January 29, 2019
On January 25, 2019, in Rosenbach v. Six Flags Entertainment Corporation, the Illinois Supreme Court unanimously held that a plaintiff may be “aggrieved” under Illinois’ Biometric Information Privacy Act (“BIPA”)—with statutory standing to sue for significant statutory damages—even without alleging an “actual injury” caused by the BIPA violation.[1] In so holding, the Court reversed the appellate court’s contrary conclusion and—at least for now—appears to have put to rest one outstanding question in several federal and state court proceedings regarding the scope and availability of BIPA’s private right of action. The Court’s decision is likely to lead to an increase in BIPA litigation in Illinois. Other states, including Texas and Washington, have biometric privacy statutes,[2] but the Illinois law is the only one that allows for a private right of action.
BIPA Background
Illinois enacted BIPA in 2008 in response to the increasing use of “biometric-facilitated financial transactions” in Illinois. BIPA regulates the “collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information,” including retina or iris scans, fingerprints, voiceprints, and scans of hand or face geometry.[3] Among other requirements, BIPA requires private entities to develop and follow a written, publicly-available policy for the retention and destruction of biometric identifiers, and to provide certain disclosures in writing and obtain a release before acquiring an individual’s biometric identifier or information.[4]
Persons “aggrieved by a violation” of BIPA have a private right of action under the statute and may sue for statutory remedies, including the greater of actual or liquidated damages of $1,000 (for negligent violations) or $5,000 (for intentional or reckless violations).[5]
BIPA’s private right of action has energized the Illinois plaintiffs’ bar, which in the last few years has filed dozens of proposed class action lawsuits against companies for their allegedly improper collection of alleged biometric information. Plaintiffs in these cases have generally fallen into two categories: (1) employees of companies that allegedly utilize biometric information, such as fingerprints, for time keeping purposes; and (2) customers of companies that use alleged biometric information to enhance the consumer experience.
The Rosenbach plaintiff fell into this second group. Plaintiff Stacy Rosenbach—on behalf of her minor son, a customer of Six Flags Entertainment Corporation (“Six Flags”)—sued Six Flags after her son registered for a season pass at the amusement park. Six Flags allegedly captured the thumbprints of season pass holders to facilitate entry into the park and limit loss from the unauthorized use of passes by non-pass-holders. In her suit against Six Flags, Rosenbach alleged that Six Flags violated BIPA by capturing her son’s thumbprint without first providing written notice, obtaining written consent, and publishing a policy explaining how her son’s thumbprint would be used, retained, and destroyed.[6] She alleged no actual harm beyond the violation of BIPA’s requirements.
The Issue in Rosenbach v. Six Flags
The question presented to the Illinois Supreme Court was whether a plaintiff is “aggrieved” under BIPA, and thus potentially eligible for statutory remedies including liquidated damages, when the only injury she alleges is that the defendant collected her biometric identifiers or biometric information without providing the required disclosures and obtaining written consent as required by the Act.[7] The Second District Appellate Court held that a “technical violation” of the statute, without more, did not render a plaintiff “aggrieved” under BIPA. Specifically, the appellate court stated that “there must be an actual injury, adverse effect, or harm in order for the person to be ‘aggrieved,’” and a “technical violation” alone does not suffice.[8] If a “violation” were “actionable” by itself, the appellate court concluded, that “would render the word ‘aggrieved’ superfluous.”[9]
The Court’s Holding
Reversed. The Illinois Supreme Court held that a plaintiff is “aggrieved” under BIPA—and has statutory standing to sue—when the plaintiff alleges a violation of her BIPA rights, even if the violation caused no “actual injury or adverse effect.”[10] In other words, the “[t]he violation, in itself, is sufficient to support the individual’s or customer’s statutory cause of action.”[11]
The Court found that BIPA creates a substantive right to control one’s own biometric information. No-injury BIPA violations are not merely “technicalities,” the Court held, but “real and significant” harms to important rights created by the Illinois legislature.[12] The Court also reasoned that the private right of action and remedies exist to prevent and deter violations of individuals’ BIPA rights. Requiring would-be plaintiffs to wait to sue until they have suffered “actual injury” would defeat these purposes of the statute.[13]
Because the Rosenbach plaintiff alleged violations of his BIPA rights—Six Flags allegedly collected his fingerprints for use in a season pass without providing the statutorily mandated notices or publishing a data retention policy—the Supreme Court reversed the appellate court’s contrary decision and remanded the case to the trial court.
