Illinois Supreme Court opens floodgates for class action litigation under state’s biometric privacy law
This is a guest post by Ana Tagvoryan, Jeffrey N. Rosenthal and David J. Oberly, attorneys at Blank Rome LLP.
In recent years, putative class action lawsuits under the Illinois Biometric Information Privacy Act (BIPA) have increased substantially due to the rapid adoption of biometric technology applications by businesses—such as biometric fingerprinting of employees to provide secure building access, biometric scans to authenticate transactions on mobile applications, and biometric time clocks that use fingerprint scanning or facial recognition to track employee time and attendance.
To date, those lawsuits have seen mixed results; a good portion filed in federal court fail due to plaintiff’s inability to establish Article III standing in the absence of any alleged actual injury/harm sustained as a result of the alleged BIPA violation. But in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Ill. 2019), the Illinois Supreme Court significantly altered the playing field in terms of BIPA litigation in state courts when it ruled plaintiffs may pursue a claim for damages and injunctive relief for mere technical violations of the BIPA—even where no actual harm/damage is sustained.
The opinion is significant for data privacy and class action litigators alike, as it will likely lead to a significant uptick in the number of BIPA class actions in the foreseeable future. So too does it open the door to significant potential exposure for companies utilizing biometric information as part of their business operations, whereby plaintiffs do not need to allege (or establish) actual injury/harm to maintain a cognizable claim pending in state court under Illinois’s BIPA.
Overview of the Illinois Biometric Information Privacy Act
BIPA was enacted in 2008 to help regulate the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information. BIPA imposes numerous restrictions on how private entities collect, retain, disclose, and destroy biometric identifiers, including retina or iris scans, fingerprints, voiceprints, scans of hand or face geometry, or biometric information. The requirements of BIPA are enforceable through private rights of action; specifically, BIPA provides any person “aggrieved” by a violation of its provisions “shall have a right of action . . . against an offending party,” and may recover for each violation the greater of liquidated damages or actual damages, reasonable attorney’s fees and costs, and any other relief the court deems appropriate, including injunctive relief.
Factual and procedural background
Six Flags operates amusement parks across the country, and since at least 2014, has used a fingerprinting process when issuing repeat-entry passes. Six Flags’ system is said to scan pass holders’ fingerprints; collect, record, and store “biometric” identifiers and information gleaned from the fingerprints; and then store that data to quickly verify customer identities upon subsequent visits by having customers scan their fingerprints to enter the theme park. Plaintiff Stacy Rosenbach purchased a season pass for her 14-year old son, Alexander, after Alexander visited the park on a school field trip. At that time, Alexander had his thumb scanned into Six Flags’s biometric capture system and received his season pass card. The card and his thumbprint, when used together, enabled him to gain access as a season pass holder.
The elder Rosenbach subsequently filed suit alleging Six Flags violated BIPA by failing to inform its customers that biometric information was being collected and stored, the specific purposes for which the fingerprint had been collected, and for how long the company would keep and use the fingerprint, as well as by failing to obtain a written release before collecting the fingerprint. Rosenbach sought both liquidated damages and injunctive relief under BIPA.
At the trial court level, the judge denied Six Flags’s motion to dismiss Rosenbach’s BIPA claim. The appellate court reversed, finding that a plaintiff who alleges only a technical violation of the statute, without alleging some injury or adverse effect, is not an “aggrieved” person and therefore cannot pursue a claim stemming from a violation of BIPA.
The Illinois Supreme Court ruling
At issue before the Illinois Supreme Court was whether an individual qualifies as an “aggrieved” person—and thus may seek liquidated damages and injunctive relief under BIPA—if he or she has not alleged any actual injury, damage, or other adverse effect beyond a mere technical violation of the statute. Six Flags contended an individual must have sustained some actual injury or harm—apart from the statutory violation itself—to sue under BIPA. According to Six Flags, a violation of the statute—without more—is not actionable.
The Illinois high court rejected Six Flags’ position, finding instead that an individual need not allege any actual injury/damages to pursue a cognizable claim and be entitled to seek liquidated damages and injunctive relief under BIPA. In reaching this decision, the Court relied on four primary rationales.
First, the Court found that under principles of statutory construction, Six Flags’s construction of BIPA as limiting the right to bring a cause of action to circumstances where an individual has sustained some actual damage was untenable. Indeed, the Court noted that when the Illinois General Assembly intends to require plaintiffs to show actual harm to pursue a private right of action it makes that intention clear. Here, however, the statute simply states “[a]ny person aggrieved by a violation of this Act shall have a right of action[.]” As such, accepted principles of statutory construction compelled the Court conclude a person need not have sustained actual damage beyond a violation of his or her rights under BIPA to bring a cause of action.
Second, the Court found the definition of “aggrieved” also supported its conclusion. In the Court’s view, based on both the Court’s definition of the term in prior cases, as well as the standard dictionary definition of “aggrieved,” the word means merely suffering an infringement of a legal right, without more.
Third, the Court also relied on the fact that a violation of BIPA’s requirements—in and of itself—constituted an “injury” that is “real and significant” because “when a private entity fails to adhere to the statutory procedures . . . ‘the right of the individual to maintain his or her biometric privacy vanishes into thin air.’”
