In a significant ruling for businesses operating in Illinois, the Illinois Supreme Court held that plaintiffs are not required to allege actual harm to sue for liquidated damages and/or injunctive relief under the state’s biometric privacy statute. Businesses operating in Illinois should review their compliance with the statute if they collect biometric information or may do so in the future.
On January 25, the Illinois Supreme Court ruled in Rosenbach v. Six Flags Entertainment Corp. that a plaintiff can sue under the state’s Biometric Information Privacy Act (BIPA) regardless of whether an actual injury is alleged.[1] Class action litigation under BIPA is expected to intensify in the wake of Rosenbach, as many BIPA cases were stayed pending the decision or dismissed based on the reversed appellate court decision providing that actual injury was required to plead a cause of action under BIPA.
Passed in 2008, BIPA regulates how a “private entity”[2] collects, retains, discloses, and/or transmits “biometric identifiers” and “biometric information.” “Biometric identifier” means “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry,” and “biometric information” means “any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual.”[3]
In passing BIPA, the Illinois legislature observed that “[t]he use of biometrics is growing in the business and security screening sectors and appears to promise streamlined financial transactions and security screenings.”[4] It cautioned that “[b]iometrics are unlike other unique identifiers that are used to access finances or other sensitive information. . . . Biometrics . . . are biologically unique to the individual; therefore, once compromised, the individual has no recourse [and] is at heightened risk for identity theft.”[5]
BIPA requires a private entity collecting an individual’s biometric information to first
A private entity possessing biometric information must also develop a publicly available written policy “establishing a retention schedule and guidelines for permanently destroying . . . biometric information when the initial purpose for collecting . . . such . . . information has been satisfied or within 3 years of the individual's last interaction with the private entity, whichever occurs first.”[7]
BIPA is the only biometric privacy statute in the United States that allows for a private right of action. A prevailing plaintiff “aggrieved by” a BIPA violation may recover liquidated damages of $1,000 for each negligent violation (or actual damages, if they exceed $1,000) and $5,000 for each intentional or reckless violation (or actual damages, if they exceed $5,000), plus attorney fees and other litigation expenses.[8] A plaintiff can also seek injunctive relief.[9]
Because liquidated damages are assessed on an individual basis, BIPA can expose companies to significant liability. For example, a company that negligently collects biometric information from 1,000 Illinois customers and/or employees could face potential liability of $1,000,000, excluding attorney fees and other costs.
As a result, it may not be surprising that more than 200 putative BIPA class actions have been filed throughout the United States—a number that is expected to increase after Rosenbach. Many of these cases allege that businesses violated BIPA by not seeking written consent before requiring employees to use fingerprint-based timekeeping systems.
In 2016, the Rosenbach plaintiff filed a class action complaint alleging that Six Flags collected his thumbprint when he signed up for a season pass at Six Flags Great America, an amusement park in Gurnee, Illinois. The plaintiff alleges that Six Flags collects customers’ fingerprints before issuing season passes, allowing it to verify the identities of season pass–holders on subsequent visits to the park by scanning their fingerprints. He claims that Six Flags did not inform him in writing that his biometric information was being collected, that he was not told “the specific purpose and length of term for which his fingerprint had been collected,” and that he did not execute a written consent.[10]
Six Flags moved to dismiss, arguing that the plaintiff “suffered no actual or threatened injury” from the alleged BIPA violation and was thus not “aggrieved” under the statute.[11] After the trial court denied Six Flags’ motion, Six Flags filed an interlocutory appeal and the Illinois Appellate Court agreed with Six Flags; it reversed the trial court’s denial of Six Flags’ motion to dismiss, holding that a mere “technical violation” of BIPA, without some additional injury or adverse effect, does not make one “aggrieved” under BIPA.[12]
The Illinois Supreme Court has now unanimously reversed the appellate court’s decision, basing its analysis on principles of statutory construction. The court reasoned that where the legislature has wanted to require actual damages to establish standing, it has “made that intention clear.”[13] Noting that the statute has provisions regarding the collection, retention, disclosure, and destruction of biometric information, the court held that “when a private entity fails to comply with one of [BIPA’s] requirements, that violation constitutes an invasion, impairment, or denial of the statutory rights of any person or customer whose biometric identifier or biometric information is subject to the breach. . . . No additional consequences need be pleaded or proved.” The court reasoned that “[t]o require individuals to wait until they have sustained some compensable injury beyond violation of their statutory rights before they may seek recourse, as defendants urge, would be completely antithetical to the Act’s preventative and deterrent purposes.”[14]
Rosenbach will likely result in plaintiffs aggressively pursuing new and existing BIPA lawsuits. In holding that plaintiffs are not required to prove actual harm—such as disclosure of biometric information to a third party or emotional anguish—to sue under BIPA, Rosenbach may make it easier to bring BIPA cases and survive initial motion practice.
