Illinois Supreme Court Affirms Biometric Privacy Law, Clearing the Way for Lawsuits

By Jerri-Lynn Scofield, who has worked as a securities lawyer and a derivatives trader. She is currently writing a book about textile artisans.

The Illinois Supreme Court handed down a unanimous decision late last month holding that a plaintiff needn’t prove actual injury or adverse effect to recover under the state’s Biometric Information Privacy Act (BIPA), the bellwether for state-level protection of an individual’s biometric data. This decision clears the way for more than 200 pending lawsuits to proceed, and will spur plaintiffs’ attorneys to pursue no-injury class action lawsuits under BIPA in Illinois.

In Rosenbach v Six Flags , the court decided that a plaintiff only needs to show that a defendant used his biometric data without consent to recover under the statute’s generous terms, $1000 or $5000 for each violation, depending on whether it was negligent or willful; attorneys’ fees and costs, including expert witness fees and other litigation expenses; and injunctive relief – meaning the offending party must stop using the data.

Illinois enacted its landmark BIPA statue in 2008. Three other states have followed with similar statutes. Yet Illinois is the only state that currently provides for a private right of action — meaning an individual can sue to enforce his/her rights. According to Biometric Privacy: Illinois Supreme Court Decision Allows Claims to Proceed Without Showing of Actual Harm, a blog post published by the law firm Foley & Lardner:

Due to the increasingly popular use of biometric data and the potentially liquidated significant damages offered by the statute, the number of BIPA class action claims filed against companies for their allegedly improper collection of biometric data has ballooned in recent years. Plaintiffs in these cases have generally fallen into two categories: (1) employees of companies that allegedly utilize biometric data, such as fingerprints, for time keeping or physical security purposes; and (2) customers of companies that use biometric data to enhance the consumer experience.

Rosenbach Case

A mother brought the action on behalf of her fourteen-year old son, who provided his fingerprint in order to purchase a pass to the Six Flags Amusement Park. The park never asked for nor received his consent.

There was no dispute over the facts. Nonetheless, Six Flags argued that the plaintiff needed to prove some actual injury, and that mere collection of his biometric data was not enough to recover under the statute.

The Illinois Supreme Court roundly rejected the argument that the collection of Rosenbach’s data was merely “technical” in nature:

Such a characterization, however, misapprehends the nature of the harm our legislature is attempting to combat through this legislation. The Act vests in individuals and customers the right to control their biometric information by requiring notice before collection and giving them the power to say no by withholding consent. These procedural protections  “are particularly crucial in our digital world because technology now permits the wholesale collection and storage of an individual’s unique biometric identifiers—identifiers that cannot be changed if compromised or misused.”  When a private entity fails to adhere to the statutory procedures, as defendants are alleged to have done here, “the right of the individual to maintain [his or] her biometric privacy vanishes into thin air. The precise harm the Illinois legislature sought to prevent is then realized.” This is no mere “technicality.” The injury is real and significant. [citations omitted].

I want to highlight the next paragraph in the opinion, in which underscored a major concern of the state legislature — the Illinois General Assembly- in enacting such strong biometric privacy protection, by zeroing in on a characteristic unique to such identifiers. Once biometric identifiers or information are compromised, an individual cannot change them (as I discussed further here):

This construction of the law is supported by the General Assembly’s stated assessment of the risks posed by the growing use of biometrics by businesses and the difficulty in providing meaningful recourse once a person’s biometric identifiers or biometric information has been compromised. In enacting the law, the General Assembly expressly noted that

“[b]iometrics are unlike other unique identifiers that are used to access finances or other sensitive information. For example, social security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.”[citations omitted]

The court emphasized that it was in recognition of these risks that the legislature designed BIPA as it did, relying on two mechanisms to protect biometric privacy:

The strategy adopted by the General Assembly through enactment of the Act is to try to head off such problems before they occur. It does this in two ways. The first is by imposing safeguards to insure that individuals’ and customers’ privacy rights in their biometric identifiers and biometric information are properly honored and protected to begin with, before they are or can be compromised. The second is by subjecting private entities who fail to follow the statute’s requirements to substantial potential liability, including liquidated damages, injunctions, attorney fees, and litigation expenses “for each violation” of the law whether or not actual damages, beyond violation of the law’s provisions, can be shown.[citations omitted]

Consequences

The decision clears the way for more than 200 similar pending cases to proceed and will force companies that either operate in Illinois or have employees there, to re-evaluate how they collect and use biomaterial information. According to Foley & Lardner:

For the past decade, BIPA has become a heavily litigated piece of legislation that has involved class action lawsuits for high-profile companies. BIPA impacts a variety of entities (inclusive of, but not limited to, hospitals, providers, and pharmaceutical and device companies as well as employers that utilize biometric time clocks to record employees working hours or use biometrics for security or identity verification), and many continue to seek guidance on the interpretation of BIPA and how to effectively comply with it. Questions remain as to the applicability of BIPA in many fields and how entities may operate so as to ensure compliance with same in such instances of uncertainty.

