breach, wrongful disclosure, or actual injury to the consumer is required for a company to be subject to civil liability under the BIPA. To avoid potentially significant liability, all entities handling information subject to the BIPA should review their policies, procedures, and methods for collecting and storing such data. 

The BIPA has been in effect for more than a decade and governs how entities operating in Illinois handle consumer biometric data. It requires these companies to obtain explicit written consent from an individual before collecting any biometric identifiers, such as fingerprints, retinal scans, or face scans. The BIPA allows for “aggrieved” individuals to sue for violations of the Act, which is exactly what Stacy Rosenbach did when she found out that Six Flags had collected her 14-year-old son’s fingerprint, in an effort to streamline park entrance for season pass holders and allegedly without consent or adequate disclosure. The BIPA also requires companies to inform individuals in writing when collecting or storing biometric identifiers and to disclose the specific purpose and duration for which that data is kept. 

Six Flags argued that to recover under the BIPA, a plaintiff must sustain an “actual injury or harm” rather than simply allege a “technical violation” of the BIPA. The Court disagreed, explaining that when a company fails to adhere to the statutory procedures, an individual’s right of privacy “vanishes into thin air.” It added, “This is no mere ‘technicality.’ The injury is real and significant.” The statutory violation itself was sufficient; otherwise, consumers would be required to wait until some quantifiable harm occurred, which was not the legislature’s intent when it enacted the BIPA.

The Court also said, “Compliance should not be difficult; whatever expenses a business might incur to meet the law’s requirements are likely to be insignificant compared to the substantial and irreversible harm that could result if biometric identifiers and information are not properly safeguarded.” The ruling could affect the more than 200 similar pending cases. With companies essentially facing strict liability for their statutory violations, more suits are sure to follow. 

Alleging actual injury is often a difficult threshold in data privacy cases. Without actual injury, such as a misappropriation of an individual’s personal data, courts struggle to find redressable harm. In Rosenbach, the Court found injury from a statutory violation alone and credited this finding to the uniqueness of biometric identifiers. The Court explained that the procedural protections of the BIPA are especially needed because “technology now permits the wholesale collection and storage of an individual’s unique biometric identifiers—identifiers that cannot be changed if compromised or misused.” The BIPA itself explains, “Biometrics are unlike other unique identifiers that are used to access finances or other sensitive information. For example, social security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.”

The BIPA states, “The full ramifications of biometric technology are not fully known.” As the use of biometric information expands, and new laws are enacted to regulate such use, courts will continue to see cases involving biometric data collection, use, or breaches. The companies behind this technology or using this data need to stay abreast of potential pitfalls, liability, and increasing regulation. If you need assistance complying with biometric information laws or other privacy laws, please contact one of our Cybersecurity & Data Privacy attorneys.
