By Kelly Wong

Illinois Biometric Information Privacy Act

Due to advancements within the biometric identification technology sector; businesses are beginning to incorporate the use of this technology into their products and services. Biometric identification technology consists of fingerprint identification, retina scans, and facial recognition technology. Due to the unknown ramifications of the use of biometric information, Illinois enacted the Biometric Information Privacy Act (“BIPA”) to ensure an individual’s personal information is securely collected and stored. BIPA mandates that an entity must give notice to an individual and obtain consent prior to collecting biometric information. The act states that if an individual is “aggrieved by” a violation of BIPA, then the person has a private right of action in a state circuit court or as a supplemental claim in federal district court. There have been several class-action lawsuits brought under BIPA, and the courts have been at odds as to how to interpret the “aggrieved by” standard. The question that is presented is: to what extent does a person need to be harmed under the statute to bring an action? Is it enough that there has been a technical violation of BIPA, or must there be more, such as a data breach?

Rosenbach v. Six Flags

Rosenbach v. Six Flags arose because Six Flags amusement park acquired a young child’s biometric information, his thumbprint, without his informed consent and without disclosure of the company’s practices regarding the collection use, and retention of this information. The plaintiff argued that he was aggrieved by the technical violation, the collection of biometric information without notice or consent, and was therefore entitled to damages. On appeal in the Illinois Appellate Court, the court proffered that the plaintiff could not be an “aggrieved” person because he had not suffered an “actual injury” and had only suffered a technical violation of the Act. However, in January 2019 the Supreme Court of Illinois rejected the interpretation of the Illinois Appellate Court and found that the violation itself was an invasion of statutory rights and would make a person “aggrieved” under the Act. In other words, the violation itself impairs an individual’s right to privacy of their biometric information. This ruling dispenses the need to prove an actual injury beyond a technical violation to be entitled to damages or injunctive relief.

How will the Six Flags Ruling Affect Rivera v. Google and other claims brought under BIPA?

Plaintiffs in Rivera v. Google alleged that Google violated BIPA by collecting facial recognition data without express informed consent. Google filed a motion to dismiss arguing that the plaintiffs did not suffer an injury-in-fact to confer standing under Article III of the U.S. Constitution. In December 2018, the U.S. District Court for the Northern District of Illinois sided with Google and granted their motion to dismiss, finding that although Google had collected biometric information without plaintiff’s consent, that in and of itself was not sufficient to be an injury-in-fact.

The recent Six Flags ruling will not affect Rivera v. Google since the Supreme Court decision in Spokeo is binding. Specifically, Spokeo, Inc. v, Robins held that plaintiffs must allege more than a statutory violation to establish Article III standing. The defense that technical violations of BIPA do not lead to Article III standing will likely be continued to be used by defendants who are taken to federal court.

Given Six Flags recent decision finding that a technical violation is an actual injury, it should be expected that there will be an influx of litigation arising in Illinois state courts from a lack of informed consent. Accordingly, the holding will eliminate the defense that a plaintiff is not aggrieved by a technical violation of the statute. As a result, defendants will have to be more creative when constructing a defense and will likely argue that there is implicit consent or construe meanings from other areas of the statute. Despite the Six Flags holding contradicting Spokeo, individuals who are affected by the invasion of privacy rights no longer need to prove actual harm to establish a prima facie case under BIPA. Not only does this holding take into consideration the unchangeable and unique characteristic of biometrics deserving of heightened privacy protection (fingerprints, iris, facial recognition, etc.), but also strives to enforce those rights by allowing a plaintiff to have recourse in the event of a technical violation of biometric statutory rights. Thus, the Six Flags holding waits not for harmful effects to materialize, but instead preemptively bars all instances of data breach and misuse.

Student Bio: Kelly Wong is a second-year student at Suffolk University Law School. She is currently a staff member of the Journal of High Technology Law. She graduated from the College of the Holy Cross in 2017 with a Bachelor of Arts in Economics.

Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.