The Illinois Biometric Information Privacy Act (IBIPA) has been grabbing headlines of late as class action lawsuits under IBIPA’s private right of action are piling up, but an Illinois state appeals court recently held that a plaintiff “must allege some actual harm,” potentially stemming the flood of litigation.
Noting that biometric identifiers are biologically unique and permanent (unlike, for example, passwords) and thus irreparably problematic if compromised, IBIPA regulates the collection, retention, disclosure, and destruction of biometric identifiers and biometric information.
Under the statute, “biometric identifiers” are retina or iris scans, fingerprints, voiceprints, and hand or face geometry scans. Some exceptions, such as writing samples, written signatures, and physical descriptions, are specifically listed. The second category of regulated data, “biometric information,” broadly includes any information “based on an individual’s biometric identifier used to identify an individual.” Companies, therefore, can’t evade the purview of the law by converting a biometric identifier into a new identifier—say, a unique number.
Under IBIPA, private entities in possession of biometric identifiers or biometric information must
- establish, follow, and make available a written policy regarding the retention and destruction of such data;
- provide written notice regarding the collection of such data, including the purpose and duration of such collection;
- obtain a written release from the data subject;
- not sell or profit from such data;
- not disclose such data (with some limited exceptions); and
- use reasonable care, at least equivalent to such entity’s practices regarding other confidential and sensitive information, to protect such data.
IBIPA includes an express private right of action that entitles a prevailing party to attorney fees and the greater of actual damages or liquidated damages, which are $1,000 per negligent violation or $5,000 per intentional or reckless violation. In employer or consumer settings, aggregate damages could soar. This private right of action, though, is limited to a person “aggrieved” by an IBIPA violation. The court in Rosenbach v. Six Flags Entertainment Corp. & Great America LLC found this qualifier to be determinative.
The plaintiff in Rosenbach argued that an amusement park had collected a fingerprint, for season pass entry purposes, without properly obtaining written consent or disclosing a biometric plan. But the plaintiff did not allege any actual injury arising from the amusement park’s conduct. Because IBIPA does not define “aggrieved,” the court turned to statutory interpretation principles. Reasoning that the Illinois legislature included the word “aggrieved” to limit the scope of actionable claims, and reluctant to render the term superfluous, the court held that a person must allege “some injury or adverse effect” (emphasis in original) to qualify as an aggrieved person under IBIPA.
Although private IBIPA claims must satisfy some minimum threshold of harm, risks remain for companies that collect and use biometric data. Rosenbach raises issues similar to those analyzed by the US Supreme Court in Spokeo, where the standing question has yet to be settled. The necessary concrete harm to a personal, privacy, pecuniary, or property right could be relatively minimal, given the stated intent of IBIPA based on the unique and permanent nature of biometrics. Anxiety or increased risk suffered by an individual might even suffice. Illinois requires a plaintiff to put his or her finger on some actual harm, but the wound might not need to be deep—or even tangible.