Illinois Supreme Court Rules that Plaintiff Is "Aggrieved" Under State Biometrics Statute Despite Alleging No Injury
The Situation: The Illinois Supreme Court recently considered whether a person can sue as an "aggrieved" person under the Illinois Biometrics Information Privacy Act ("BIPA") even if the person has not alleged some actual injury or adverse effect, such as identity fraud or theft of their biometric data, beyond a technical violation of the statute by the defendant.
The Result: The court held that under BIPA, a plaintiff qualifies as an "aggrieved" person, and may seek liquidated damages and injunctive relief, even if he or she has not alleged some actual injury or adverse effect beyond a technical violation of the statute.
Looking Ahead: This ruling may encourage even more litigation under BIPA, which has already generated far more litigation than any other state or federal biometrics statute or standard. The ruling may also impact pending cases in other districts that apply BIPA.
The Illinois Supreme Court found that a plaintiff can pursue damages and injunctive relief under BIPA even without alleging any injury or adverse effect, in a ruling that will quickly increase the already quick pace of filings of these suits. Rosenbach v. Six Flags Entm't Corp. et al., No. 123186, 2019 IL 123186.
BIPA, passed in 2008, requires companies that collect biometric information, such as retina or iris scans, fingerprints, voiceprints, hand scans, or face scans, to obtain written consent and disclose how they use, store, and destroy that data. BIPA is unique in that it includes a private right of action for "aggrieved" individuals. 740 ILCS 14/1 et seq.
For years, BIPA received relatively little attention. In the last couple of years, however, there has been a proliferation of lawsuits, including many against employers who use fingerprint scans in their timekeeping. Defendants have taken various approaches in defending against BIPA claims, including, but not limited to, arguing that: a plaintiff lacks standing or is not an "aggrieved party" under the statute, the presiding court lacks jurisdiction, the personal data at issue does not qualify as "biometric information" under the statute, and the statute is not enforceable or applicable when it comes to out-of-state conduct because of extraterritoriality and the Dormant Commerce Clause. The Illinois Supreme Court's new decision alters the landscape for the "aggrieved party" argument.
Rosenbach's son had a Six Flags season pass that required him to use his thumbprint to gain access to the park. Notably, Rosenbach never alleged that either she or her son had suffered any actual injury, only that she would not have allowed her son to purchase the pass if she had known of the defendant's conduct. The defendants sought dismissal of Rosenbach's action, arguing, in part, that the plaintiff had suffered no actual or threatened injury and therefore lacked standing to sue.
The circuit court denied the motion as to counts I and II, which sought damages and injunctive relief under the Act, but granted the motion as to count III, the unjust enrichment claim. Rosenbach v. Six Flags Entm't Corp. et al., No. 16 CH 13 (Cir. Court, Lake County, IL June 17, 2016). The defendants sought interlocutory review of the circuit court's ruling on counts I and II. The appellate court, in turn, found that a plaintiff is not "aggrieved" within the meaning of the Act and may not pursue either damages or injunctive relief under the Act based solely on a defendant's violation of the statute. Rosenbach v. Six Flags Entm't Corp., et al., 2017 IL App (2d) 170317, ¶ 28. Additional injury or adverse effect must be alleged. The injury or adverse effect need not be pecuniary, the appellate court held, but it must be more than a "technical violation of the Act." Id.
Rosenbach then petitioned the Illinois Supreme Court for leave to appeal. The Court reversed the appellate court's judgment, explaining "defendants' contention that redress under the Act should be limited to those who can plead and prove that they sustained some actual injury or damage beyond infringement of the rights afforded them under the law would require that we disregard the commonly understood and accepted meaning of the term 'aggrieved,' depart from the plain and, we believe, unambiguous language of the law, read into the statute conditions or limitations the legislature did not express, and interpret the law in a way that is inconsistent with the objectives and purposes the legislature sought to achieve. That, of course, is something we may not and will not do." Rosenbach, 2019 IL 123186, at ¶ 38.
With this issue clarified, companies should expect to see litigation focusing on other issues, such as what qualifies as the requisite notice and consent under the Act. For now, and before employers find themselves on the defending end, employers that use hand-scanning or fingerprint technologies for security, timekeeping, or other purposes, or collect other biometric information from their employees, should consider implementing policies and procedures to ensure compliance. Some measures that employers can take to prevent future litigation include:
- Creating a written policy on the retention of any biometric information that sets out permanent destruction measures within the time frame required by law. For example, if biometric information is retained for employee access, the policy should address how quickly the information will be destroyed when an employee is terminated and the initial purpose of storing the information has been satisfied.
- Developing procedures for providing employees notice about the collection of biometric information and obtaining consent prior to receiving or using any biometric information.
- Restricting the disclosure of biometric information until additional consent has been obtained from the employee, and prohibiting the sale or lease of any biometric information retained by the company.
- Developing security measures or revising existing security policies to ensure that biometric information is protected in the same manner that other confidential information is protected.
Three Key Takeaways
- Companies that collect or store biometric identifiers and biometric information should review their policies and practices to ensure compliance with the law. Companies should also make sure to avoid collecting or retaining information unnecessarily.
- This decision, which lowers the bar for alleging injury, is likely to increase the number of lawsuits filed under this law in an already litigious area of the law.
- While the Illinois Supreme Court answered the question of whether a person can be "aggrieved" solely based on the collection and storage of information in a manner that allegedly does not technically comply with BIPA, the decision did not address or resolve many other issues that a plaintiff would need to "win" before liability or class certification can be resolved in the plaintiff's favor.
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.