In a unanimous decision, the Illinois Supreme Court found that a Six Flags pass holder had a valid claim as an “aggrieved person” under the Illinois Biometric Privacy Act of 2008 (“BIPA”), hence having the right to bring an action for damage under BIPA for actual or liquidated damages, whichever amount is greater, despite not alleging actual harm. The case originally arose out of Six Flags collection of the thumbprints of the plaintiff’s son after he purchased a season pass for the theme park on a school field trip.
BIPA is the most stringent statute in the nation regulating biometric information and applies to the collection, use, safeguarding, handling, storage, retention and destruction of biometric identifiers and biometric information. BIPA creates a private right of action for a person aggrieved by a violation of the statute, with damages ranging from liquidated damages of $1,000 or actual damages for a negligent violation (whichever is greater), to liquidated damages of $5,000 or actual damages for an intentional or reckless violation (whichever is greater). Attorney’s fees and litigation costs or other relief, including an injunction, are also permitted under the statute. The law was enacted in response to the growing use of biometrics in the business and security screening sectors, and in recognition of the fact that biometrics are unlike other unique identifiers used to access finances or other sensitive information.
The plaintiff in this case did not allege that the thumbprints were stolen or misused as a result of their collection by Six Flags. Rather, the complaint alleged Six Flags violated BIPA by:
- Collecting and storing biometric data from the plaintiff’s son without informing her or her son in writing that the information was being collected or stored.
- Failing to inform the plaintiff or her son of the purpose for which the information was collected or length of time it would be kept or used.
- Failing to obtain a written release executed by the plaintiff or her son before collecting the information.
Six Flags argued that the plaintiff did not have a claim under BIPA because plaintiff did not allege that any harm resulted from the collection of her son’s thumbprints, so was not an “aggrieved person” under BIPA with standing to bring the action. In support, the defendant relied on the Illinois Appellate Court’s holding at the appellate level, 2017 IL App (2d) 170317, that indicated a defendant’s technical violation of the statute was not enough for a plaintiff to pursue damages as an aggrieved person under the act. At the appellate level, the court held that an injury or adverse effect must be alleged, and that it need not be pecuniary but must be more than a “technical violation of the Act.”
The court found that an “aggrieved person” under BIPA need not have “sustained actual damage beyond violation of his or her rights under the Act in order to bring an action under it.” The court reasoned that this definition of aggrieved is consistent with definitions of aggrieved in the dictionary, as well as other Illinois court decisions.
The court also looked to the intent of BIPA, stating that the intent of the legislature was to “try to head off such problems before they occur,” by safeguarding privacy rights in biometric information before they can be compromised, as well as subjecting those who do not comply with the law’s requirements to liability. The court reasoned, “[w]hen private entities face liability for failure to comply with the law’s requirements without requiring affected individuals or customers to show some injury beyond violation of their statutory rights, those entities have the strongest possible incentive to conform to the law and prevent problems before they occur and cannot be undone.“ Requiring individuals to sustain injury before they can seek relief “would be completely antithetical to the Act’s preventative and deterrent purposes.”
This decision will likely have far-reaching implications for companies collecting biometric data from a variety of individuals and in a number of contexts. An increasing number of companies are electing to utilize biometric data in a variety of new ways to create efficiencies, such as for timekeeping purposes for employees to clock in and out. The Six Flags case serves as a reminder to ensure strict compliance with BIPA. Included in these requirements is obtaining consent from individuals, establishing a retention schedule and guidelines for destroying biometric identifiers, and informing individuals not only of the collection, but also what it is being used for and how it is being retained (including the length of time that biometric data is being stored). Companies are also required to develop a written policy that establishes guidelines for the collection and destruction of biometric data under BIPA’s requirement.