Late last month, an Illinois appellate court reversed a lower court’s dismissal of biometric privacy claims against a tanning salon franchisee that had collected the plaintiff’s fingerprint to allow entry in its own salon and any L.A. Tan salon location nationwide. (Sekura v. Krishna Schaumburg Tan, Inc., 2018 IL App (1st) 180175 (Ill. App. Sept. 28, 2018)). The plaintiff alleged that the tanning salon violated the Biometric Information Privacy Act (BIPA), which regulates the collection, retention, and disclosure of personal biometric identifiers and biometric information, by collecting her fingerprints without obtaining the required written release and providing the required disclosure concerning its retention policy, and further by disclosing her fingerprints to a third-party vendor. [Note: In 2016, in a separate suit, the same plaintiff settled BIPA claims with L.A. Tan Enterprises, Inc., operator (directly and through franchisees) of L.A. Tan tanning salons].
In allowing the suit to go forward, the appellate court held that a litigant may sue for a violation of BIPA without proving additional harm. BIPA expressly provides that “any person aggrieved by a violation” of the statute may pursue money damages and injunctive relief against the offending party. Notably, the Sekura court distinguished the Rosenbach decision – the only Illinois state appellate panel to rule on the “aggrieved” party issue under BIPA, and which held that a person “aggrieved” by a violation of the Act must allege an injury or harm in addition to the violation of the Act. In Sekura, the court held that even it were to follow its sister court’s decision in Rosenbach, the plaintiff’s allegations that the tanning salon disclosed her fingerprint to a third-party vendor constituted harm enough to make plaintiff an “aggrieved” party.
“To be clear, we find that the statutory violations to plaintiff’s privacy constituted harm even without disclosure, but the disclosure in the case at bar makes it distinguishable from Rosenbach.”
Interestingly, the Sekura court also stated that the plaintiff’s allegations of mental anguish over what would happen to her biometric data if the tanning salon went bankrupt also constituted an injury or adverse effect.
The outcome of Sekura is in line with the Dixon case from this summer, where an Illinois federal court followed Rosenbach yet still declined to dismiss a BIPA suit brought by a former employee who asserted BIPA and negligence claims against a senior living center, among others, over the scanning of her fingerprints onto an employee biometric timekeeping device and the alleged disclosure of the data to an out-of-state vendor. The Dixon court noted that the allegation that the defendant disclosed plaintiff’s fingerprint data to its third-party vendor without informing her distinguished this case from others in which alleged violations of BIPA were determined insufficiently concrete.
Looking ahead, it remains to be seen how courts will interpret the meaning of “aggrieved” under BIPA (and how such interpretation will affect class certification issues). Regardless, we will likely see more plaintiffs’ lawyers drafting complaints, where factually appropriate, to allege third-party disclosure of biometric data and mental anguish claims to overcome standing and statutory challenges. Some clarity will presumably arrive soon, as this past May the Illinois Supreme Court accepted the appeal of the Rosenbach decision where the high court will answer the question of whether a person “aggrieved” by a violation of BIPA must allege some injury or harm beyond a procedural violation (Note: the appeal is fully briefed, including numerous amicus briefs submitted in support of both parties; oral argument has not been scheduled).
Still, even if the Illinois Supreme Court returns a business-friendly ruling that an aggrieved party must show a harm beyond a procedural violation of BIPA, we will likely be left with a dichotomy of sorts – what we might call Rosenbach claims and Rosenbach+ claims. The current appeal will likely resolve issues of pure procedural violations (Rosenbach claims), where plaintiffs are generally on notice about the collection and use of biometric data but do not allege any purported harms beyond violations of statutory rights under BIPA, but may not answer exactly what is a concrete harm under the statute. Indeed, as we’ve seen in the Sekura decision, litigants have adapted since the decision and have managed, in several instances, to survive dismissal motions by asserting that employers or companies not only failed to follow BIPA’s procedural notice and consent requirements but also disclosed biometric data to outside vendors for processing without consent (Rosenbach+ claims). It is the latter harm (and now perhaps even claims of mental anguish as well) where courts may distinguish Rosenbach to allow BIPA suits to survive dismissal. Ultimately, perhaps the Sekura decision will be appealed and joined with the Rosenbach appeal, but we will have to wait and see.
We will continue to monitor these emerging developments in biometric privacy litigation, including the important biometric privacy litigation still ongoing in California.