What to Expect
[1] 2019 IL 123186 (Ill. Jan. 25, 2019).
[2] See Tex. Bus. & Com. Code § 503.001 et seq.; Wash. Rev. Code § 19.375.010 et seq.
[3] 740 Ill. Comp. Stat. 14/5(a), (b), (g).
[4] 740 Ill. Comp. Stat. 14/15(a), (b).
[5] 740 Ill. Comp. Stat. 14/20.
[6] Rosenbach, 2019 IL 123186 at ¶¶ 4-9.
[7] Id. ¶ 14.
[8] Rosenbach v. Six Flags Entm’t Corp., 2017 IL App (2d) 170317, at ¶ 20 (Ill. App. Ct. 2017).
[9] Id. at ¶ 23.
[10] Rosenbach, 2019 IL 123186 at ¶ 33.
[11] Id. ¶ 33.
[12] Id. ¶ 34.
[13] Id. ¶ 37.
[14] 740 Ill. Comp. Stat. 14/10.
[15] Id.
[16] Id.
[17] 740 Ill. Comp. Stat. 14/15(b).
[18] 740 Ill. Comp. Stat. 14/15(c).
[19] 740 Ill. Comp. Stat. 14/15(a).
[20] 740 Ill. Comp. Stat. 14/15(e).
[21] Compare e.g., Monroy v. Shutterfly, 2017 WL 4099846, *8 n.5 (N.D. Ill. Sept. 15, 2017) (collection and violation of privacy interest create Article III standing for BIPA claimant) with Santana v. Take-Two Interactive Software, Inc., 717 F. App’x 12, 17 (2d Cir. 2017) (collection of biometrics without adequate notices creates no “risk of real harm” and therefore does not create Article III standing for BIPA claimant) and Rivera v. Google, Inc., No. 16-cv-02714, 2018 WL 6830332, at *6 (N.D. Ill. Dec. 29, 2018) (alleged privacy violation does not create Article III standing for BIPA claimant).
[22] S.B. 3053, 2018 Reg. Sess. (Ill. 2018).
Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these issues. For further information, please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Privacy, Cybersecurity and Consumer Protection or Labor and Employment practice groups, or the authors:
Jason C. Schwartz – Washington, D.C. (+1 202-955-8242, [email protected])
Joshua A. Jessen – Orange County/Palo Alto (+1 949-451-4114/+1 650-849-5375, [email protected])
Erin Morgan – Washington, D.C. (+1 202-887-3577, [email protected])
Please also feel free to contact any of the following practice group leaders and members:
Privacy, Cybersecurity and Consumer Protection Group:
Alexander H. Southwell – Co-Chair, New York (+1 212-351-3981, [email protected])
M. Sean Royall – Dallas (+1 214-698-3256, [email protected])
Debra Wong Yang – Los Angeles (+1 213-229-7472, [email protected])
Ryan T. Bergsieker – Denver (+1 303-298-5774, [email protected])
Christopher Chorba – Los Angeles (+1 213-229-7396, [email protected])
Richard H. Cunningham – Denver (+1 303-298-5752, [email protected])
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, [email protected])
Joshua A. Jessen – Orange County/Palo Alto (+1 949-451-4114/+1 650-849-5375, [email protected])
Kristin A. Linsley – San Francisco (+1 415-393-8395, [email protected])
H. Mark Lyon – Palo Alto (+1 650-849-5307, [email protected])
Shaalu Mehra – Palo Alto (+1 650-849-5282, [email protected])
Karl G. Nelson – Dallas (+1 214-698-3203, [email protected])
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, [email protected])
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, [email protected])
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, [email protected])
Labor and Employment Group:
Catherine A. Conway – Co-Chair, Los Angeles (+1 213-229-7822, [email protected])
Jason C. Schwartz – Co-Chair, Washington, D.C. (+1 202-955-8242, [email protected])
© 2019 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.