On January 25, 2019, in a closely watched case, the Illinois Supreme Court ruled that a plaintiff need not allege or demonstrate actual harm to have standing to pursue a claim under the Illinois Biometric Information Privacy Act (“BIPA”). Rosenbach v. Six Flags Ent. Corp., No. 123186.[1]
The Court reasoned that technical non-compliance with BIPA is sufficient to confer standing for the following reasons:
Through the Act, our General Assembly has codified that individuals possess a right to privacy in and control over their biometric identifiers and biometric information. The duties imposed on private entities by section 15 of the Act (740 ILCS 14/15 (West 2016)) regarding the collection, retention, disclosure, and destruction of a person’s or customer’s biometric identifiers or biometric information define the contours of that statutory right. Accordingly, when a private entity fails to comply with one of [BIPA’s] requirements, that violation constitutes an invasion, impairment, or denial of the statutory rights of any person or customer whose biometric identifier or biometric information is subject to the breach. … [S]uch a person or customer would clearly be ‘aggrieved’ within the meaning of [the BIPA] and entitled to seek recovery under that provision. No additional consequences need be pleaded or proved. The violation, in itself, is sufficient to support the individual’s or customer’s statutory cause of action.
(emphasis added.)
This ruling has significant implications for employers with Illinois operations, as it compromises their ability to obtain dismissals of cases that turn on technical statutory violations (e.g., where biometric information was not disclosed to third parties). First, in the class action context, alleged damages amounts that are disproportionate to the nature of violations can potentially add up quickly. Indeed, BIPA provides for liquidated damages of $1,000 for each negligent violation, and $5,000 for each willful violation (it also allows a prevailing employee to recover attorneys’ fees, expert witness fees, and litigation costs and expenses). Second, BIPA is considered one of the most stringent biometric data protection laws in the country. Third, approximately 200 BIPA class actions are reportedly pending in Illinois, and this decision is likely to fuel a new wave of BIPA class actions. Thus, employers would be well-advised to immediately examine whether they are complying with all of BIPA’s technical requirements.
[1] We previously blogged about developments in this case here. As we noted, BIPA governs how Illinois employers can collect and use biometric information from consumers and employees. BIPA requires that prior to a company’s collection of biometric information, it must: (i) notify the consumer or employee in writing that his or her biometric information is being collected; (ii) obtain a written release from the consumer or employee enabling it to collect and store the information; and (iii) promulgate a written policy setting forth a retention schedule and guidelines for destroying the information.