By Gerald L. Maatman, Jr., Thomas E. Ahlering, and Alex W. Karasik

Seyfarth Synopsis: The Illinois Supreme Court held in its first ever ruling concerning the state’s Biometric Information Privacy Act (“BIPA”) that a person need not have sustained actual damage beyond technical violations of BIPA in order to pursue claims for damages.  The Illinois Supreme Court’s ruling will likely greatly increase the potential exposure for companies in actions alleging violations of the Act, and makes strict compliance with the Act significantly important.

For businesses in Illinois (and potentially in states with similar statues), the ruling in Rosenbach v. Six Flags Entertainment Corp., No. 123186, 2019 Ill. Lexis 7 (Ill. Jan. 25, 2019), serves as a loud warning shot that they must immediately take steps to strictly comply with BIPA’s requirements, or risk facing costly class action litigation.  As determined by the Illinois Supreme Court, “[w]hatever expenses a business might incur to meet the law’s requirements are likely to be insignificant,” in light of the potential for “liability for failure to comply with [BIPA’s] requirements.”  Id. at *21.

***

BIPA Background

Despite being barely over a decade old, BIPA litigation was rather stagnant for its first ten years, until a flurry of lawsuits were filed under this law in 2018.  The BIPA prohibits an entity from collecting, capturing, purchasing or otherwise obtaining a person’s “biometric identifier” or “biometric information,” unless it satisfies certain notice, consent, and data retention requirements.  At the time BIPA was passed into law, the thought of an entity utilizing fingerprint or facial recognition for employee identification was typically reserved for high-net-worth entities or those with dire need for added levels of security.  In today’s workplace, businesses small and large across nearly every industry are using fingerprint or facial recognition for both employee and customer identification.

The BIPA outlines several requirements for the collection and use of biometric information by private entities. Private entities collecting a person’s biometric information musty (1) inform the person in writing that his or her biometric information is being collected; (2) explain the purpose and length of time for which the information will be used; and (3) receive written consent.

The BIPA also creates a limited right of action for “person[s] aggrieved by a violation” of its terms. A “person aggrieved” by a negligent violation of the BIPA may recover “liquidated damages of $1,000 or actual damages, whichever is greater.”  A “person aggrieved” by an intentional or reckless violation of the BIPA may recover “liquidated damages of $5,000 or actual damages, whichever is greater.”

Case Background

Since 2014, Defendants, operators of an amusement park in Illinois, have used a fingerprinting process when issuing repeat-entry passes to the park.  Id. at *2.  Plaintiff alleged that this system scans pass holders’ fingerprints; collects, records and stores biometric identifiers and information gleaned from the fingerprints; and then stores that data in order to quickly verify customer identities upon subsequent visits by having customers scan their fingerprints to enter the theme park.  She further alleged that in 2014, while the fingerprinting system was in operation, her 14-year-old son visited the amusement park on a school field trip, where his thumbprint was used to gain access as a season pass holder.

Plaintiff filed a three count complaint alleging Defendants violated the BIPA by: (1) collecting, capturing, storing, or obtaining biometric identifiers and biometric information from Plaintiff’s son and other members of the proposed class without informing them or their legally authorized representatives in writing that the information was being collected or stored; (2) not informing them in writing of the specific purposes for which Defendants were collecting the information or for how long they would keep and use it; and (3) not obtaining a written release executed by Plaintiff, her son, or members of the class before collecting the information.  Id. at *6.

Defendants moved to dismiss the complaint, arguing among many things, that plaintiff had suffered no actual or threatened injury and therefore lacked standing to sue.  Id. at *6-7.  The Circuit Court granted Defendants’ motion to dismiss Count III, but denied its motion as to Counts I and II.  Defendants thereafter sought interlocutory review of the Circuit Court’s ruling, which the Illinois Appellate Court granted.

On December 21, 2017, the Illinois Appellate Court for the Second District became the first to address the issue of whether a plaintiff can recover for technical violations of the BIPA, even if the complaint does not allege that the plaintiff suffered any harm, loss or injury.  It held that a plaintiff is not “aggrieved” within the meaning of the Act and may not pursue either damages or injunctive relief under the Act based solely on a defendant’s violation of the statute.  Additional injury or adverse effect must be alleged.  The injury or adverse effect need not be pecuniary, the Appellate Court held, but it must be more than a technical violation of the Act.  Plaintiff thereafter petitioned the Illinois Supreme Court for leave to appeal, which was granted.

