On January 25, 2019, the Illinois Supreme Court found that data subjects do not need to allege a concrete injury in order to sue under the Biometric Information Privacy Act (Act) (740 ILCS 14/1 et seq., BIPA).
Contrary to the appellate court’s view, the Illinois Supreme Court found that “actual injury or adverse effect” is not necessary in order to qualify as an “aggrieved” person and be entitled to seek liquidated damages and injunctive relief.
The Law: the BIPA regulates how private entities collect, retain, disclose and destroy biometric identifiers (such as retina or iris scans, fingerprints, voice prints, scans of hand or face geometry, or biometric information).
Under the BIPA any person “aggrieved” by a violation of its provisions has the right to act against an offending party and “may recover for each violation” the greater of liquidated damages or actual damages, reasonable attorney fees and costs, and any other relief, including an injunction, that the court deems appropriate.”
Facts: Defendants owned an amusement park in Gurnee, Illinois. To allow repeat-entry passes, Defendants used a system that “scans pass holders’ fingerprints; collects, records and stores ‘biometric’ identifiers and information gleaned from the fingerprints; and then stores that data in order to quickly verify customer identities upon subsequent visits by having customers scan their fingerprints to enter the theme park.”
According to Plaintiffs, and contrary to the BIPA, they weren’t “informed in writing or in any other way of the specific purpose and length of term for which his fingerprint had been collected. Neither of them signed any written release regarding taking of the fingerprint, and neither of them consented in writing to the collection, storage, use sale, lease, dissemination, disclosure, redisclosure, or trade of, or for [defendants] to otherwise profit from, Alexander’s thumbprint or associated biometric identifiers or information.” In addition, Defendants “have not publicly disclosed what was done with the information or how long it will be kept, nor do they have any written policy made available to the public that discloses [defendants’] retention schedule or guidelines for retaining and then permanently destroying biometric identifiers and biometric information.” The plaintiff sought damages under the BIPA and asserted a common-law action for unjust enrichment.
Procedural posture: The circuit court denied the damages and injunctive relief under the BIPA, granted the unjust enrichment claim, and dismissed it with prejudice.
Defendants sought interlocutory review of the circuit court’s ruling before Illinois Supreme Court.
The following two questions of law were identified by the circuit court:
(1) “[w]hether an individual is an aggrieved person under §20 of the Illinois Biometric Information Privacy Act, 740 ILCS 14/20, and may seek statutory liquidated damages authorized under §20(l) of the Act when the only injury he alleges is a violation of §l5(b) of the Act by a private entity who collected his biometric identifiers and/or biometric information without providing him the required disclosures and obtaining his written consent as required by §15(b) of the Act,” and
(2) “[w]hether an individual is an aggrieved person under §20 of the Illinois Biometric Information Privacy Act, 740 ILCS 14/20, and may seek injunctive relief authorized under §20(4) of the Act, when the only injury he alleges is a violation of §15(b) of the Act by a private entity who collected his biometric identifiers and/or biometric information without providing him the required disclosures and obtaining his written consent as required by §15(b) of the Act.”
In December 2017, the appellate court granted review of the circuit court’s order and answered both certified questions in the negative. In its view, a plaintiff is not “aggrieved” within the meaning of the BIPA and may not pursue either damages or injunctive relief under the Act based solely on a “technical violation of the Act.” Additional injury or adverse effect (not necessarily pecuniary) must be alleged. 2017 IL App (2d) 170317, Id.¶28.
Reviewing the case de novo, the Supreme Court, reached the opposite conclusion and found no actual injury in order to be considered an “aggrieved person”. The Supreme Court explained that “to be aggrieved simply “means having a substantial grievance; a denial of some personal or property right.” Glos v. – 10 – People, 259 Ill. 332, 340 (1913). A person who suffers actual damages as the result of the violation of his or her rights would meet this definition of course, but sustaining such damages is not necessary to qualify as “aggrieved.” Rather, “[a] person is prejudiced or aggrieved, in the legal sense, when a legal right is invaded by the act complained of or his pecuniary interest is directly affected by the decree or judgment.” (Emphasis added.) Id.¶31.
When a private entity fails to comply with one of the BIPA requirements, that violation already “constitutes an invasion, impairment, or denial of the statutory rights of any person” whose biometric information is subject to the breach. “Consistent with the authority cited above, such a person or customer would clearly be “aggrieved” within the meaning of section 20 of the Act (id. § 20) and entitled to seek recovery under that provision. No additional consequences need be pleaded or proved. The violation, in itself, is sufficient to support the individual’s or customer’s statutory cause of action.” “The injury is real and significant.”
Rosenbach v. Six Flags is available at http://www.illinoiscourts.gov/Opinions/SupremeCourt/2019/123186.pdf
More on privacy issues in biometric is available at http://www.technethics.com/privacy-issues-in-biometrics/
More cases on data privacy cases and standing: here, here,here, and here.
For more information on this and for advice on privacy and data protection, contact Francesca Giannoni-Crystal