In recent years, the use of biometrics in business has been growing. In the employment context, for example, some employers use biometric time clocks, which allow employees to “clock in” with a fingerprint or iris scan. Unlike a password or social security number, however, an individual’s biometric identifier or information cannot be changed or replaced if compromised. In the event of a data breach, individuals may have no recourse against identity theft, due to the biologically unique nature of biometrics.
Recognizing this risk, in 2008 the Illinois legislature passed the Illinois Biometric Information Privacy Act (“BIPA”), which regulates private entities’ collection, retention, disclosure, and destruction of biometric identifiers and information. A biometric identifier is a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Biometric information is broader, and refers to any information “based on an individual’s biometric identifier used to identify an individual.”
The Act even creates a private right of action for any person “aggrieved” by a BIPA violation. Over the last year, litigants have taken advantage of this right of action, and filed numerous class actions under BIPA. An issue that arises early on in these cases is whether the plaintiffs have standing, that is, whether they have been “aggrieved,” such that they have a right to sue under the statute. Just before the new year, an Illinois appellate court considered the standing issue in Rosenbach v. Six Flags Entertainment Corporation and addressed what it takes to be an “aggrieved person.”
In Rosenbach, the defendants took fingerscans of the plaintiff’s son when he purchased a season pass for the theme park Six Flags. The defendants collected, recorded, and stored this biometric data as part of their security process for entry into the theme park. However, the plaintiff alleged defendants did not obtain written consent before scanning her son’s finger or disclose their plan for the collection, storage, use, or destruction of season pass-holder fingerprint scans. The plaintiff’s only alleged injury was that she would not have allowed her son to purchase the season pass had she known of the defendants’ conduct.
In an interlocutory appeal, the appellate court was asked to answer certified questions regarding what it means to be an aggrieved person under the statute. The court held that a person is aggrieved, and therefore has a right to sue under BIPA, only if he or she has suffered some actual injury or adverse effect. This is similar to the U.S. Supreme Court’s Spokeo standard for Article III standing, which requires a plaintiff’s injury-in-fact to be both concrete and particularized. A technical violation of BIPA, without more, does not give a plaintiff a right to sue under the statute. Having answered the certified questions before it, the appellate court remanded the case for further litigation.
Although the Rosenbach opinion is not yet released for publication, it may be a useful indicator of how courts will scrutinize BIPA claims. Illinois businesses that use or plan to use biometric identifiers and information should be mindful of BIPA’s requirements so as not to invite litigation. Before collecting biometric identifiers or information, a private entity must:
- Inform the subject in writing that a biometric identifier or information is being collected or stored;
- Inform the subject in writing of the purpose and length of time for which the biometric identifier or information is being collected, stored, and used; and
- Receive a written release from the subject.
Private entities that possess biometric identifiers or information must also develop a publicly available written policy setting forth a retention schedule and guidelines for permanent destruction.
The statute’s strict penalties underscore the importance of complying with BIPA’s requirements. A successful plaintiff may recover up to $1,000 for negligent violations and $5,000 for intentional violations, as well as attorneys’ fees and costs. In order to avoid these harsh damages, which may be compounded in a class action, businesses that use or seek to use biometrics should consult counsel to ensure compliance.