In today’s landmark ruling, the Illinois Supreme Court held that private lawsuits seeking statutory damages and injunctions for violation of the Illinois Biometric Information Privacy Act (BIPA) may be pursued by “aggrieved” persons without alleging any actual injury or adverse effect.
BIPA, enacted in Illinois back in 2008, was the seminal state statutory privacy law for individuals’ biometric data. The law protects individuals’ biometric identifiers (a retina or iris scan, voiceprint, or scan of hand or face geometry) and biometric information (any information, regardless of how captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual), all subject to statutory exceptions.
Under BIPA, private entities that possess such biometric data:
- must have a written policy for the retention and destruction of such data within three years of the earlier of the individual’s last interaction or when the purpose of collecting or obtaining the data has been satisfied;
- must not collect or otherwise obtain such data without first (1) notifying the individual in writing of the collection or storage of the data, (2) notifying the individual in writing of why and how long the data is being collected, stored, and used, and (3) obtaining the individual’s written release;
- must not sell, lease, trade, or otherwise profit from such data;
- must not disclose such data except with the individual’s consent, to complete a financial transaction the individual requests or authorizes, or as required by law; and
- must safeguard such data using reasonable care and in a manner at least as protective as the entity’s safeguards for other confidential and sensitive data.
BIPA authorizes private actions by “aggrieved” persons in state or federal courts for statutory damages, attorneys’ fees and costs, and injunctions.
In Rosenbach v. Six Flags Entertainment Corp., the complaint alleged that an amusement park obtained the plaintiff’s fingerprint to set up a season pass, without making the BIPA-required notifications or obtaining the plaintiff’s written release. The defendant convinced the Court of Appeals that the plaintiff was not an “aggrieved” person under BIPA because there were no allegations of actual harm. But on appeal, the Illinois Supreme Court disagreed, ruling that BIPA allows private actions for statutory damages and injunctions for statutory violations, regardless of any showing of actual injury or adverse effect.
This ruling, as a definitive interpretation of BIPA, will have immediate impact in litigation across the country, including cases pending in federal courts against a variety of companies doing business in Illinois (note that BIPA exempts financial institutions, and their affiliates, subject to the GLBA Safeguards Rule).
The ruling also underscores the need for companies to carefully pursue information governance for any collection, storage, or use of biometric data, including their policies and systems for privacy, data security, and data retention.