To avoid exposure to lawsuits under BIPA, any entity with Illinois employees or that operates in Illinois and collects, stores, or uses biometric identifiers or information — whether that of its employees or its customers, guests, or visitors — they must ensure that they adopt and implement written policies and procedures regarding their collection, retention, disclosure, and destruction of this data to ensure that they are sufficient to comply with the strict standards and requirements of BIPA. Having these policies by themselves, however, is not enough. It is critical that entities, especially in an employer/employee context, provide notice to individuals that their biometric information is being collected, stored, and/or used. For employers, this can be part of the onboarding process, where a signed affirmation of receipt of the notice can be made a condition of employment. Doing so will help secure a strong defense to any claim that an employee lacked adequate BIPA notice. Developing policies and procedures that place individuals on notice of an entity’s collection/storage and use of biometric information is especially critical in light of the new precedent set by the Illinois Supreme Court, which opens the doors for more than 200 pending similar cases filed under the statute that accuse other businesses, including hotels and research entities, of violating BIPA for collecting biometric data without the accompanying disclosures or written consent. In addition, entities that do, or will have a need to, possess biometric data should immediately take steps to evaluate their need for collecting such information and assess whether there is an alternative way to accomplish business objectives without possessing this data. If it is determined that biometric identifiers must be used, entities should have a clear understanding of how their biometric software works. Organizations should consider agreements with third-party vendors, outlining the vendor’s responsibilities that at least certifies the vendor will comply with all applicable laws, and that the vendor will not disclose the information to third parties without written consent.

Clouds on the Horizon?

The Illinois Supreme Court decision is a strong win for biometric privacy, as groups such as the Electronic Frontier Foundation – which filed a friend of the court brief in support of the plaintiff’s position – recognize, according to Victory! Illinois Supreme Court Protects Biometric Privacy. It will no doubt lead some if not many companies to revise their biometric policies, so as to minimize their potential liability. Yet as this recent note, In Federal Court, Article III Standing Remains a Defense to Illinois Biometric Privacy Claims, from the Proskauer law firm argues, the path for plaintiffs to prevail in federal court may not be so clear:

Last Friday, the Illinois Supreme Court ruled in the long-awaited Rosenbach case that an individual does not have to plead an actual injury or harm, apart from the statutory violation itself, in order to have statutory standing to sue under the Illinois Biometric Information Privacy Act (BIPA). The Illinois Supreme Court ruling will allow procedural BIPA violations to proceed (and multiply) in state court – and has reportedly already prompted parties to settle such actions. However, recent rulings in federal court have offered a divergent interpretation of the related, but different Article III standing issue.

For example, several weeks prior to the Rosenbach decision, two decisions from the District Court for the Northern District of Illinois offered insight into the federal standing threshold for BIPA claims. While largely limited to their facts, the decisions present a defensive strategy for fending off BIPA claims in federal court. Faced with this latest batch of rulings, expect forum shopping by plaintiffs with more cases filed in state court and some careful calculations from defendants in deciding on removal and other litigation strategies.

I will not parse those standing arguments in detail here, except to say that federal courts may still bounce these claims on the basis that the plaintiffs lack standing to sue. For the non-lawyers, this means that a particular plaintiff may not be able to pursue a claim in federal court, as federal courts are courts of limited jurisdiction, and cannot hear every possible case.

And, I might add, that there is at least a theoretical possibility that a plaintiff might bring a case in state court, and that the defendant might remove the case to federal court. Business interests lobbied heavily for the Class Action Fairness Act (2005), which made it much easier for defendants to remove class actions to federal court; state courts, in general, are believed to be more favorable to plaintiffs than federal courts (a bias that will no doubt continue to apply, as Trump succeeds in sitting more federal judges.) Once a case has been removed to federal court, the defendant might then move to have the case dismissed on the basis that the plaintiff lacked standing, even though the plaintiff had originally filed the case in state court and was only in federal court because the defendant had removed the case to federal court.

The United States Court of Appeals for the Seventh Circuit — which includes Illinois — rejected the “dubious strategy” of a defendant removing to federal court and then moving to dismiss for the plaintiff’s lack of standing, in a 2018 case, Collier v. S P Plus Corp (see also this further discussion in the Wolf Popper law firm’s blog, Defendants Can’t Have It Both Ways: Seventh Circuit Rejects “Dubious Strategy” of Removing to Federal Court and then Seeking Dismissal for Lack of Standing under Spokeo). The court’s language was unusually strong. This decision would seemingly dissuade defendants from pursuing such a strategy in Illinois. Yet I I wouldn’t necessarily bet that other circuits, or the United States Supreme Court, will in future decide the issue in the same way.