The Illinois Supreme Court has just passed down a landmark ruling that affirms the right of private individuals to sue companies like Google and Facebook if they collect their biometric data without their written consent, even if there was no “harm” to the individuals. The ruling in the case of Rosenbach v. Six Flags Entertainment Corp. involves an interpretation of the controversial Illinois biometric data law, which is formally known as the Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (“BIPA”).
The court case involving the biometric privacy law
In this case, the mother of a 14-year-old minor sued the Six Flags theme park for improperly collecting the fingerprints of her son in order to issue a season pass for the park. While visitors to the park were told that they would need to provide fingerprints, and the context of the season pass program implied that consent would need to be given, Six Flags did not explicitly receive written consent from the minor before issuing the season pass. In the lawsuit, Six Flags specifically acknowledged that no written consent was obtained – however, and this is the major point to keep in mind, Six Flags also argued that the case did meet legal standards for demonstrating “harm.” In other words, there was no data breach, there was no hack, and there was no physical or psychological harm that occurred to the boy as a result of giving the fingerprints.
But the court ruling is so important because the Illinois Supreme Court filed a unanimous opinion that “harm to privacy” meets the legal definition required for “harm.” In other words, simply by violating the personal privacy of an individual, a corporation can cause harm – and there is no need to prove that any other malicious or pernicious events have occurred.
Privacy advocates, as might be assumed, cheered the ruling of the Illinois Supreme Court that says no harm is required to sue under the Illinois Biometric Information Privacy Act (“BIPA”). In fact, the ACLU came out and stated that this landmark ruling should serve as a basis for a similar federal privacy law. Moreover, privacy advocates such as the Electronic Frontier Foundation (EFF) called this a “crucial privacy victory.”
Key elements of the Illinois biometric data law
According to the terms of the Illinois biometric data law, which was the first of its kind in the nation when it was introduced back in 2008, all businesses in the state of Illinois must follow very strict rules whenever they are collecting, storing and sharing biometric data of customers and clients. First and most importantly, companies must obtain written consent, rather than just verbal consent or implied consent. Secondly, companies must have in place policies for the retention and destruction of biometric data, including information clearly telling customers how and why their biometric data is being stored and then establishing a retention schedule. And, finally, companies must have secure safeguards in place to protect that biometric data. Any private entity, when information is being collected, must notify individuals of the specific purpose and length of this data collection and obtain a written release.
According to Justin Kay, a partner in the Chicago office of law firm Drinker Biddle & Reath. “The issue for the court to decide in Rosenbach was whether the Illinois Biometric Information Privacy Act would be a ‘gotcha’ statute, based on the failure of businesses to use magic words when using technology that incorporates biometrics. With their ruling today, it is.
“A company that tells you verbally they are going to take your fingerprint for access control or security purposes — or that doesn’t tell you, but you know, based on the context — but that fails to inform you in writing that they are doing exactly what it is obvious they are doing, is still on the hook for thousands of dollars in statutory damages. Indeed, they could have military-level encryption and security protocols to safeguard your fingerprint information, but because they did not provide that information in a publicly available policy, they are subject to suit.”