Supreme Court of Illinois holds no actual injury is required to state a claim under the Illinois Biometric Information Privacy Act
On Jan. 25, 2019, the Supreme Court of Illinois held that no allegation of actual harm is required for an individual to bring an action for a violation of the Illinois Biometric Information Privacy Act (BIPA).
The court found that the mere collection of a biometric identifier without the accompanying disclosures or written consent required by BIPA – a so-called technical violation of the statute – was sufficient to find that an individual has been “aggrieved” and may seek damages and injunctive relief under BIPA. This decision reverses the Illinois Second District Court of Appeals, which had held that in order to state a claim under BIPA, a plaintiff must allege some actual harm beyond a mere technical violation of the statute, and breathes new life into class actions brought for BIPA violations.
The Illinois Biometric Information Privacy Act
BIPA, codified as 740 Ill. Comp. Stat. §§ 14/1, et seq., became effective in 2008 and was the first state law to regulate the collection, use, and storage of biometric identifiers and biometric information. BIPA defines a biometric identifier to include a retina or iris scan, fingerprint, voiceprint, or scan or hand or face technology; and it defines biometric information to include any information based on a biometric identifier used to identify an individual (collectively, “biometric data”).
Under BIPA, a private entity possessing biometric data must comply with certain requirements, including informing individuals in writing if their biometric data is being collected or stored, and the purpose and length of time for which the biometric data is being collected, stored, and used. The entity must also obtain a written release for the biometric data executed by the individual or the individual’s legally authorized representative.
BIPA creates a private right of action for any person “aggrieved by a violation” of the statute and provides for steep damages, including the greater of actual damages or liquidated damages of $1,000 for each negligent violation, and $5,000 for each intentional or reckless violation.
Due to the increasingly popular use of biometric data and the potentially significant liquidated damages offered by the statute, the number of class action claims under BIPA has ballooned in recent years. The vast majority of those claims did not assert that the plaintiffs and potential class members suffered any actual injury as a result of the collection of biometric data in violation of BIPA. State and federal courts alike were split on what it takes to state a claim under the statute.
Rosenbach v. Six Flags Entertainment
In Rosenbach, the plaintiff brought a BIPA claim against Six Flags Entertainment Corporation for allegedly collecting his fingerprint for a season pass without providing him the requisite written disclosures or obtaining his written consent or release. The plaintiff did not allege any actual injury as a result of the technical violation or that his biometric data was sold, disclosed, or otherwise shared.
Following a motion to dismiss by Six Flags, two questions were certified for interlocutory appeal to the Second District. Both turned on whether an individual was “aggrieved,” and thus entitled to seek damages under BIPA, without alleging actual damages or adverse effects as a result of the collection of his or her biometric data. The Second District answered this question in the negative, holding that a claim was not sufficient if the defendant merely violated the statute’s technical requirements, and that a plaintiff must allege some injury as a result of the violation.
On further appeal, the Supreme Court of Illinois reversed. It explained that according to BIPA’s plain language, the statute clearly and unambiguously codified a right to biometric privacy, and further that it “defines the contours of that statutory right.” Based on this interpretation, the court held that an entity’s failure to comply with the requirements of BIPA, even without an additional injury to affected individuals, harms the individuals in that it erodes their right to biometric privacy. Thus, the court concluded, even a mere “technical violation” of the statute constitutes the loss of biometric privacy, invades a legally protected right, and renders affected individuals “aggrieved” for purposes of pursuing private right of action claims against the offending private entity under BIPA.
The Rosenbach decision creates fertile ground for claims and class action litigation against private entities doing business in Illinois. McDonald Hopkins expects substantial additional litigation under BIPA to follow Rosenbach, including as to outstanding issues such as whether an aggrieved individual can recover liquidated damages from an offending entity only once regardless of how many technical violations occurred, or whether each technical violation is separately compensable.
Looking forward, we strongly recommend that any private entity doing business in Illinois which collects, purchases, or possesses biometric data take the following precautions:
- Ensure that it has policies setting forth a retention schedule and guidelines for destroying biometric data, and that its retention and destruction policies are available to the public.
- Draft clear and unambiguous disclosures to be given to individuals prior to the collection of any biometric information informing those individuals that their biometric data is being collected and the purpose, length of time, and use for the collected information.
- Confirm that it receives and retains a clear written release for the collection of biometric data from individuals whose biometrics are being collected.
- Review internal policies and procedures to ensure that the standard of care for the storage, transmission, and protection of biometric data is reasonable for the applicable industry.
If you have any questions or would like assistance in drafting policies and procedures that comply with BIPA, please reach out to one of the attorneys listed below. McDonald Hopkins attorneys are available to help clients ensure compliance with data privacy laws and respond to potential litigation.