Illinois’s Highest Court Sides With Consumers Over Biometric Data Law Violation
In 2008, Illinois became a pioneer in consumer data privacy law when it passed the Biometric Information Privacy Act (“BIPA”). BIPA was passed to set a standard pursuant to which private entities could collect and work with the personal biometric identifiers and information of individuals. To achieve this goal, BIPA includes five key features:
- informed consent is required prior to collection
- there are limited rights for disclosure
- sets forth retention guidelines and protection obligations
- prohibits utilizing biometric data for profit
- creates a private right of action for individuals harmed by BIPA violations which can result in damages of up to $5,000.00 for each violation
In late January 2019, the Illinois Supreme Court rendered a landmark decision, ruling in favor of a consumer in a matter alleging violations under BIPA. The case, Rosenbach v. Six Flags, 2019 IL 123186 (Ill. 2019), was brought after a Six Flags Amusement Park fingerprinted a 14-year-old visitor without the consent of his parents. Six Flags argued that it had no meaningful liability because the plaintiff lacked a tangible injury based on the mere unlawful collection of his biometric data. The Court disagreed and ruled that the damages caused by the violation of an individual’s rights under BIPA are sufficient to demonstrate liability even in the absence of a separate, physical injury. Further, the Court opined that the costs companies will incur from becoming compliant under BIPA are insignificant compared to the “substantial and irreversible harm” that individuals could suffer due to BIPA violations.
The Rosenbach opinion is a monumental decision not just for Illinois, but also for the United States. In Illinois, this ruling has put companies on notice that BIPA compliance is mandatory and that it will be enforced to the most significant extent possible. This raises major compliance concerns not only for companies located in the state of Illinois but also for companies outside of Illinois that do business there. On a national scale, this ruling adds to the widespread conversation concerning the enforcement of stricter consumer data privacy laws. As we have discussed before, law makers in our Nation’s Capital are deciding the best route to take in creating federal legislation on the issue. Meanwhile, states such as Illinois are cementing the goals of consumer privacy by creating and enforcing stricter consumer data privacy laws to protect individual consumers in an increasingly data driven world.
Jason L. Ott, Esq.
Derrick L. Maultsby, Jr.