The Illinois Supreme Court has ruled that consumers don’t have to show particular harm to sue companies under the state’s biometric privacy law.
The Jan. 25 ruling opens the door for plaintiffs in more than 100 cases pending in Illinois courts to seek damages. Dozens of restaurants, manufacturers, hospitals, and retailers have been sued over the last three years including United Airlines Inc., Wendy’s International Inc., Hooters Inc., Life Time Fitness Inc., Caesars Entertainment Group, and Roundy’s Supermarkets Inc.
In the case before the court, an Illinois mother complained that Six Flags Entertainment Corp. scanned her 14-year-old son’s thumbprint without her consent.
In a 7-0 ruling, the high court reversed an appeals court decision that held plaintiffs must demonstrate injury or adverse effect, in addition to evidence of a privacy violation, to have standing to sue under the Illinois Biometric Information Privacy Act (BIPA). The state’s high court said the statute and legislative history require no proof of special harm to allege misuse of biometric data.
“To require individuals to wait until they have sustained some compensable injury beyond violation of their statutory rights before they may seek recourse, as defendants urge, would be completely antithetical to the Act’s preventative and deterrent purposes,” Chief Justice Lloyd A. Karmeier wrote on behalf of the court.
The court showed little patience for employers and businesses that misuse biometric information.
“Compliance should not be difficult; whatever expenses a business might incur to meet the law’s requirements are likely to be insignificant compared to the substantial and irreversible harm that could result if biometric identifiers and information are not properly safeguarded,” Karmeier wrote.
First in the Nation
Illinois was the first state to enact a law governing the privacy of biometric data, such as fingerprints, retinal scans, and scans of facial geometry. Employers and businesses are limited under the law in how they can collect and use biometric information. The law requires written notice to and consent from individuals to collect and store their biometric data.
While other states have enacted similar restrictions, the Illinois statute is the only one that grants aggrieved parties a private right of action. Penalties for violating the law can be substantial—$1,000 per negligent violation and $5,000 per willful or reckless violation.
Lead plaintiffs’ counsel David M. Oppenheim called the ruling “a good day for the plaintiffs” and consumers confronting an increasingly complex and shadowy digital privacy landscape. Oppenheim, a partner at Bock, Hatch, Lewis & Oppenheim LLC in Chicago, said the ruling would “encourage companies to take reasonable and entirely non-burdensome steps” to ensure biometrics are protected.
Alan Butler, senior counsel for the Electronic Privacy Information Center, said the ruling preserves privacy rights as intended by the Illinois legislature.
“As the Court explains, it is simply not correct to say that violations of BIPA and other privacy laws are mere ‘technicalities.’ The core purpose of the law is to ensure that individuals have the right to control their biometric information,” said Butler, who filed a friend of the court brief in the case.
The ruling supercharges plaintiff groups in dozens of lawsuits by sweeping away the most prevalent defense strategy.
“The defense bar has been fighting for years in both the courts and the legislature to gut the law,” Jay Edelson, founder of Chicago-based Edelson PC and lead counsel in two dozen class actions under BIPA, told Bloomberg Law in an email. “Like all of their attempts before, this one failed.”
The ruling had an immediate impact on pending cases.
Edelson’s boutique class action firm reached a handful of settlements just hours before the high court’s ruling. Details of the agreements will be announced shortly, Edelson said. He added that the class members would achieve “terrific relief”—in some cases over $1,000 each.
Edelson also said the ruling could prove problematic for Facebook Inc., which was accused of BIPA violations in a federal court in California.
Plaintiff Frederick Gullen, represented by Edelson, claims Facebook used a facial recognition scan to capture biometric data without his consent. Last April a district court ruled against Gullen, but the matter has been appealed to the Ninth Circuit. Edelson said Facebook premised its defense on the same “injury or adverse effect” logic argued by Six Flags.
“This means that we expect a good ruling from the Ninth Circuit and hope to try that case this year,” he said.
Employers Watching Closely
Six Flags didn’t immediately respond to a request for comment, but a business group watching the case spoke out against the opinion.
“We are disappointed with the decision and are currently reviewing it in detail to assess the full ramifications of it,” Angelo Amador, executive director of the National Restaurant Association’s Restaurant Law Center, told Bloomberg Law.
The association, which filed a friend of the court brief supporting Six Flags, has estimated 88 percent of the active cases in Illinois involve challenges to an employer’s use of a biometric device.
Attorneys focusing on privacy compliance said the ruling highlights the need for careful use of biometric systems because even technical violations of BIPA would now trigger the penalty features of the law.
“I take issue with that paragraph about compliance not being difficult,” Jeffrey Neuburger, a partner at Proskauer Rose LLP in New York, said. “One thing businesses deal with every day is the application of old law to new technology and new business models. For a judge to say compliance should not be difficult is not really right. They have no idea what’s really happening.”
The court’s ruling turns BIPA into a “gotcha statute” based on any failures to employ “magic words when using technology that incorporates biometrics,” Justin Kay, a partner in the Chicago office of Drinker Biddle & Reath, said.
Kay predicted a mad dash to courthouses in the aftermath of the Six Flags ruling, but also a renewed effort in the Illinois legislature to amend the statute.
The case is Rosenbach v. Six Flags Entertainment Corp., Ill., No. 123186, opinion 1/25/19.
To read more from Privacy & Data Security Law News pleaseOR Request Trial
(Corrects 16th paragraph to say settlements came before the high court's ruling. )