The Illinois Supreme Court’s Decision

On January 25, 2019, in a highly anticipated ruling, the Illinois Supreme Court reversed the Illinois Appellate Court and remanded the case back to the Circuit Court for further proceedings.  After summarizing the BIPA, the Illinois Supreme Court began its analysis by zeroing in its statutory construction, noting that Defendants had read the Act as evincing an intention by the legislature to limit a plaintiff’s right to bring a cause of action to circumstances where he or she has sustained some actual damage, beyond violation of the rights conferred by the statute, as the result of the defendant’s conduct.  Id. at *13-14.  The Illinois Supreme Court rejected this argument as untenable, noting that when the General Assembly has wanted to impose such a requirement in other situations, it has made that intention clear.  Id.

Next, the Illinois Supreme Court held that a person who suffers actual damages as the result of the violation of his or her rights would meet this definition of course, but sustaining such damages is not necessary to qualify as “aggrieved.”  Id. at *16.  Rather, “[a] person is prejudiced or aggrieved, in the legal sense, when a legal right is invaded by the act complained of or his pecuniary interest is directly affected by the decree or judgment.”  Id.  Accordingly, based on this construction, the Illinois Supreme Court held that a when a private entity fails to comply with one of the BIPA’s Section 15’s requirements, that violation constitutes an invasion, impairment, or denial of the statutory rights of any person or customer whose biometric identifier or biometric information is subject to the breach.  Id. at *17-18.  Further, it opined that “[n]o additional consequences need be pleaded or proved. The violation, in itself, is sufficient to support the individual’s or customer’s statutory cause of action.”  Id. at *18.

Finally, the Illinois Supreme Court explained that the BIPA vests in individuals and customers the right to control their biometric information by requiring notice before collection and giving them the power to say no by withholding consent.  Id.  It explained that these procedural protections are particularly crucial in our digital world because technology now permits the wholesale collection and storage of an individual’s unique biometric identifiers — identifiers that cannot be changed if compromised or misused.  Id. at *18-19 (citations and quotation marks omitted).  The Illinois Supreme Court further opined that “[w]hen a private entity fails to adhere to the statutory procedures, as [D]efendants are alleged to have done here, the right of the individual to maintain [his or] her biometric privacy vanishes into thin air. The precise harm the Illinois legislature sought to prevent is then realized.  This is no mere ‘technicality.’  The injury is real and significant.”  Id. at *19 (citations and quotation marks omitted).

The Illinois Supreme Court concluded its opinion by holding that contrary to the Appellate Court’s view, an individual need not allege some actual injury or adverse effect beyond violation of his or her rights under the Act in order to qualify as an “aggrieved” person and be entitled to seek liquidated damages and injunctive relief pursuant to BIPA.  Id. at *22.  Therefore, it reversed the judgment of the Appellate Court and remanded to the Circuit Court for further proceedings.

What This Means For Businesses

The decision will make it significantly easier for individuals to assert causes of action and seek damages for mere non-compliance with the BIPA’s requirements – absent any allegations of harm or injury.  In that regard, the decision makes it of the utmost importance that companies take strict measures to comply with the BIPA’s requirements.  As stated by the Illinois Supreme Court, “[w]hatever expenses a business might incur to meet the law’s requirements are likely to be insignificant,” in light of the potential for the significant “liability for failure to comply with [the BIPA’s] requirements.”  Id. at *21.

By Gerald L. Maatman, Jr. and Thomas E. Ahlering

 Seyfarth Synopsis:  As the number of class action lawsuits alleging violations of the Illinois Biometric Information Privacy (“BIPA”) has exploded in the last six months, defendants have been eagerly awaiting guidance from an Illinois appellate court regarding what a Plaintiff must allege in order to have a viable right of action under the statute. In Rosenbach v. Six Flags, 2017 IL App (2d) 170317 (Ill. App. Ct., Dec. 21, 2017), the Illinois Appellate Court for the Second District issued the first such ruling in this area, holding that a Plaintiff must allege an actual injury to be “aggrieved” under the Act in order to seek statutory damages and injunctive relief. 

