Illinois Supreme Court Rules No "Actual Harm" Needed to File Suit Under Biometric Law
Client Alert | 5 min read | 02.05.19
On January 25, 2019, the Illinois Supreme Court in Rosenbach v. Six Flags Entertainment Corp. ruled unanimously that plaintiffs do not need to allege “some actual injury or adverse effect” in order to challenge alleged violations of Illinois’ Biometric Information Privacy Act (BIPA). BIPA governs how companies collect, retain, disclose, and destroy Illinois consumers’ biometric information, such as fingerprints, facial scans, and retina or iris scans. In so ruling, the Court reversed a 2017 decision from the Illinois Court of Appeals, which held that plaintiffs could not maintain BIPA claims or recover the automatic liquidated damages—$1,000 for each negligent violation, $5,000 for each reckless or intentional violation—based purely on “technical” violations that caused no “actual harm.” To the contrary, the Supreme Court expressly held that the loss of an individual’s right to control her “biometric privacy” is a “real and significant” injury on its own—whether or not that loss has any real-world effect.
The highly anticipated decision has far-reaching implications for companies that collect and retain biometric data from their consumers or employees. The last few years have seen an explosion in class-action litigation under BIPA, with more than 200 such cases currently pending—a trend that is likely to intensify. Since the appellate court’s 2017 decision, many defendants have prevailed by arguing that the plaintiffs had not suffered any “actual injury or adverse effect” arising from the statutory violations they alleged. The Supreme Court’s decision effectively takes this no-injury defense off the table—not only in state court, but potentially in federal court, as well.
What the Court Held
By way of background, BIPA specifically prohibits any private entity from collecting, capturing, purchasing, receiving through trade, or otherwise obtaining a person’s biometric identifier or biometric information unless the entity first (1) informs the subject in writing that a biometric identifier or biometric information is being collected or stored; (2) informs the subject in writing of the specific purpose and length of term of such collection, storage, and use; and (3) receives a written release from the subject.
BIPA provides a private right of action for anyone “aggrieved” by a violation of BIPA. Other than this private right of action, no other enforcement mechanism is available. Not surprisingly, the question of what it means to be “aggrieved” has become the subject of intense controversy.
In Rosenbach v. Six Flags, Stacy Rosenbach sued the amusement park under BIPA for collecting her son’s fingerprints during a school field trip without first obtaining his written consent. Since at least 2014, the park had used fingerprinting to issue repeat-entry passes in an effort to streamline the process. Neither Rosenbach nor her son signed any written release consenting to the fingerprint collection.
Six Flags argued that Rosenbach could not bring suit under BIPA because her son was not “aggrieved”: he had not suffered any actual injury as a result of having his fingerprints collected and stored, and a technical violation of the statute, without more, is not actionable. On appeal, the Illinois Court of Appeals sided with Six Flags, holding that the statutory term “aggrieved” required “some actual injury, adverse effect, or harm.”
The Illinois Supreme Court disagreed, finding no evidence in the statute’s text that the legislature intended to “limit a plaintiff’s right to bring a cause of action to circumstances where he or she has sustained some actual damage, beyond violation of the rights conferred by the statute, as a result of the defendant’s conduct.” The Court took note of several other statutes in which the Illinois legislature explicitly required plaintiffs to allege actual damage apart from a technical violation. The Court also analogized BIPA to the AIDS Confidentiality Act, which made violations actionable without “proof of actual damages.”
The Court further held that the Illinois legislature had intended to codify an individual legal “right to privacy in and control over biometric identifiers and biometric information.” The Court cited the legislature’s findings regarding the risks posed by the growing use of biometrics, noting that, unlike other identifiers such as social security numbers, biometrics are unique to the individual and cannot be changed. Therefore, according to the legislature, “once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.” For these reasons, the Court held that, to qualify as “aggrieved,” a plaintiff need not allege “some actual injury or adverse effect” beyond a violation of the privacy rights codified by BIPA; rather, the loss of such privacy was itself a “real and significant” injury giving rise to a cause of action.
What Comes Next
The Rosenbach decision seemingly deprives defendants of the useful “no-injury” defense to BIPA claims, at least in Illinois state court. Companies will still be able to make similar arguments in federal court, relying on the U.S. Supreme Court’s holding in Spokeo, Inc. v. Robins that plaintiffs must allege “concrete harm” in order to establish standing to proceed in federal court under Article III.
But there is a split among federal courts regarding the necessity of “actual harm” to sustain a BIPA claim in federal court. Just last month, Google obtained dismissal in Rivera v. Google, a BIPA class action filed in the Northern District of Illinois, by arguing that the plaintiffs had failed to allege how Google’s scans of their facial geometry in pictures uploaded to Google Photos had caused them “concrete injury.” But a number of other federal decisions have rejected such arguments, finding that an alleged “invasion of privacy rights” under BIPA, without more, is enough to ground Article III standing. For example, in In re Facebook Biometric Information Privacy Litigation—one of the highest-profile BIPA class actions to date—the Northern District of California has repeatedly rejected Facebook’s arguments that the plaintiffs must establish some “actual injury” apart from the platform’s alleged collection and retention of their facial scans. (The district court’s decision granting class certification is currently on appeal before the Ninth Circuit.)
What’s more, even where defendants have succeeded in dismissing BIPA claims from federal court, many plaintiffs have gotten a second bite at the apple by simply re-filing in Illinois state court. In fact, the Rivera plaintiffs recently did exactly this, re-filing their dismissed suit against Google in state court. Given the Illinois Supreme Court’s reasoning in Rosenbach—which cited approvingly the In re Facebook decisions finding standing—these “no-injury” arguments are not likely to succeed in Illinois state court, even though the Illinois constitution has a standing requirement that is similar to Article III.
Based on Rosenbach, the major battleground for BIPA litigation going forward is likely to be Illinois state court. Expect to see the next round of such litigation focus on the meaning of other BIPA provisions and requirements: for example, (1) what types of information qualify as “biometric identifiers” under the statute; (2) how much information must be provided to consumers or employees in order to satisfy “informed consent”; (3) what constitutes a “negligent” violation of the statute for purposes of awarding liquidated damages; and (4) whether companies can demonstrate “implied” consent as a defense to liability. Class certification will also be an active and hotly contested issue, as more cases proceed past the pleading stage towards summary judgment and trial. The Rosenbach decision, in short, simply marks the end to the first chapter of BIPA litigation; many of the thorniest, and most crucial, issues are yet to be resolved.
Insights
Client Alert | 2 min read | 11.14.24
SEC ESG Enforcement Is Still Alive
On November 8, 2024 the SEC announced a settled enforcement action against Invesco Advisers, Inc. for making misleading statements about its integration of environmental, social, and governance (ESG) factors into the firm’s investment decisions. Invesco agreed to pay a $17.5 million civil penalty to settle the matter. This enforcement action makes it clear that, even though the SEC dissolved its ESG Task Force, the Commission continues to monitor firms’ statements and representations for misleading statements about ESG.
Client Alert | 8 min read | 11.12.24
Client Alert | 3 min read | 11.11.24
Allegations of a Litany of Lyin’: Penn State Settles Claims of Cybersecurity Noncompliance
Client Alert | 1 min read | 11.08.24
A Common-Sense Change to the Continuous SAM Registration Requirement at FAR 52.204 7