On January 25, the Illinois Supreme Court sided with consumers in issuing a unanimous decision that a Six Flags season pass holder could bring a claim under Illinois’ Biometric Information Privacy Act (the “BIPA”) based on the amusement park’s collection of customer fingerprints—even absent allegations of real-world injury.  This opinion provides a boost to the state’s unique privacy law and the hundreds of pending cases involving allegations under the law.  A copy of the full opinion can be found here.

Plaintiff Stacy Rosenbach filed her complaint against Six Flags, alleging that the park had violated the BIPA.  Specifically, she alleged that the park’s fingerprinting process for issuing repeat-entry passes to its park violated the BIPA because neither she nor her minor son (1) were informed in writing or in any other way of the specific purpose and length of term for which his fingerprint had been collected; (2) signed any written release regarding taking of the fingerprint; or (3) consented in writing to the “collection, storage, use, sale, lease, dissemination, disclosure, redisclosure, or trade of, or for [defendants] to otherwise profit from,” her son’s fingerprint or associated biometric identifiers or information.  Rosenbach further alleged that Six Flags had not publicly disclosed what it had done with the information or how long it would be kept and that it did not have any written policy available to the public disclosing its retention schedule or any guidelines for retaining or permanently destroying biometric identifiers and biometric information.  She alleged that she never would have purchased a pass had she known the full extent of the company’s conduct.

The intermediate appellate court held that Rosenbach was not aggrieved within the meaning of the BIPA and could not pursue either damages or injunctive relief based on the allegations in the complaint.  The Court held that she was required to allege additional injury or adverse effect, which need not be pecuniary, but which must be more than a “technical violation of the Act.”

The Illinois high court reversed, holding that Rosenbach could be considered an “aggrieved person” based solely on the premise that her son’s fingerprint was taken without consent.  Specifically, the Supreme Court held that the Illinois legislature did not intend for consumers to have to claim that their data was separately stolen or misused to have standing under the BIPA.  The Court held that to require individuals to wait until they “sustained some compensable injury beyond violation of their statutory rights before they may seek recourse . . . would be completely antithetical to the act’s preventative and deterrent purposes.”  The Court also explained that when a private entity fails to adhere to the statutory procedures, “‘the right of the individual to maintain [his or] her biometric privacy vanishes into thin air,’” citing a recent ruling from a Federal District Court in California involving similar claims against Facebook relating to the collection and storage of user’s facial scans.  The Court dismissed arguments relating to the difficulty of compliance, holding that “whatever expenses a business might incur to meet the law’s requirements are likely to be insignificant compared to the substantial and irreversible harm that could result if biometric identifiers and information are not properly safeguarded.”

The decision will provide support for a flood of recent lawsuits filed under the BIPA, which requires that companies that capture individuals’ biometric information, such as a fingerprint, voice sample, or retina scan, obtain written consent and disclose how they use, store, and destroy that data.  The BIPA is the nation’s only biometric privacy law with a private right of action, and hundreds of pending lawsuits allege that supermarkets, hotels, and other businesses have violated the law, including in the context of requiring employees to use fingerprint-based timekeeping systems.

Troutman Sanders will continue to monitor how state and federal courts analyze consumer data privacy issues such as this, including any developments under the BIPA.