The Illinois Supreme Court issued its long-awaited ruling in Rosenbach and reversed the appellate court’s decision that technical violations of the Illinois Biometric Information Privacy Act (“BIPA” or “Act”) without “some actual injury or harm” are not actionable:
Contrary to the appellate court’s view, an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an “aggrieved” person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act.
Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, ¶ 40.
With this ruling, the Illinois Supreme Court has likely unleashed another wave of class action litigation. These class actions could transfer millions of dollars from companies that do business in Illinois into the pockets of the plaintiffs’ class action bar. While no one can dispute BIPA’s good intentions, biometric technology has evolved far beyond 2008, when the law was enacted. The biometric equipment in use today transforms the biometric identifier into an encrypted mathematical algorithm that renders it unreadable and unidentifiable. These safeguards prevent the harms contemplated by BIPA. In Rivera Judge Edmond Chang explained that laws such as BIPA (with their statutory damages and fee-shifting) are an imperfect fit and cannot keep pace with technological advances: “The difficulty in predicting technological advances and their legal effects is one reason why legislative pronouncements with minimum statutory damages and fee-shifting might reasonably be considered a too-blunt instrument for dealing with technology.” Rivera, 162018 WL 6830332, fn. 20 (N.D. Ill. Dec. 29, 2018).
Rosenbach is not a positive development for Illinois’ business economy, especially when no BIPA lawsuit has pled any unauthorized disclosure of biometric data to the public, any illegal hacking, or other actual injury. Unless the Illinois legislature promptly amends BIPA, these BIPA class actions have the potential to bankrupt some Illinois businesses and discourage future business investment in Illinois.
BIPA’s History and Key Provisions
In 2008, Illinois became the first state to regulate a private entity’s collection, use, storage, transmission, and destruction of “biometric identifiers” such as retina or iris scans, fingerprints, voiceprints, or hand or facial geometry scans. BIPA also protects “biometric information,” which includes “any information . . . based on an individual’s biometric identifier used to identify an individual.”
Section 15 of BIPA prohibits a private entity from collecting a person’s or customer’s “biometric identifier” or “biometric information” unless it first informs them of the “specific purpose and length of term for which [it] is being collected, stored and used” and obtains their executed release or consent. Section 15 also requires private entities to develop a written policy that establishes a retention schedule and guidelines for the timely destruction of biometric data in compliance with BIPA.
Section 20 gives any “person aggrieved” by a violation of the Act a private “right of action” to sue for statutory damages of $1,000 per negligent violation, $5,000 per intentional violation, actual damages (if greater than the statutory damages), injunctive relief, attorney’s fees and costs.
Class Actions and Rosenbach
The consumer class actions began in 2015. The employer class actions followed two years later in 2017, nine years after BIPA’s enactment. Rosenbach is a putative consumer class action. Stacy Rosenbach, as mother and next friend of Alexander Rosenbach, filed suit against Six Flags after her son visited the amusement park on a school field trip. Ms. Rosenbach learned that Six Flags scanned her son’s thumbprint to allow him access to the amusement park on a season pass. The lawsuit did not allege any actual harm to her son. It alleged that Six Flags failed to inform Alexander or his mother of the specific purpose and length of term for which his fingerprint had been collected, and failed to obtain his written consent or hers prior to collecting it.
When Six Flags’ initial motion to dismiss was denied, the amusement park sought interlocutory review of the denial. On appeal, the appellate court sided with Six Flags and held that plaintiff must allege some actual harm—not just a violation of the Act—to be a “person aggrieved by a violation of this Act.” If every technical violation of BIPA was actionable, it would render “superfluous” the requirement that a person be “aggrieved by a violation of this Act.” Rosenbach v. Six Flags Entertainment Corp., 2017 IL App (2d) 170317, ¶ 23.
The Illinois Supreme Court rejected the appellate court’s ruling that actual injury is a prerequisite to the recovery of statutory damages under BIPA. It said this was “antithetical to the Act’s preventative and deterrent purposes” and held that a violation of BIPA’s notice and consent provisions was a “real and significant” injury:
When a private entity fails to adhere to the statutory procedures, as defendants are alleged to have done here, “the right of the individual to maintain [his or] her biometric privacy vanishes into thin air. The precise harm the Illinois legislature sought to prevent is then realized.” This is no mere “technicality.” The injury is real and significant.
Id. at ¶34 (citation omitted).
Call to Action: Lessons Learned From the FACTA Class Action Debacle
In Rottner, No. 15 CH 16695 (Ill. Cir. Ct. Dec. 20, 2016), Circuit Judge Mikva struck the liquidated damages prayer for relief and explained that the legislative intent of BIPA was not to bankrupt companies:
[T]he legislative intent was not to put companies out of business but to keep companies in compliance with the law.
Id., July 12, 2016 Tr. of Proceedings, pp. 17:21-18:3.
The Fair and Accurate Credit Transactions Act of 2003 (“FACTA”) is an excellent example of how the business community united when hit with a plethora of seven-figure class actions based on technical violations and no actual injury. In the FACTA cases, class action attorneys sued retailers under FACTA for not having coordinated with their credit card vendors to ensure that sales receipts redacted both a customer’s credit card number and the expiration date. Because of a grammatical misinterpretation of the statute, most businesses redacted one but not the other. The business community responded in a communal uproar, contacted their legislators, and were successful in getting FACTA amended. Here, the Illinois Supreme Court may be construing BIPA in a manner that the Illinois legislature did not intend or foresee in 2008—just as many courts misread FACTA contrary to Congress’ intent.
Given the Rosenbach ruling, Illinois companies and those who do business in Illinois will want to lobby the Illinois legislature to amend BIPA. For example, biometric data is not covered by a number of analogous data breach notification laws if it is encrypted or otherwise altered such that the data is unreadable. In many BIPA cases, the biometric scanner transformed the finger scan into an encrypted mathematical algorithm that is unreadable and unidentifiable. Crippling liability for mere technical violations could not be what the legislature intended.
This “call to action” also applies to companies currently in compliance with BIPA. Companies may want to periodically audit their compliance at each facility or store in Illinois, as the slightest misstep could result in class actions, despite years of compliance.