Technical Failure Leads to Private Causes of Action Under Illinois' Biometric Information Privacy Act
We love convenience. Unlocking phones or door locks at the touch of a finger or a glance. Having a fool-proof and secure way of identifying others with minimal effort or chance of error. Not having to remember a myriad of passwords because biometric authentication does the job. However, anyone operating a system that relies on gathering, maintaining, and using biometrics, from a fingerprint to a face, must be careful. Even without an actual breach of biometric identifiers, failure to comply with the applicable standards may lead to disastrous results. Recently, the Illinois Supreme Court ruled in Rosenbach v. Six Flags Entertainment Corporation that even though no "actual injury" occurred, a technical failure to comply with Illinois' Biometric Information Privacy Act, or "BIPA," would be enough to create a private cause of action. This single decision is now rippling through federal courts across the United States, including those within the 9th Circuit.
What Happened to Six Flags?
Plaintiffs alleged a violation of BIPA by Six Flags based on its implementation of the season pass holder system for its park located in Illinois. Under this system, Six Flags would take the thumbprint of an individual, hand them a season pass holder card, and the individual, by virtue of the card and the thumbprint, would be permitted access into the park. Six Flags had not suffered a breach that exposed any of the data of its season pass holders, and that was not a subject of the lawsuit. However, Plaintiffs argued that the lack of an "actual injury" did not matter here.
The lawsuit was based heavily on BIPA, passed by Illinois in 2008. BIPA requires that any business collecting biometric information within Illinois:
- Inform individuals in writing that their biometric information is being collected or stored;
- Inform individuals in writing about the purposes for collecting the information or for how long it would be kept; and
- Obtain a written release authorizing the collection of information.
Violations of BIPA are subject to private actions, with businesses being liable for up to $5,000.00 per aggrieved consumer.
The complaint alleged that Six Flags did none of these, but the court has not yet ruled on whether a violation occurred. Previous lawsuits and other defendants had argued that an "actual injury" needed to occur for the private cause of action to arise. This line of argument was unsuccessful. The text of the statute did not specifically mention such a requirement, and the Illinois Supreme Court refused to read one in. As such, the Court held that the private action created by BIPA does not require that an actual injury be suffered, such as a data breach or a theft of the biometric information; allegations that a technical violation of the law occurred are enough to bring an action.
Why the Focus on Actual Injury?
To date, only two other states have passed biometric privacy laws, Texas and Washington, and neither includes the private right of action present in BIPA. However, other states, like California, have privacy laws that address biometric information and give rights to residents regarding biometric data.
It should be noted that only BIPA contains a private cause of action without an actual injury requirement. This has caused a problem for multi-state businesses doing business in Illinois because:
- Businesses tend to have standard procedures when collecting biometric data; and
- Illinois residents do not need to wait for a data breach or an injury resulting from a failure to comply.
This makes BIPA ripe for class action claims, as businesses that use biometric data and operate across the United States may have collection practices that do not meet the requirements of BIPA.
What to Watch For?
Biometric data is still a relatively new term used in law. Generally, a definition of biometric data includes hand scans, fingerprints, retina scans, eye scans, and facial geometry scans.
Some of these inclusions seem to be listed specifically to thwart schemes taken from the plot of a Mission Impossible film. However, facial geometry is proving to be a heavy point of contention. Facial geometry, unlike fingerprints or hand prints, is more easily accessible, and due to social media, arguments have been made that there is no privacy as to a person's facial geometry. Companies like Apple, Facebook, Google, and Amazon have developed programs and systems allowing the identification of people through facial analysis, and have already drawn the ire of Illinois plaintiffs suing under BIPA.
This single identifier has spurred lobbying efforts to either exclude facial identifiers or otherwise curtail and limit biometric privacy bills across the United States.
Expect more class actions to occur from Illinois plaintiffs regarding BIPA, and for lobbying to continue and intensify across the United States to curtail or adjust biometrics laws. Importantly, any entity that does not keep biometric data policies in mind risks hefty penalties.
Kyle Janecek is an associate in the firm’s Privacy & Data Security practice, and supports the team in advising clients on cyber related matters, including policies and procedures that can protect their day-to-day operations. For more information on how Kyle can help, contact him at [email protected].