Editor's note: This article has been updated from an earlier version to include additional comments and reaction to the decision.
The Illinois Supreme Court says an Illinois privacy law doesn’t require plaintiffs to prove they were actually harmed before suing businesses and others who scan and store their fingerprints or other so-called biometric identifiers.
And the decision will give a green light to dozens of class action lawsuits already pending against businesses of all sizes in the state’s courts, with even more likely to follow.
On Jan. 25, a unanimous Illinois Supreme Court overturned the decision of a state appellate court. They said the appeals justices were wrong to shut down a class action brought by a mother in Lake County Circuit Court against theme park operator Six Flags Entertainment. She accused the company of violating her rights and those of her teenage son under the Illinois Biometric Information Privacy Act by requiring her son to scan his fingerprint to verify his identity when using his season pass at Six Flags Great America amusement park in Gurnee.
Illinois Supreme Court Chief Justice Lloyd Karmeier
The Illinois Supreme Court opinion was authored by Chief Justice Lloyd Karmeier. The court’s other six justices all concurred.
“When a private entity fails to adhere to the statutory procedures, as defendants are alleged to have done here, ‘the right of the individual to maintain [his or] her biometric privacy vanishes into thin air. The precise harm the Illinois legislature sought to prevent is then realized,’” Karmeier wrote.
“This is no mere ‘technicality.’ The injury is real and significant.”
WHO IS 'AGGRIEVED?'
The decision does not concern the merits of Rosenbach’s accusation against Six Flags. Rather, to date, proceedings have primarily centered on the question of whether Rosenbach had standing to bring the case at all.
Lawyers for Six Flags argued she had never presented evidence the fingerprint scans resulted in any harm to her or her son, as the data was not compromised, shared to a third party or misused.
Rosenbach’s attorneys, however, contended the alleged violation of the law alone should be enough to establish Rosenbach and her son should be considered “aggrieved” under the BIPA law.
A Lake County circuit judge sided with Rosenbach. But on appeal, a three-justice panel of the Illinois Second District Appellate Court sided with Six Flags, saying any violation would have been merely a technical violation of the BIPA law, which “does not equate to alleging an adverse effect or harm.”
Plaintiffs seeking to sue under BIPA, the Second District Appellate justices held, must demonstrate not only that the law was violated, but how they were harmed by the violation.
Rosenbach then appealed to the state Supreme Court.
The high court justices said the Second District court arrived at the wrong answer to the question in rejecting Rosenbach’s case.
The justices said the law should be read to allow anyone to sue any business or organization, if they can allege the company did not abide by any of the requirements of the BIPA law before scanning and storing a fingerprint, retinal scan, facial geometry or other biometric identifiers.
Justices noted a panel of the Illinois First District Appellate Court had already reached a differing conclusion in a 2018 ruling. In that case, justices said a Cook County judge had erred in dismissing a woman’s BIPA lawsuit against a LA Tan franchise in Schaumburg.
The Illinois Supreme Court said the language of the Illinois BIPA law mirrored that in the state’s AIDS Confidentiality Act, which authorized individual plaintiffs to sue anyone who violated their rights under the law.
In that law, “proof of actual damages is not required in order to recover,” the justices said.
“In terms that parallel the AIDS Confidentiality Act, it provides simply that ‘[a]ny person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party,’” Karmeier wrote.
They further said requiring plaintiffs to demonstrate they had actually been harmed by a technical violation of the law would be contrary to the will of the lawmakers who drafted the law.
“In reaching a contrary conclusion, the appellate court characterized violations of the law, standing alone, as merely ‘technical’ in nature,” Karmeier wrote. “Such a characterization, however, misapprehends the nature of the harm our legislature is attempting to combat through this legislation.
“The Act (BIPA) invests in individuals and customers the right to control their biometric information by requiring notice before collection and giving them the power to say no by withholding consent.”
'SUBSTANTIAL POTENTIAL LIABILITY'
They said BIPA law’s purposes are two-fold. First, the law imposes “safeguards to insure that individuals’ and customers’ privacy rights in their biometric identifiers and biometric information are properly honored and protected to begin with, before they are or can be compromised.”
Secondly, the justices said, the law also includes the opportunity for those who feel “aggrieved” to sue.
The justices noted their findings would likely expose businesses and organizations operating in Illinois to “substantial potential liability … ‘for each violation’ of the law whether or not actual damages, beyond violation of the law’s provisions, can be shown.”
Violations of the BIPA law could bring statutory damages of $1,000-$5,000 per violation. In Six Flags case, for instance, that could be multiplied against any number of season pass holders who have scanned fingerprints for use with the season pass without first granting express written permission, or without obtaining written notice from the theme park operator concerning how the company would store and ultimately destroy the fingerprint scan when it is no longer required to store it.
