by Charles N. Insler
The Biometric Information Privacy Act (BIPA) establishes safeguards and procedures relating to the retention, collection, disclosure, and destruction of biometric data. Passed in October 2008, BIPA is intended to protect a person’s unique biological traits – the data encompassed in a person’s fingerprint, voice print, retinal scan, or facial geometry. This information is the most sensitive data belonging to an individual. Unlike a PIN code or a social security number, once biometric data is compromised, “the individual has no recourse, is at [a] heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.” 740 ILCS 14/5(c). For this reason, BIPA provides a private right of action for “[a]ny person aggrieved by a violation of this Act . . . .” 740 ILCS 14/20.
The question facing Illinois courts had been how best to interpret the meaning of “aggrieved.” Was an individual aggrieved if the defendant violated the statute or did the individual need to have sustained “some actual injury or harm, apart from the statutory violation itself, in order to sue under the Act[?]” Rosenbach v. Six Flags Entm't Corp., 2019 IL 123186, ¶23. Illinois’s appellate courts had reached conflicting decisions on this question, with the First District holding that a bare statutory violation was sufficient to confer standing under BIPA, Sekura v. Krishna Schaumburg Tan, Inc., 2018 IL App (1st) 180175, ¶77, and the Second District holding that BIPA required a person aggrieved by a violation of the Act to allege an actual harm and not simply a technical violation. Rosenbach v. Six Flags Entm't Corp., 2017 IL App (2d) 170317, ¶28.
On January 25, 2019, the Illinois Supreme Court resolved this split and held that a person is aggrieved in the legal sense “when a legal right is invaded by the act complained of . . . .” Rosenbach, 2019 IL 123186, ¶30. In other words, the “violation [of the statute], in itself, is sufficient to support the individual’s or customer’s statutory cause of action.” Id., at ¶33 (emphasis added). The underlying goals of BIPA supported this result. Id. at ¶¶24-37. If the purpose of BIPA was to safeguard biometric identifiers and information before the data was compromised, then individuals must be permitted to enforce those protective rights as soon as they became aware of a defendant’s failure to properly protect their biometric data. See id. at ¶37. To hold otherwise and require “individuals to wait until they have sustained some compensable injury beyond violation of their statutory rights . . . would be completely antithetical to the Act’s preventative and deterrent purposes.” Id.
The Supreme Court’s ruling is likely to further embolden lawsuits asserting bare violations of the statute and have an immediate impact on businesses in Illinois. After all, even a “technical” violation of the statute produces a “real and significant” injury. Id. at ¶34. The effect of the law is already being seen beyond the courtroom. BIPA is believed to be behind Nest’s decision not to offer facial recognition on doorbells operating in Illinois and Google’s decision not to allow Illinois users to matched their selfies with faces depicted in works of art. Ally Marotti, Illinois Supreme Court Rules Against Six Flags in Lawsuit Over Fingerprint Scans. Here’s Why Facebook and Google Care, Chicago Tribune (Jan. 25, 2019). Companies in Illinois may want to hold on: after the Six Flags decision they could be in for a wild ride.
More information about BIPA and the cases interpreting the statute can be found here.