In a decision that will inevitably add fuel to an already furious fire, the Illinois Supreme Court has ruled in Rosenbach v. Six Flags, that plaintiffs may pursue claims under the Biometric Information Privacy Act (BIPA) based on technical violations of the statute, even absent any actual harm or damages.
BIPA is the statute at the heart of more than 200 currently pending class action lawsuits, the vast majority of which have been filed in the past two years and many of which have been on hold pending the court’s recent decision. The Act imposes various restrictions on how private entities collect, retain, disclose, and destroy “biometric identifiers” from individuals. Biometric identifiers include information such as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” Essentially, it is information that companies capture in some form, based on individual, identifiable biological identifiers. When that information is collected and stored for some commercial purpose, BIPA applies and the company collecting and/or storing the information must ensure compliance with the various notice and release procedures spelled out in the statute.
While many states have implemented biometric privacy laws, Illinois is one of the few that contains a private right of action that allows individuals to sue companies directly for violations. It also contemplates statutory liquidated damages (in the absence of actual damages) in the amount of $1,000 per negligent violation, and $5,000 per intentional violation, plus attorneys’ fees.
BIPA has been on the books since 2008 but was largely unknown and unutilized. In recent years, however, as the adoption of biometric technology became more prevalent, there has been a significant uptick in litigation. Initially, the statute was applied primarily in the consumer context and had not been weaponized against employers. Then, in late 2016, a flurry of class action lawsuits based on violations of the statute were filed, all alleging violations of the statute by employers in their use of technology that collects biometric identifiers (such as fingerprints or handprints) for various purposes, typically timekeeping or security purposes. Currently, there are more than 200 pending class action lawsuits based on BIPA in the courts.
Rosenbach v. Six Flags was a consumer case filed by a mother on behalf of her son who went to Six Flags Great America for a field trip and whose fingerprint was scanned at the park as part of a season ticket she had purchased for him. Rosenbach has not been to the park since and had not articulated any tangible harm or injury as a result of having his fingerprint scanned. The appellate court held Rosenbach was not an “aggrieved” person under the statute in the absence of an allegation of some injury or adverse effect. Illinois Supreme Court reversed, answering in the affirmative the threshold question that is at the center of many of the hundreds of pending lawsuits: whether individuals have standing to sue for technical violations of the statute, even if the person did not suffer any actual harm or injury as a result of the collection and/or storage of their biometric information. The court reasoned that the plain meaning of the statute provides that a person whose legal rights are violated by a private entity who collects, retains, or discloses biometric information without complying with BIPA’s notice and release requirements, is by definition an aggrieved party under the statute with standing to sue.
From a public policy standpoint, the court went on to admonish the appellate court’s characterization of violations sans injury as “technical,” which, it said, “misapprehends the nature of the harm our legislature is attempting to combat” through the Act. Per the court, the purpose of the Act is to vest in individuals “the right to control their biometric information by requiring notice before collection and giving them the power to say no by withholding consent.” It noted that because people cannot change their unique biometric identifiers, the unauthorized disclosure of the same causes a “real and significant” harm. Indeed, it observed, “once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.”
The court’s decision has broad implications. Most immediately, many of the pending BIPA class actions had been stayed pending the court’s decision. Now that it is apparent those plaintiffs have standing, we can expect those cases to proceed. It also seems highly likely that it will encourage a second wave of filing similar lawsuits by an emboldened plaintiffs’ bar. While individual violations are a mere $1,000 (for negligent violations) or $5,000 (for intentional or reckless violations) per violation, these fines can add up significantly when brought as a class action. Moreover, attorneys’ fees are recoverable to prevailing plaintiffs under the Act.
While Illinois’s statute is the pioneer in content and in litigation, it is no longer alone. Many states have proposed and/or adopted legislation modeled after BIPA. Thus, wherever you are, it is a good time to take stock and find out whether any biometric data is being collected from your employees in any form or for any purpose. If your organization uses biometric data for any purpose or is considering implementing devices for this purpose, you are well advised to ensure BIPA compliance to ward off liability. The good news is that its requirements are not onerous. Per BIPA, before a private entity may collect any biometric identifying information, it must first:
Inform the individual in writing that his or her biometric information is being collected or stored. The written notice must explain the specific purpose for which the information is being stored, and for how long it is being stored; and
Obtain a written release executed by the individual consenting to the collection, storage, and use of the biometric information.
This can consist of a relatively simple form that can be incorporated into an onboarding package.