Finally, the Court found the intended purposes and goals of BIPA required allowing individuals to pursue legal action simply upon a BIPA violation, without mandating an individual suffer an additional injury before seeking legal recourse. In doing so, the Court highlighted that to achieve the purpose of providing Illinois residents with a right to control their biometric information, it was necessary to subject private entities who fail to follow the statute’s requirements to substantial potential liability. By subjecting offending entities to such broad liability for failure to comply with the law’s requirements without requiring affected individuals or customers to show some injury beyond a violation of their statutory rights, those entities had the strongest possible incentive to conform to the law and prevent problems—which cannot be undone—before they occur. Conversely, to require individuals to wait until they sustain some sort of compensable injury beyond a violation of their statutory rights would be completely antithetical to BIPA’s preventative and deterrent purposes.
Takeaways: no harm, still foul?
Rosenbach is extremely noteworthy for both data privacy and class action litigators. The opinion eliminates the essential requirement of having to demonstrate an actual injury/harm to pursue legal recourse for alleged BIPA violations. The elimination of this core requirement will likely result in a significant uptick in the number of BIPA-related lawsuits filed across the country, as more plaintiffs attempt to bring claims based exclusively on technical violations.
To make matters worse, the ruling now exposes companies to significant potential exposure for technical failures to fully comply with the BIPA. In the class action context, Rosenbach opens the floodgates to a potential new wave of extremely costly litigation, with damage figures that will almost certainly be widely disproportionate to the nature and extent of the violations. In this respect, a prevailing party in a BIPA suit is entitled to $1,000 per negligent violation, and $5,000 per willful violation, or actual damages, whichever is greater, as well as attorney’s fees. Although this damages figure may seem small, companies must keep in mind a class of just ten thousand consumers under the BIPA would subject a company to $10 million in potential exposure.
With that said, plaintiffs will not be afforded such an easy path with respect to BIPA claims filed in federal court. Importantly, although Illinois state courts require an injury-in-fact, standing is not jurisdictional (as it is in federal court), but instead is merely an affirmative defense that is the defendant’s burden to establish. Consequently, Illinois courts are generally not as restrictive as compared to their federal counterpart as it relates to the issue of standing, with Illinois courts holding that standing “should not be an obstacle to the litigation of a valid claim.” In federal court, however, BIPA plaintiffs must contend with the U.S. Supreme Court’s decision in Spokeo, Inc. v. Robins, 136 S.Ct. 1540 (2016), in which the Court set out the general rule that a “bare procedural violation” of a statute is not automatically enough to satisfy the concreteness requirement of Article III standing. In fact, just a few weeks before the Rosenbach case was decided, an Illinois federal court in Rivera v. Google, No. 16 C 02714 (N.D. Ill. Dec. 29, 2018), dismissed a BIPA lawsuit against Google pertaining to the company’s photo app technology based on an absence of any “concrete injury” sufficient to confer Article III standing in connection with Google’s alleged technical violations of the BIPA, demonstrating that federal courts have offered a differing interpretation vis-à-vis Illinois state courts as it relates to the issue of technical violations of the BIPA, albeit on different grounds.
Finally, Rosenbach highlights the importance of ensuring strict compliance with the stringent requirements of BIPA and other state biometric privacy laws to mitigate litigation risk for companies dealing with biometric information. While Illinois has led the way in enacting biometric privacy legislation, it will certainly not be the last state to legislate biometric data. Many other states across the country have proposed or adopted legislation modeled after BIPA; it is also reasonable to posit that other states will follow suit and enact similar legislation, leading to greater regulation of companies that deal with biometric information across the nation.
It is evident companies who utilize biometric information—regardless of where they do business—must take extra care as related to the collection, use, storage, and destruction of this type of data. Companies should also devote the necessary time and effort to review and evaluate existing biometric policies and practices and, if appropriate, develop and implement new policies and release agreements that ensure compliance with BIPA’s strict requirements. In particular, to ensure compliance with BIPA and similar laws, companies must: (1) inform customers in writing that their biometric information is being collected or stored, with an explanation of the purposes for which the information is being stored, and for how long the information is being stored; and (2) obtain a written release agreement that provides customers’ consent to the collection and use of their biometric data. Failure to do so could result in yet another company being swept away by the ensuing flood of BIPA litigation.
About the authors
Ana Tagvoryan is a partner at Blank Rome LLP and serves as chair of the Firm’s Privacy Class Action Defense group and vice chair of the Corporate Litigation group. Jeffrey N. Rosenthal is a partner at Blank Rome LLP. He concentrates his complex corporate litigation practice on consumer and privacy class action defense, and regularly publishes and presents on class action trends, attorney ethics and social media law. David J. Oberly is an associate at Blank Rome LLP and is also a member of the Firm’s Cybersecurity & Data Privacy group.
DISCLAIMER: BiometricUpdate.com blogs are submitted content. The views expressed in this blog are that of the author, and don’t necessarily reflect the views of BiometricUpdate.com.