Significant questions remain, however, over how BIPA applies to companies that collect biometric information. Rosenbach’s analysis was limited to whether a plaintiff is “aggrieved” if he or she does not allege actual harm. For example, the court did not specifically address what constitutes a BIPA “violation”—whether a “violation” occurs only when biometric information is first collected or every time an individual uses his or her biometric information (to clock in or out, for example), or whether some other definition applies. Other important questions are the extent to which a defendant can be liable if a plaintiff chose to disclose biometric information despite having alternative options; and whether implied notice and consent can preclude BIPA liability. Federal courts have held that implied notice and consent may preclude BIPA liability, dismissing BIPA cases involving employees or consumers who voluntarily submit their fingerprints.[15] Some argue that such “implied consent” cases should not result in BIPA liability and are distinguishable from cases where biometric information is collected without individuals’ knowledge or consent.[16]
Standing questions may also persist. Many federal courts have refused to hear BIPA cases due to a lack of Article III standing based on the US Supreme Court's 2016 decision in Spokeo v. Robins, which held that plaintiffs cannot rely on mere statutory violations but must allege concrete and particularized harm to establish standing.[17] Thus, unless some concrete harm is alleged, BIPA cases will likely be litigated in state court.[18] But even state courts may face standing questions, as both the Illinois Constitution and Article III require actual injury to sue (even if actual injury is not required under BIPA).
In light of Rosenbach, it is important for businesses operating in Illinois to review their compliance with BIPA if they collect biometric information or consider doing so in the future. Companies should also stay informed of other biometric legislation developments. For instance, a biometric privacy law similar to BIPA, Bill Int. No. 1170, was recently introduced to New York City’s city council. Bill Int. No. 1170 would require businesses in New York City to notify customers if the businesses collect “biometric identifier information.” Like BIPA, Bill Int. No. 1170 allows for a private right of action, although it only requires businesses to notify individuals regarding the collection of biometric information rather than to provide notice and obtain written consent.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:
Philadelphia
Gregory T. Parks
Ezra D. Church
Chicago
Beth Herrington
Kenneth M. Kliebard
Miami
Anne Marie Estevez
[1] Rosenbach v. Six Flags Entm’t Corp., 2019 IL 123186, ¶¶ 33-38.
[2] “‘Private entity’ means any individual, partnership, corporation, limited liability company, association, or other group, however organized.” 740 ILCS 14/10. BIPA does not apply to a state or local government agency; any Illinois court; a clerk of any Illinois court; or a judge or justice of any Illinois court. See id.
[3] 740 ILCS 14/10.
[4] 740 ILCS 14/5(a).
[5] 740 ILCS 14/5(c), (f).
[6] 740 ILCS 14/15(b).
[7] 740 ILCS 14/15(a).
[8] 740 ILCS 14/20(1)-(3).
[9] 740 ILCS 14/20(4).
[10] Rosenbach, 2019 IL 123186, ¶¶ 8-9.
[11] Id. ¶ 12.
[12] Rosenbach v. Six Flags Entm't Corp., 2017 Ill. App. 2d 170317, ¶¶ 21-23, rev'd, 2019 IL 123186.
[13] Rosenbach, 2019 IL 123186, ¶ 25 (citing the Illinois Consumer Fraud and Deceptive Business Practices Act, 815 ILCS 505/10a(a), under which a plaintiff must allege actual damages to have a right of action).
[14] Id. ¶¶ 33, 37 (citations omitted).
[15] See, e.g., McGinnis v. U.S. Cold Storage, Inc., No. 17 C 08054, 2019 WL 95154, at *4 (N.D. Ill. Jan. 3, 2019) (citing cases).
[16] See, e.g., Patel v. Facebook Inc., 290 F. Supp. 3d 948, 951 (N.D. Cal. 2018) (denying motion to dismiss where “[p]laintiffs allege that Facebook collected users' biometric data secretly and without consent”).
[17] Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016).
[18] See, e.g., Dixon v. Washington & Jane Smith Cmty.-Beverly, No. 17 C 8033, 2018 WL 2445292, at *9-12 (N.D. Ill. May 31, 2018) (denying defendant’s motion to remand and motion to dismiss where plaintiff alleged disclosure of her biometric information to third party).