Can a consumer sue if a company took that consumer’s biometric information without first getting the consumer’s informed consent? Yes, said the Illinois Supreme Court in a January 25, 2019 unanimous opinion in Rosenbach v. Six Flags Entertainment Corporation. This decision is a clear win for consumer privacy. (Disclosure: I served as co-counsel on an amicus brief filed in the case on behalf of Illinois PIRG Education Fund, the ACLU, the ACLU of Illinois, the Center for Democracy & Technology, the Chicago Alliance Against Sexual Exploitation, the Electronic Frontier Foundation, and Lucy Parsons Labs.)
At issue in the case was how to interpret the word “aggrieved” in Illinois’ Biometric Information Privacy Act (BIPA). The statute creates an express private right of action for “[a]ny person aggrieved by a violation of this Act.” The law prohibits private entities from collecting a person’s biometric information (like a fingerprint) unless they first inform the individual in writing that biometric information will be collected, of the specific purpose for the collection, and of the length of time that the information will be stored, and receive a written release from the individual. In Rosenbach, there was no question that Six Flags had collected the plaintiff’s thumbprint without getting informed consent, but the plaintiff did not allege any harm beyond the violation of his statutory privacy rights.
BIPA does not define “aggrieved,” so the court looked to the definition that was “embedded in [Illinois’] jurisprudence when the Act was adopted”—to be “aggrieved . . . simply ‘means having a substantial grievance; a denial of some personal or property right.’” In the court’s opinion, this definition is consistent with the “plain and ordinary meaning” of “aggrieved,” which one dictionary defined as “suffering from an infringement or denial of legal rights.”
According to the court, the Illinois legislature, when it passed BIPA, “codified that individuals possess a right to privacy in and control over their biometric identifiers and biometric information.” The court found that arguing that such violations of the law are merely “technical” in nature “misapprehends the nature of the harm [the Illinois] legislature is attempting to combat through this legislation.” The loss of an individual’s right to maintain his or her biometric privacy is a “real and significant” injury and is not a mere “technicality.”
In addition, the court concluded that its reading of the statute was also supported by the legislature’s identification of the “risks posed by the growing use of biometrics by businesses and the difficulty in providing meaningful recourse once a person’s biometric identifiers or biometric information has been compromised.” Thus, the strategy pursued by the legislature was to “head off such problems before they occur.”
Importantly, the court noted that subjecting private entities that fail to follow the statute’s requirements to “substantial potential liability” is integral to the implementation of the legislature’s objectives. Other than a private right of action, no other enforcement mechanism is available. Thus, “[i]t is clear that the legislature intended for this provision to have substantial force.”
This passage highlights the court’s reasoning particularly well:
When private entities face liability for failure to comply with the law’s requirements without requiring affected individuals or customers to show some injury beyond violation of their statutory rights, those entities have the strongest possible incentive to conform to the law and prevent problems before they occur and cannot be undone. Compliance should not be difficult; whatever expenses a business might incur to meet the law’s requirements are likely to be insignificant compared to the substantial and irreversible harm that could result if biometric identifiers and information are not properly safeguarded; and the public welfare, security, and safety will be advanced. That is the point of the law. To require individuals to wait until they have sustained some compensable injury beyond violation of their statutory rights before they may seek recourse, as defendants urge, would be completely antithetical to the Act’s preventative and deterrent purposes.
The full opinion is available here. Additional commentary from the Electronic Frontier Foundation is available here and from the Center for Democracy & Technology is available here.