The decision represents a significant victory for employers because defendants in both federal and state courts – facing potentially catastrophic damages under the statute for implementation of biometric technology for various purposes, including timekeeping practices – have made similar arguments that plaintiffs alleging mere technical violations of the statute are not “persons aggrieved,” thereby entitling plaintiffs to statutory damages and injunctive relief.  The decision in Rosenbach provides clarity as to the viability of certain potential employer defenses in BIPA class actions, particularly at the motion to dismiss stage.  Most notably, the decision will almost certainly serve to shift the tide in favor of employers facing BIPA class actions.

***

The Illinois Appellate Court’s Decision

In Rosenbach, Plaintiff, as the mother of her minor son, brought a class action on behalf of herself and all others similarly-situated, alleging that Defendants Six Flags Entertainment Corp. (“Six Flags”) and Great America LLC (“Great America”) violated the BIPA when her son purchased a season pass for Great America theme park and defendants fingerprinted him using a biometric scanner without obtaining written consent or disclosing their plan for the collection, storage, use, or destruction of his biometric identifiers or information.  Rosenbach,  2017 IL App (2d) 170317, *1.  Defendants moved to dismiss on the grounds that Plaintiff was not a “person aggrieved by a violation” of the BIPA as required by the statute in order for a Plaintiff to have a right of action because Plaintiff alleged mere technical violations of the statute.  Id. (quoting 740 ILCS 14/20).

The trial court denied the motion to dismiss, but later certified two questions for appellate review relating to whether a person aggrieved by a violation of the BIPA must allege some actual harm, including: (1) whether an individual is an aggrieved person under section 20 of BIPA and may seek statutory damages authorized under the BIPA when the only injury he or she alleges is a violation that a defendant collected his or her biometric identifiers and/or biometric information without providing him or her the disclosures and obtaining written consent; and (2) whether an individual is an aggrieved person under section 20 of the BIPA and may seek injunctive relief authorized under the BIPA when the only injury he or she alleges is a violation that a defendant collected his or her biometric identifiers and/or biometric information without providing him or her the disclosures and obtaining written consent.  Id. *3.

The Illinois Appellate Court answered both questions in the negative and held that a Plaintiff must allege an actual injury to be “aggrieved” under the Act.  In so holding, the Illinois Appellate Court analyzed the plain language of the statute and consulted various definitions of “aggrieved,” including Black’s Law Dictionary, to find that “there must be actual injury, adverse effect, or harm in order for [a] person to be ‘aggrieved.’”  Id.

It further noted:

Likewise, if the Illinois legislature intended to allow for a private cause of action for every technical violation of the Act, it could have omitted the word “aggrieved” and stated that every violation was actionable. A determination that a technical violation of the statute is actionable would render the word “aggrieved” superfluous. Therefore, a plaintiff who alleges only a technical violation of the statute without alleging some injury or adverse effect is not an aggrieved person under section 20 of the Act.

Id. *4.

In sum, the primary holding of the case is that “[i]f a person alleges only a technical violation of the Act without alleging any injury or adverse effect, then he or she is not aggrieved and may not recover under any of the provisions in section 20.”  Id. *5.

Analysis And Implications For Employers

The Illinois Appellate Court’s decision constitutes a significant victory for employers facing BIPA class actions.

Most notably, the Illinois Appellate Court held that a Plaintiff cannot proceed on a claim for either statutory damages or injunctive relief for mere technical violations of the statute.  This holding is key for employers because class actions brought under the BIPA frequently consist of cookie cutter complaints which merely allege technical violations of the BIPA (i.e., failure to obtain written consent, failure to maintain a “publically available” biometric privacy plan, and failure to provide notice of biometric retention and destruction policies) and not an actual injury (i.e., identity theft).

While the decision represents a significant decision at this juncture in favor of employers, we anticipate that the Plaintiffs’ class action bar will continue to attempt craft creative arguments to circumvent this ruling and find a way to argue that an individual is an “aggrieved person” for purposes of the BIPA.

Accordingly, employers should remain vigilant and ensure that they are in compliance with the BIPA’s requirements to ensure that a mere “technical” violation of the statute does not result in something which could constitute an actual injury entitling an individual to pursue statutory damages and injunctive relief.