The decision could also have huge implications for any of the dozens of employers also being sued under BIPA for allegedly violating their employees’ rights by scanning their fingerprints for use with biometric punch clocks. For some companies, that could include hundreds or even thousands of employees, each counting as a potential violation of the law.
But justices said expressed no concern over the potential costs.
“Other than the private right of action authorized in section 20 of the Act, no other enforcement mechanism is available,” Karmeier wrote. “It is clear that the legislature intended for this provision to have substantial force.
“When private entities face liability for failure to comply with the law’s requirements without requiring affected individuals or customers to show some injury beyond violation of their statutory rights, those entities have the strongest possible incentive to conform to the law and prevent problems before they occur and cannot be undone.
“Compliance should not be difficult; whatever expenses a business might incur to meet the law’s requirements are likely to be insignificant compared to the substantial and irreversible harm that could result if biometric identifiers and information are not properly safeguarded; and the public welfare, security, and safety will be advanced. That is the point of the law.”
CLASH WITH SCOTUS?
Reaction to the ruling came immediately, with lawyers for business saying the decision will be a “door-opener for plaintiffs to assert these types of claims.”
Gerald Maatman, an attorney with Seyfarth Shaw LLP in Chicago, said he expects the ruling will lead directly to more BIPA class actions in Illinois.
Justin Kay, an attorney with the firm of Drinker Biddle & Reath, in Chicago, echoed that sentiment.
"The issue for the court to decide in Rosenbach was whether the Illinois Biometric Information Privacy Act would be a 'gotcha' statute, based on the failure of businesses to use magic words when using technology that incorporates biometrics,” Kay said, in a prepared statement. “With their ruling today, it is.”
But he said the impact will go further yet, potentially impacting an untold range of other cases.
“The ruling manifests that the Illinois Supreme Court interprets the concept of standing to sue in a far more expansive manner than the U.S. Supreme Court …or the court of other states in construing the laws of their states,” Maatman said.
He said the decision will open “the doors of Illinois courthouses to more claims due to the more liberal standing requirements laid down in the Rosenbach decision.”
A spokesperson for the Illinois Trial Lawyers Association declined comment on the decision, saying ITLA was not involved in the case.
However, immediately following the decision, trial lawyer Jay Edelson, principal of the Edelson P.C. firm in Chicago, which was among the first and remains among the most prolific law firms filing BIPA-related cases, posted on Twitter, saying: “A great day for those who care about biometric privacy rights in Illlinois!”
The ACLU of Illinois also praised the ruling. The organization said it had helped draft the Illinois BIPA law, and had filed a friend of the court brief with the Illinois Supreme Court in support of Rosenbach's position.
The Illinois Supreme Court "recognized that individuals must have the right to sue companies that unlawfully collect their personal information; otherwise, the companies will not be held accountable," said Rebecca Glenberg, Senior Staff Counsel at the ACLU of Illinois, in a prepared statement.
"More than a decade after BIPA’s enactment, we constantly hear new examples of companies that have collected, shared, and misused the personal information of millions being shared without their knowledge or consent. The strong protections of Illinois’s law are more critical than ever.”
Maatman and attorney Robert Cattanach, of the firm of Dorsey & Whitney, said the decision could be ticketed for an appeal to the U.S. Supreme Court.
Both Maatman and Cattanach said they believe the Illinois Supreme Court’s decision could conflict with the U.S. Supreme Court’s findings in the 2016 decision, Spokeo v Robins.
In that case, Cattanach said, the U.S. Supreme Court held “that absent some cognizable harm, individuals complaining of privacy violations had no standing to bring actions against entities alleged to have violated their privacy.”
The Rosenbach decision did not address Spokeo.
“If allowed to stand … the Illinois Court’s ruling would signal a significant sea change in how courts allow claims without actual damages to proceed, and open the floodgates to class actions claiming privacy violations even without any showing of actual harm," Cattanach said, in a prepared statement.
Kay said he also suspects the ruling will spur even stronger calls to change the BIPA statute and "rein in the scope" of the law. Prior efforts to do so have failed in the Illinois General Assembly.
Rosenbach was represented before the Illinois Supreme Court by attorney Phillip Bock, of the firm of Bock Hatch Lewis & Oppenheim, of Chicago.
Six Flags was represented by attorney Kathleen O’Sullivan, of the firm of Perkins Coie, of Seattle.
Bock and Six Flags did not reply to requests for comment from the Cook County Record.