Illinois Supreme Court Finds BIPA Violations Actionable, Even With No “Actual Injury”

January 29, 2019

On January 25, 2019, in Rosenbach v. Six Flags Entertainment Corporation, the Illinois Supreme Court unanimously held that a plaintiff may be “aggrieved” under Illinois’ Biometric Information Privacy Act (“BIPA”)—with statutory standing to sue for significant statutory damages—even without alleging an “actual injury” caused by the BIPA violation.[1]  In so holding, the Court reversed the appellate court’s contrary conclusion and—at least for now—appears to have put to rest one outstanding question in several federal and state court proceedings regarding the scope and availability of BIPA’s private right of action.  The Court’s decision is likely to lead to an increase in BIPA litigation in Illinois.  Other states, including Texas and Washington, have biometric privacy statutes,[2] but the Illinois law is the only one that allows for a private right of action.

BIPA Background 

Illinois enacted BIPA in 2008 in response to the increasing use of “biometric-facilitated financial transactions” in Illinois.  BIPA regulates the “collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information,” including retina or iris scans, fingerprints, voiceprints, and scans of hand or face geometry.[3]  Among other requirements, BIPA requires private entities to develop and follow a written, publicly-available policy for the retention and destruction of biometric identifiers, and to provide certain disclosures in writing and obtain a release before acquiring an individual’s biometric identifier or information.[4]

Persons “aggrieved by a violation” of BIPA have a private right of action under the statute and may sue for statutory remedies, including the greater of actual or liquidated damages of $1,000 (for negligent violations) or $5,000 (for intentional or reckless violations).[5]

BIPA’s private right of action has energized the Illinois plaintiffs’ bar, which in the last few years has filed dozens of proposed class action lawsuits against companies for their allegedly improper collection of alleged biometric information.  Plaintiffs in these cases have generally fallen into two categories: (1) employees of companies that allegedly utilize biometric information, such as fingerprints, for timekeeping purposes; and (2) customers of companies that use alleged biometric information to enhance the consumer experience.

The Rosenbach plaintiff fell into this second group.  Plaintiff Stacy Rosenbach—on behalf of her minor son, a customer of Six Flags Entertainment Corporation (“Six Flags”)—sued Six Flags after her son registered for a season pass at the amusement park.  Six Flags allegedly captured the thumbprints of season pass holders to facilitate entry into the park and limit loss from the unauthorized use of passes by non-pass-holders.  In her suit against Six Flags, Rosenbach alleged that Six Flags violated BIPA by capturing her son’s thumbprint without first providing written notice, obtaining written consent, and publishing a policy explaining how her son’s thumbprint would be used, retained, and destroyed.[6]  She alleged no actual harm beyond the violation of BIPA’s requirements.

The Issue in Rosenbach v. Six Flags

The question presented to the Illinois Supreme Court was whether a plaintiff is “aggrieved” under BIPA, and thus potentially eligible for statutory remedies including liquidated damages, when the only injury she alleges is that the defendant collected her biometric identifiers or biometric information without providing the required disclosures and obtaining written consent as required by the Act.[7]  The Second District Appellate Court held that a “technical violation” of the statute, without more, did not render a plaintiff “aggrieved” under BIPA.  Specifically, the appellate court stated that “there must be an actual injury, adverse effect, or harm in order for the person to be ‘aggrieved,’” and a “technical violation” alone does not suffice.[8]  If a “violation” were “actionable” by itself, the appellate court concluded, that “would render the word ‘aggrieved’ superfluous.”[9]

The Court’s Holding

Reversed.  The Illinois Supreme Court held that a plaintiff is “aggrieved” under BIPA—and has statutory standing to sue—when the plaintiff alleges a violation of her BIPA rights, even if the violation caused no “actual injury or adverse effect.”[10]  In other words, “[t]he violation, in itself, is sufficient to support the individual’s or customer’s statutory cause of action.”[11]

The Court found that BIPA creates a substantive right to control one’s own biometric information.  No-injury BIPA violations are not merely “technicalities,” the Court held, but “real and significant” harms to important rights created by the Illinois legislature.[12]  The Court also reasoned that the private right of action and remedies exist to prevent and deter violations of individuals’ BIPA rights.  Requiring would-be plaintiffs to wait to sue until they have suffered “actual injury” would defeat these purposes of the statute.[13]

Because the Rosenbach plaintiff alleged violations of his BIPA rights—Six Flags allegedly collected his fingerprints for use in a season pass without providing the statutorily mandated notices or publishing a data retention policy—the Supreme Court reversed the appellate court’s contrary decision and remanded the case to the trial court.

