The Illinois Supreme Court has just passed down a landmark ruling that affirms the right of private individuals to sue companies like Google and Facebook if they collect their biometric data without their written consent, even if there was no “harm” to the individuals. The ruling in the case of Rosenbach v. Six Flags Entertainment Corp. involves an interpretation of the controversial Illinois biometric data law, which is formally known as the Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (“BIPA”).
The court case involving the biometric privacy law
In this case, the mother of a 14-year-old minor sued the Six Flags theme park for improperly collecting the fingerprints of her son in order to issue a season pass for the park. While visitors to the park were told that they would need to provide fingerprints, and the context of the season pass program implied that consent would need to be given, Six Flags did not explicitly receive written consent from the minor before issuing the season pass. In the lawsuit, Six Flags specifically acknowledged that no written consent was obtained – however, and this is the major point to keep in mind, Six Flags also argued that the case did meet legal standards for demonstrating “harm.” In other words, there was no data breach, there was no hack, and there was no physical or psychological harm that occurred to the boy as a result of giving the fingerprints.
But the court ruling is so important because the Illinois Supreme Court filed a unanimous opinion that “harm to privacy” meets the legal definition required for “harm.” In other words, simply by violating the personal privacy of an individual, a corporation can cause harm – and there is no need to prove that any other malicious or pernicious events have occurred.
Privacy advocates, as might be assumed, cheered the ruling of the Illinois Supreme Court that says no harm is required to sue under the Illinois Biometric Information Privacy Act (“BIPA”). In fact, the ACLU came out and stated that this landmark ruling should serve as a basis for a similar federal privacy law. Moreover, privacy advocates such as the Electronic Frontier Foundation (EFF) called this a “crucial privacy victory.”
Key elements of the Illinois biometric data law
According to the terms of the Illinois biometric data law, which was the first of its kind in the nation when it was introduced back in 2008, all businesses in the state of Illinois must follow very strict rules whenever they are collecting, storing and sharing biometric data of customers and clients. First and most importantly, companies must obtain written consent, rather than just verbal consent or implied consent. Secondly, companies must have in place policies for the retention and destruction of biometric data, including information clearly telling customers how and why their biometric data is being stored and then establishing a retention schedule. And, finally, companies must have secure safeguards in place to protect that biometric data. Any private entity, when information is being collected, must notify individuals of the specific purpose and length of this data collection and obtain a written release.
According to Justin Kay, a partner in the Chicago office of law firm Drinker Biddle & Reath. “The issue for the court to decide in Rosenbach was whether the Illinois Biometric Information Privacy Act would be a ‘gotcha’ statute, based on the failure of businesses to use magic words when using technology that incorporates biometrics. With their ruling today, it is.
“A company that tells you verbally they are going to take your fingerprint for access control or security purposes — or that doesn’t tell you, but you know, based on the context — but that fails to inform you in writing that they are doing exactly what it is obvious they are doing, is still on the hook for thousands of dollars in statutory damages. Indeed, they could have military-level encryption and security protocols to safeguard your fingerprint information, but because they did not provide that information in a publicly available policy, they are subject to suit.”
Companies doing business in the state of Illinois have already faced challenges under this law. For example, there have been over 110 lawsuits brought against businesses in Illinois since the law went into effect in 2008. The majority of these cases have involved lawsuits against companies that use fingerprints to track their employees.
However, the highest profile of these lawsuits have involved tech companies – most notably, Google and Facebook – because it is precisely these companies that are using AI-powered facial recognition tools and biometric data in order to sort photos and recognize faces in photos that have been uploaded to these platforms. Thus, both Google and Facebook have already led efforts to weaken and water down some of the provisions of the Illinois legislation, such that they do not have to obtain written consent every time they use facial recognition technology.
From the perspective of these major tech companies, legislation such as BIPA (and similar biometric laws that has been passed in Washington State and Texas) is not just inconvenient and time-consuming, it also provides a way for everyday citizens to claim damages any time they have been “aggrieved” or “harmed” by biometric technology. That’s because the Illinois law specifically grants a “private right of action” (i.e. the right to sue a company) to citizens, enabling them to claim damages of up to $1,000 if their biometric identifiers (such as fingerprints or facial scans) are used in any way that causes harm to them.
Implications of the landmark ruling on biometric data
Until this court ruling, “harm” had always been interpreted to mean the leak of confidential and sensitive information, such as might occur in a data breach or hack. However, the Illinois Supreme Court adopted a much more privacy-friendly interpretation of “harm.”
The lesson is clear – businesses must be much more careful in biometric data collection. Any business that stores, transmits and protects biometric data must take specific steps to obtain written consent from customers. And they must clearly tell them the length of term that any biometric identifier is being used.
Not surprisingly, Illinois businesses and lobbying groups are already warning of a potential chilling effect for any company doing business in the state – including Google and Facebook. The Illinois Chamber of Commerce, for example, has warned that this ruling could open the door to many class action lawsuits. Even more dangerously, it might open the door to individual citizens suing Facebook and Google for up to $1,000 if they have ever used those platforms’ photo-recognition tools.
At the very least, this important court ruling on biometric data is going to set the new standard nationwide. Only three U.S. states – Illinois, Washington and Texas – currently have laws on the books related to biometric data. However, a handful of other states – Michigan, New Hampshire, Alaska and Montana – have pending legislation related to biometric data. Based on this ruling, they might be willing to also give a private right to action to its own citizens, thereby holding tech companies to the same rigorous standard as Illinois.
“Just as the Illinois statute served as a model for many of those proposals and was cited by legislators, the Supreme Court’s interpretation here is likely to have an impact on how those laws are drafted,” says Kay.
For supporters of data privacy concerned by the fast-and-loose approach to data privacy shown by tech giants like Facebook and Google, that has to be very encouraging news.