Illinois’s Highest Court Sides With Consumers Over Biometric Data Law Violation

In 2008, Illinois became a pioneer in consumer data privacy law when it passed the Biometric Information Privacy Act (“BIPA”). BIPA was passed to set a standard pursuant to which private entities could collect and work with the personal biometric identifiers and information of individuals. To achieve this goal, BIPA includes five key features:

  • informed consent is required prior to collection
  • there are limited rights for disclosure
  • sets forth retention guidelines and protection obligations
  • prohibits utilizing biometric data for profit
  • creates a private right of action for individuals harmed by BIPA violations which can result in damages of up to $5,000.00 for each violation

In late January 2019, the Illinois Supreme Court rendered a landmark decision, ruling in favor of a consumer in a matter alleging violations under BIPA. The case, Rosenbach v. Six Flags, 2019 IL 123186 (Ill. 2019), was brought after a Six Flags Amusement Park fingerprinted a 14-year-old visitor without the consent of his parents. Six Flags argued that it had no meaningful liability because the plaintiff lacked a tangible injury based on the mere unlawful collection of his biometric data. The Court disagreed and ruled that the damages caused by the violation of an individual’s rights under BIPA are sufficient to demonstrate liability even in the absence of a separate, physical injury. Further, the Court opined that the costs companies will incur from becoming compliant under BIPA are insignificant compared to the “substantial and irreversible harm” that individuals could suffer due to BIPA violations.

The Rosenbach opinion is a monumental decision not just for Illinois, but also for the United States. In Illinois, this ruling has put companies on notice that BIPA compliance is mandatory and that it will be enforced to the most significant extent possible. This raises major compliance concerns not only for companies located in the state of Illinois but also for companies outside of Illinois that do business there. On a national scale, this ruling adds to the widespread conversation concerning the enforcement of stricter consumer data privacy laws. As we have discussed before, law makers in our Nation’s Capital are deciding the best route to take in creating federal legislation on the issue. Meanwhile, states such as Illinois are cementing the goals of consumer privacy by creating and enforcing stricter consumer data privacy laws to protect individual consumers in an increasingly data driven world.

As various jurisdictions continue to implement and enforce data privacy laws, our experienced attorneys at Dickie, McCamey & Chilcote, P.C. will continue to monitor developing data privacy regulations throughout the United States. Our attorneys have advised clients on international and domestic data privacy compliance for years and will continue to do so as the global trend moves toward stricter data privacy regulations. If you have any questions or concerns, please contact us. We will be happy to work with you and to help equip your company for compliance in this constantly evolving area.

The material on this site is for general informational purposes only and is not intended to be, and should not be construed to be, legal advice. There shall be no liability accepted as a result of any improper reliance on the material on this site. A qualified lawyer should always be consulted with regard to any specific legal issue or problem.