About four years ago, the plaintiffs’ bar began filing cases asserting claims under the then-little-heard-of Illinois Biometric Information Privacy Act (BIPA), which regulates the collection, use, and storage of “biometric information” and “biometric identifiers”—things like finger scans and face scans.

Defendants’ immediate response to these lawsuits was to attack the claims for failing to satisfy a threshold standing issue: while the plaintiffs may have alleged that they did not receive certain BIPA-mandated disclosures or that they did not execute the BIPA-mandated written release, they failed to allege any additional harm separate and apart from those technical violations.

That, according to the defendants, meant that the plaintiffs lacked a “concrete” injury (as required by Article III) and were not “aggrieved” (the statutory requirement for filing suit).

Move to State Court

While not every court accepted these arguments, enough early federal decisions did (in particular, the Article III argument) that the plaintiffs’ bar, rather than litigate the Article III issue in federal court, turned to state court to file their lawsuits. In state court, defendants repeated their argument that the plaintiffs’ claims still failed to satisfy the statutory standing requirement that the plaintiff was “aggrieved.”

This argument worked its way through the state courts, and in late January, the Illinois Supreme Court rendered its decision. Invoking its interpretation of other statutes, the dictionary definition of the term “aggrieved,” and consumer privacy policy considerations, the Illinois Supreme Court ruled in Rosenbach v. Six Flags Entertainment Corporation that the failure to comply with BIPA’s technical requirements alone is sufficient to state a claim, and that “no additional consequences need be pleaded or proved.”

This decision’s establishment of such a low bar for filing a lawsuit will have a significant impact on the many BIPA lawsuits already pending, spur additional BIPA lawsuits, and generate further discussions regarding amending the statute following two failed efforts in recent years to do so.

What Should You Tell Businesses in Illinois Using Biometric Technology?

The Illinois Supreme Court’s Rosenbach decision creates a very expensive trap for those who use biometrics. All attorneys advising entities doing business in Illinois should urge their clients to conduct a rapid internal audit to determine whether they, or any agent or contractor, are using or exploring the use of biometrics for any reason.

If the answer is yes, the next step is to:

  • verify that that either in-house or outside counsel was involved in the program and approved its implementation, and
  • double-check to ensure that the program remains compliant.

It is important to understand that BIPA impacts a wide range of business, not just tech companies.

While it is true that some of the earliest (and most well-publicized) BIPA-claims involved well-known tech companies and their alleged use of face-scanning technology, the most frequent basis for a lawsuit has been the allegedly unlawful use of finger-scanning biometric time clocks. Biometric time clocks are used by many businesses, including many small businesses that likely do not have in-house counsel carefully monitoring legal developments in this area.

What is BIPA?

As noted above, BIPA regulates the collection, use, and storage of “biometric identifiers” and “biometric information,” which are defined respectively as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry” (with narrow exclusions for such things as samples used for medical or scientific purposes) and “any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual.”

The technical requirements plaintiffs typically allege were violated are:

  1. the prohibition of the collection of biometric identifiers or information without obtaining a signed, written release informing the person of the collection, the specific purpose for collection, and the length of time the identifiers or information will be retained; and
  2. the requirement that anyone in possession of identifiers or information develop and adhere to a publicly available written policy establishing a retention and destruction schedule under which the identifiers or information will be retained for no longer than the earlier of when the original purpose for their collection is satisfied, or three years.

The statute also:

  1. Prohibits of the sale, lease, or profit from the identifiers or the information and the disclosure of them except in narrow circumstances (such as with the person’s consent); and
  2. Requires anyone in possession of such identifiers or information to safeguard them using the reasonable standard of care for the industry and requires that such safeguards to be at least “the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.”

As defendants are quick to point out in many of these lawsuits, plaintiffs rarely (if ever) assert that identifiers or information were not adequately protected or were stolen or compromised—the outcomes BIPA was designed to protect against.

What Happened in Rosenbach?

Rosenbach reached the Illinois Supreme Court as a pair of certified questions asking whether an individual is aggrieved where the only injury alleged is that a person was not provided with the required disclosures and that the identifiers or information were collected without obtaining the written release.

The person in Rosenbach was a 14-year-old boy who, in order to obtain a season pass to visit an amusement park in Illinois, provided a thumb-scan that was used to verify his identity when he patronized the park. He was not provided with the written disclosures described above and did not execute a release. He filed a purported class action lawsuit two years later based on the lack of the disclosures and release, but did not allege any adverse consequences arising from not receiving them, and did not allege that his thumb-scan data had been shared, compromised, or misused.

The defendant moved to dismiss, arguing that the plaintiff was not “aggrieved” because there were no allegations of actual injury. The trial court disagreed and denied the motion, but eventually agreed to certify the issue to the appellate court, which sided with the defendant, finding that an “aggrieved” person must allege some “actual harm.”

The appellate court disagreed with the trial court, reasoning that “if the Illinois legislature intended to allow for a private cause of action for every technical violation of the Act, it could have omitted the word ‘aggrieved’ and stated that every violation was actionable. A determination that a technical violation of the statute is actionable would render the word ‘aggrieved’ superfluous.”

Unanimous Ruling Reverses Appellate Court

The supreme court started by comparing and contrasting the language used in other acts and determined that BIPA follows the model employed by the AIDS Confidentiality Act, which does not require proof of actual damages to recover. The court found support for this interpretation in the “standard definitions” of “aggrieved” found in dictionaries.

The court found further support in BIPA’s preamble, reasoning that the public policy considerations identified therein (e.g., that things like one’s face and fingerprints cannot be changed if compromised) demonstrated that the legislature intended to:

  • impose safeguards to ensure that consumer privacy rights and preferences are honored and protected, and
  • subject private entities who fail to follow those safeguards to “substantial potential liability

In the court’s view, the risk of ruinous liability for a technical violation was actually a positive because “entities have the strongest possible incentive to conform to the law and prevent problems before they occur and cannot be undone,” and, in any event, “[c]ompliance should be easy.”

The Illinois Supreme Court’s decision does not mean that the plaintiff in Rosenbach has won, but rather only that he has not lost at the threshold and can pursue his claim. The case will now be returned to the trial court, where the parties will litigate the merits and whether a class can be certified.

Author Information

Justin O. Kay is a partner in the Chicago office of Drinker Biddle & Reath LLP and is a vice chair of the firm’s Class Actions Team. His practice focuses on defending complex civil matters in federal court, state court, and before federal agencies. Justin advises companies on compliance with the Illinois Biometric Information Privacy Act, and speaks, writes, and is quoted frequently in the press regarding developments in laws regulating biometrics.