Court Overturns Decision in Illinois’ Landmark Biometric Privacy Case

The Illinois State Supreme Court has reversed a decision in the case brought by a mother against Six Flags after the amusement park captured her son’s thumbprint without written permission, as required under the state’s biometrics law. This reversal could significantly change how courts allow privacy claims to proceed even if plaintiffs cannot demonstrate they suffered actual harm. It could also dramatically impact future privacy legislation in the U.S. Illinois’ Biometric Privacy Information Act (BIPA) was enacted in 2008 to help regulate “the collection, use, safeguarding, handling, storage, retention and destruction of biometric identifiers and information.” It is arguably the strongest biometrics law in the nation. A lower court found defendants in BIPA cases must prove actual injury or damage beyond just violation of the law. The State Supreme Court disagreed, finding an individual need not allege actual injury beyond his or her rights to be entitled to seek damages and relief. The case has been remanded to the circuit court for further proceedings. The plaintiff, Stacy Rosenbach, filed suit on behalf of her son, Alexander Rosenbach, a minor, because they were not informed in writing of the specific purpose and length of time for which Rosenbach’s fingerprint had been collected and they did not sign a written release consenting to the collection. And, the opinion noted, even though Rosenbach has not been back to the park since 2014, Six Flags has kept his biometric identifiers and has not disclosed what it is doing with the information or how long it will be kept. Six Flags did not respond to a request for comment. The amusement park sought dismissal because the plaintiff hadn’t suffered any injury—and the lower court agreed. At issue is what exactly it means to be “aggrieved.” BIPA does not include a precise definition, so the courts are left to interpret what the state legislature wanted to achieve. In his opinion on the case, Illinois Supreme Court Chief Justice Lloyd Karmeier pointed to the state’s AIDS Confidentiality Act, which does not specifically define “aggrieved” either, but says, “[any] person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party.” Joseph Jerome, policy counsel at the Center for Democracy and Technology, called this a “really pivotal opinion,” adding, “With respect to BIPA, companies have been skirting the letter of the law and pushing the line that their violations weren't harming individuals.” Woodrow Hartzog, professor of law and computer science at Northeastern University, agreed, noting the opinion could impact future surveillance and data rules in the U.S. “Many have argued for years that privacy harms extend far beyond things like identity theft and extreme mental anguish,” Hartzog added. “This case recognizes that people are harmed when companies interfere with people’s ability to maintain their biometric privacy.” The ruling comes at a time when the use of consumer biometrics like fingerprints, retina/iris scans or voiceprints—often with little or no regulation—is increasing among government agencies, airlines, cruise lines and retailers. Unlike many other states, the Illinois law gives individuals the right to control their biometric information. In what Jerome called “the key line from the opinion,” Karmeier wrote: “When a private entity fails to adhere to statutory procedures, as defendants are alleged to have done here, the right of the individual to maintain [his or] her biometric privacy vanishes into thin air. The precise harm the Illinois legislature sought to prevent is then realized. This is no mere technicality. The injury is real and significant.” Karmeier also cited the risks posed by the use of biometrics and “the difficulty in providing meaningful recourse once a person’s biometric identifiers or biometric information has been compromised.” In addition, the opinion quoted the Illinois General Assembly, which, in enacting BIPA, said, “Biometrics … are biologically unique to the individual; therefore, once compromised, the individual has no recourse … [and the] full ramifications of biometric technology are not fully known.” BIPA imposes safeguards and subjects private entities that violate the law to potential liability. It’s this liability that incentivizes private entities to comply. “Compliance should not be difficult; whatever expenses a business might incur to meet the law’s requirements are likely to be insignificant compared to the substantial and irreversible harm that could result if biometric identifiers and information are not properly safeguarded,” Karmeier added. Jerome said the decision will likely encourage Six Flags to settle the case. “As surveillance technologies become increasingly pervasive and the data ecosystem become more difficult to avoid, it is critical that the oppressive effects of surveillance tools and manipulative technologies are legally recognized,” Hartzog added. “This opinion is a great step towards a more complete and effective privacy regime.”