Enacted in 2008, Illinois’ Biometric Information Privacy Act (BIPA)was the first meaningful legislation passed to protect an individual’s biometric data, i.e. information reflective of one’s unique physical or behavioral characteristics, such as a fingerprint or voice patterns. 740 ILCS 14/1et seq. Despite being considered the gold standard for biometric privacy protections for over a decade (since Illinois enacted BIPA in 2008, both Texas and Washington have adopted similar laws, and California will see its version of the legislation go into effect in January 2020.In addition, Congress and other state legislatures including Florida, Arizona, Massachusetts, and New York, are also considering bills to provide similar protections), litigation over individuals’ biologically unique identifying information was slow to take off. This is likely due in part to an ever-evolving understanding of the potential uses, good and bad, of these important markers. Another contributing factor was that it had been unclear who would have standing to bring a claim under BIPA, which created a right of action for “[a]ny person aggrieved by a violation of this Act,” but it did not indicate what would constitute such an aggrievement. 740 ILCS 14/20. A recent decision of the Illinois Supreme Court addressed that issue, and coule open the door for potential liabilities based even on technical violations of the BIPA. Rosenbach v. Six Flags Entm’t Corp., 2019 IL 123186 (Jan. 25, 2019).
In Rosenbach, it was undisputed that an amusement park violated BIPA when it collected, recorded, and stored Plaintiff’s 14-year-old son’s fingerprints to verify his identity as a season pass holder without Plaintiff’s informed written consent.Id. The issue was whether that technical violation, in and of itself and without any actual injury or harm, gave Plaintiff standing to bring a claim under the Act on behalf of her son and a class of similarly situated individuals. The Supreme Court appreciated the sensitive and unalterable nature of the data at issue and noted the legislature’s concern that “[t]he full ramifications of biometric technology are not fully known.” Id.See also740 ILCS 14/5(f). It held Plaintiff had been aggrieved by the violations and could bring a cause of action against the amusement park to seek liquidated damages and injunctive relief. “When a private entity fails to adhere to the statutory procedures, as defendants are alleged to have done here, “the right of the individual to maintain [his or] her biometric privacy vanishes into thin air. The precise harm the Illinois legislature sought to prevent is then realized.” Id. This is no mere “technicality.” The injury is real and significant. Rosenbach, citing Patel v. Facebook Inc., 290 F. Supp. 3d 948, 953 (N.D. Cal. 2018).
Though the statute was arguably vague as to when a cause of action could be sustained under BIPA, details of what information it seeks to protect, and how it will do so, are spelled out in the Act itself. Illinois’ statute defines a biometric identifier as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” 740 ILCS 14/10.The statute also provides a lengthy list of what is not considered a biometric identifier, including writing samples, photographs, human biological samples, demographic data, tattoo descriptions, physical descriptions (such as height, weight, hair color, or eye color), donated organs, blood, or images/films from medical treatment (such as an X-ray, MRI, PET scan, mammography, etc.). Id.
In Illinois, before a private entity can collect or obtain a person’s biometric identifier, it must inform the subject in writing that biometric information is being stored or collected, inform the subject in writing for what purpose and for how long that information is being stored, collected and used; and receive a written release from the subject. 740 ILCS 14/15(b).If a private entity wants to disseminate that biometric information (absent a warrant, subpoena, legal requirement, etc.), it needs an additional level of consent from the subject permitting the disclosure. 740 ILCS 14/15(d). BIPA also explicitly provides that, “No private entity in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise profit from a person’s or a customer’s biometric identifier or biometric information.” 740 ILCS 14/15(c).
It is now clear that“an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an “aggrieved” person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act.”Rosenbach at 40.These damages include 1) liquidated damages of $1,000 or actual damages, whichever is greater, for each violation; 2) liquidated damages of $5,000 or actual damages, whichever is greater, for each intentional or reckless violation; 3) reasonable attorneys’ fees and costs; and 4) other relief, including, but not expressly limited to, an injunction. 740 ILCS 14/20.Private entities who collect and disseminate biometric data must continue to be vigilant in the protection of individuals’ right to privacy over their sensitive personal data or risk running afoul of BIPA.