What to Expect

  • Expect more class action litigation on BIPA claims from the Illinois plaintiffs’ bar.   Companies that do business in Illinois and collect or use biometric identifiers or biometric information should examine their policies for BIPA compliance.
  • Biometric identifier is defined to mean “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”[14]  Writing samples, signatures, photographs, demographic data, physical descriptions, and biological samples used for scientific testing are not biometric identifiers.[15]
  • Biometric information is any information “based on an individual’s biometric identifier used to identify an individual.”[16]
  • BIPA Basics: 
    • Private entities may not collect biometric information or identifiers (“biometrics”) without first:  (1) providing written notice of the collection that describes the purpose and terms of the collection and storage, and (2) obtaining written consent.[17]
    • Private entities may not sell, rent, or disclose biometrics without prior written consent.[18]
    • Private entities also must develop and make publicly available a data retention policy that sets forth a “retention schedule and guidelines for permanently destroying [biometrics] when the initial purpose for collecting or obtaining [them] has been satisfied or within 3 years of the individual’s last interaction with the private entity, whichever occurs first.”[19]
    • Private entities must store and protect biometrics according to the reasonable standard of care of the entities’ industry and in a manner that is as protective or more protective than the manner in which the entity stores and protects other sensitive information.[20]
  • Expect additional developments in the federal courts regarding whether BIPA plaintiffs have Article III standing.  Post-Rosenbach, BIPA plaintiffs need not allege an “actual injury” beyond the statutory violation to state a claim under the statute.  But to satisfy the Article III standing requirements necessary to pursue a claim in federal court, plaintiffs may need to allege more than a statutory violation.  To date, federal courts have been split on what type of injury, short of economic harm, may be sufficient to create Article III standing for BIPA plaintiffs.[21]
  • Expect additional litigation over the scope of Illinois’ standing doctrine.  Amici for Six Flags urged the Illinois Supreme Court to consider an alternate ground for affirmance:  that Rosenbach lacked standing to sue under the Illinois constitution.  The Court did not address the issue.  In lieu of a statutory standing argument, more BIPA defendants may press a state constitutional standing argument in an effort to void plaintiffs’ claims.
  • Look for additional changes in BIPA’s terms.  This year, the Illinois State Senate will consider a bill narrowing the impact of BIPA.[22]

[1] 2019 IL 123186 (Ill. Jan. 25, 2019).

[2] See Tex. Bus. & Com. Code § 503.001 et seq.; Wash. Rev. Code § 19.375.010 et seq.

[3] 740 Ill. Comp. Stat. 14/5(a), (b), (g).

[4] 740 Ill. Comp. Stat. 14/15(a), (b).

[5] 740 Ill. Comp. Stat. 14/20.

[6] Rosenbach, 2019 IL 123186 at ¶¶ 4-9.

[7] Id. ¶ 14.

[8] Rosenbach v. Six Flags Entm’t Corp., 2017 IL App (2d) 170317, at ¶ 20 (Ill. App. Ct. 2017).

[9] Id. at ¶ 23.

[10] Rosenbach, 2019 IL 123186 at ¶ 33.

[11] Id. ¶ 33.

[12] Id. ¶ 34.

[13] Id. ¶ 37.

[14] 740 Ill. Comp. Stat. 14/10.

[15] Id.

[16] Id.

[17] 740 Ill. Comp. Stat. 14/15(b).

[18] 740 Ill. Comp. Stat. 14/15(c).

[19] 740 Ill. Comp. Stat. 14/15(a).

[20] 740 Ill. Comp. Stat. 14/15(e).

[21] Compare, e.g., Monroy v. Shutterfly, 2017 WL 4099846, *8 n.5 (N.D. Ill. Sept. 15, 2017) (collection and violation of privacy interest create Article III standing for BIPA claimant) with Santana v. Take-Two Interactive Software, Inc., 717 F. App’x 12, 17 (2d Cir. 2017) (collection of biometrics without adequate notices creates no “risk of real harm” and therefore does not create Article III standing for BIPA claimant) and Rivera v. Google, Inc., No. 16-cv-02714, 2018 WL 6830332, at *6 (N.D. Ill. Dec. 29, 2018) (alleged privacy violation does not create Article III standing for BIPA claimant).

[22] S.B. 3053, 2018 Reg. Sess. (Ill. 2018).

Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these issues.  For further information, please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Privacy, Cybersecurity and Consumer Protection or Labor and Employment practice groups, or the authors:

Jason C. Schwartz – Washington, D.C. (+1 202-955-8242)
Joshua A. Jessen – Orange County/Palo Alto (+1 949-451-4114/+1 650-849-5375)
Erin Morgan – Washington, D.C. (+1 202-887-3577)

© 2019 Gibson, Dunn & Crutcher LLP
Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.