On January 25, 2019, the Illinois Supreme Court reversed an appellate court decision and held that an “aggrieved” person capable of filing suit under the Illinois Biometric Information Privacy Act (“the Act”) need only allege a technical violation of the statute—no actual injury is necessary. By its decision, the Supreme Court may have opened the floodgates for plaintiffs seeking a fine for each technical violation of the Act, as well as reasonable attorneys’ fees. In the wake of this decision, compliance with the Illinois statute is more important than ever for private entities collecting or storing biometric information.
The Court’s Opinion
In Stacy Rosenbach v. Six Flags Ent. Corp., 2019 IL 123186 (“Rosenbach”), the Illinois Supreme Court undertook to interpret the Illinois Biometric Information Privacy Act (“the Act”). Under the Act, any person “aggrieved” by a violation of its provisions “shall have a right of action… against an offending party” and “may recover for each violation” the greater of either actual damages or liquidated damages. 740 ILSC 14/20. The person may also recover reasonable attorney fees and costs and any other relief that the court deems appropriate, including injunction. Id. The full body of the Act may be read here.
Stacy Rosenbach, acting in her capacity as mother and next friend of her teenaged son Alexander Rosenbach, brought this action against the owner of the theme park after her son was fingerprinted in connection with his purchase of a season pass for the park. The Defendants, Six Flags Entertainment Corporation and its subsidiary Great America LLC, who own and operate the theme park in Gurnee, Illinois, had been using a fingerprinting process for issuing repeat-entry passes to the park since 2014. To fully utilize the Six Flags season pass that his mother had purchased for him, Alexander was asked to scan his thumb into defendants’ biometric data capture system. Stacy Rosenbach would later file suit, claiming that neither her nor her son, who was a minor, were informed in writing or in another way the specifics of the fingerprint collection, and that neither of them had signed any written release or provided any written consent.
The Illinois Supreme Court grappled with the specific issue of whether one bringing action under the Act qualifies as an “aggrieved” person if he or she has not alleged an actual injury or adverse effect beyond a violation of his or her rights under the Act. Below, the appellate court had answered no to this question, reasoning that “a plaintiff who alleges only a technical violation of the statute without alleging injury or adverse effect is not an aggrieved person” within the meaning of the Act.
Reversing the lower court, the Illinois Supreme Court held that a person suing under the Illinois Biometric Information Privacy Act does not need to allege that actual damages resulted from the defendant’s violations. Instead, an individual suing under the Act need only allege that his or her rights under the Act were violated. No real-world harm is required.
The Bigger Picture
Looking ahead, Rosenbach sharply raises the stakes for any private institution choosing to collect biometric information from customers or its own employees. Under the Act, “biometric information” are biometric identifiers used to identify an individual, including retina or iris scans, fingerprints, voiceprints, or a scan of the hand or face geometry. 740 ILCS 14/10. Because plaintiffs need only show a barebones violation of the Act, and not actual damages, collectors of biometric information who are not in strict compliance with the Act are easy targets for suit. Indeed, a recent order from the 1st District Appellate Court illustrates the potential ramifications of Rosenbach for entities using biometric information.
On March 4, 2019, just over a month after the Rosenbach decision, the 1st District Appellate Court ruled in an unpublished opinion that a plaintiff may recover liquidated damages against a tanning salon that was collecting patrons’ fingerprints without permission. Jennifer Rottner v. Palm Beach Tan, Inc., 2019 IL App (1st) 180691-U. Relying exclusively on the Rosenbach decision, the court held that the plaintiff suing the tanning salon, “like [Stacy] Rosenbach, has standing to sue and has adequately stated a claim for liquidated damages under [S]ection 20 of the [a]ct, even if she has alleged only a violation of the [a]ct and not any actual damages beyond violation of law.” Id. at ¶ 12.
And, in addition to not needing to demonstrate actual damages, plaintiffs may be additionally incentivized to file suit under the Act due to a fee-shifting provision that allows an award of attorneys’ fees to a successful plaintiff. Unsurprisingly, additional lawsuits are already being filed in the wake of Rosenbach. On February 21, 2019, less than a month after the Rosenbach decision, a putative class action was brought against Total Airport Services LLC, a Texas-based company operating in O’Hare. The complaint was filed in Illinois court by a former airport customer service worker from Wood Dale, Illinois. She claims that she and at least one hundred (100) other workers were required to use fingerprint scanners to clock in and out of work. According to the complaint, Defendant’s did not provide workers with the proper notices and consent forms when the fingerprint scanning policy was adopted in 2016. Under the Act, private entities could face a fine of $1000 for each negligent violation of a provision. 740 ILCS 14/20(1). Each reckless violation of the Act could cost the private entitle $5000. 740 ILCS 14/20(2). Whether or not it comes as a result of the Rosenbach decision, this lawsuit demonstrates that noncompliance with the Act may come at a great cost to entities utilizing biometric information.