Keeping a Finger on BIPA

Published On February 5, 2019 | By Kandi Parsons and Armin Tadayon | Litigation, Privacy
TwitterLinkedInFacebookRedditCopy LinkEmailPrint

On January 25, 2019, the Illinois Supreme Court unanimously ruled that infringement of a right afforded under the state’s Biometric Information Privacy Act (“BIPA”), even absent harm, is sufficient for a plaintiff to allege a violation of the law. The Court found the legislature provided for liability under BIPA for a statutory violation and that losing control of one’s biometric privacy is a real and significant injury. A key question in litigation involving BIPA and other privacy laws around the country has been whether tangible harm—beyond a statutory violation—is required for legal action. The Illinois Supreme Court’s determination that such harm is not required will impact some of the 200 pending BIPA cases and will almost certainly increase the number of law suits filed under BIPA, which provides for statutory damages and attorneys’ fees. What remains uncertain is whether the ruling will be a harbinger for litigation under other privacy laws or if the decision will spur action by the Illinois legislature, which has previously tried to amend BIPA.

Background

In Rosenbach v. Six Flags Entm’t Corp., Six Flags required the Plaintiff’s 14-year-old son to provide a scan of his thumb in order to register his season pass. In response, Rosenbach sued Six Flags under BIPA, alleging Six Flags failed to inform them of the specific purpose and time for which the biometric information was collected, and failed to obtain written consent to its collection, use, or storage. BIPA provides a private right of action for any person “aggrieved” by a violation of the Act. Six Flags moved to dismiss the suit on the ground that Rosenbach had not suffered an actual or threatened injury. The Illinois Appellate Court agreed, holding an individual suffering a mere technical violation of the act, without any injury or adverse effect, is not “aggrieved” within the meaning of BIPA.

Illinois Supreme Court’s Unanimous Decision

The Court concluded that “to require individuals to wait until they have sustained some compensable injury beyond violation of their statutory rights before they may seek recourse … would be completely antithetical to [BIPA’s] preventative and deterrent purposes.”

On appeal, the Illinois Supreme Court concluded that the legislature intended to give individuals a right to privacy in their biometric information, control over their biometric information, and for any person aggrieved by a violation of BIPA to have a right of action. The Court found that the appellate court had misapprehended the nature of the harm the legislature was attempting to combat and that, when an entity fails to adhere to the statutory procedures, the right of the individual to maintain his or her biometric privacy vanishes and the harm the legislature sought to prevent is realized. This loss of control, according to the Court, is no mere “technicality.” Rather, it is a real and significant injury.

About The Authors

Kandi counsels clients on privacy and data security issues, online and general advertising, and marketing practices, including COPPA compliance, student privacy, and the Internet of Things. Kandi advises companies on collecting, protecting, and using consumer data and helps them develop and implement comprehensive privacy and security programs. Drawing on her tenure at the FTC, Kandi assists clients in responding to FTC and state AG enforcement actions. Prior to joining ZwillGen, Kandi spent eight years in the FTC’s Division of Privacy and Identity Protection. While at the FTC, Kandi served on detail for six months to the United States Senate, Committee on Commerce, Science, and Transportation.

Leave a Reply

Your email address will not be published. Required fields are marked *