Actual injury required to state a claim under Illinois Biometric Information Privacy Act

A recent state appellate court decision regarding the Illinois Biometric Information Privacy Act (BIPA) encourages Illinois businesses and employers that use biometric devices, such as fingerprint scanners, to modernize their business practices. 

What is BIPA?

BIPA was enacted in 2008 in response to concerns that consumers’ fingerprints and other biometric data were being gathered, stored, and possibly sold by Illinois businesses. BIPA’s “Legislative intent” section reveals that, at the time of the statute’s enactment, some businesses were using locations in Illinois “as pilot testing sites for new applications of biometric-facilitated financial transactions, including finger-scan technologies at grocery stores, gas stations, and school cafeterias.” 740 ILCS 14/5. To minimize the risk that Illinois residents’ biometric information could be compromised as a result of those transactions, the Illinois legislature hurriedly drafted and approved BIPA, which regulates the collection, use, and storage of biometric data. Among other things, BIPA requires that companies collecting biometric data inform the subject – typically consumers or employees – that their biometric data is being collected, how it is being used, and when it will be destroyed. Companies are also expected to obtain a written release from any individual whose biometric information is collected. Illinois is one of only a few states with legislation intended to protect citizens’ biometric information, and within that limited group, its law is unique in that it provides a private right of action, including liquidated damages, for any “person aggrieved” by a violation of the statute.

Although BIPA was passed 10 years ago, suits under the statute were nearly nonexistent until recent years. In the last six months, courts have been inundated with class action claims alleging violations of BIPA’s “notice and consent” provisions. These claims have been filed by consumers against businesses and by employees against employers. Notably absent from the vast majority of the claims is any allegation that the defendants improperly sold or shared biometric information, much less that any plaintiff had his or her identity stolen or otherwise suffered an actual injury as a result of a violation of the “notice and consent” provisions. 

Despite the lack of injury, named plaintiffs demand substantial statutory damages – BIPA provides “liquidated damages” of $1,000 for every negligent violation of the statute, and $5,000 for every intentional or reckless violation of it – on behalf of each of the putative class members whom they seek to represent.

Rosenbach v. Six Flags Entertainment

The Second District Court of Appeals recently offered Illinois businesses and employers hope in Rosenbach v. Six Flags Entertainment, 2017 IL App (2d) 170317. In Rosenbach, the plaintiff alleged that Six Flags violated BIPA by collecting her minor son’s fingerprints at a security checkpoint after he purchased a season pass. She claimed that Six Flags failed to provide any written information before recording her son’s fingerprints and that she never consented to the collection of her son’s fingerprints. She did not, however, allege that Six Flags misused, sold, or otherwise shared any of her child’s biometric data.

Six Flags moved to dismiss the claim, arguing that the plaintiff was not a “person aggrieved” under BIPA because she did not allege any actual injury. After the trial court denied the motion, the Second District certified for interlocutory appeal two questions relating to whether a “person aggrieved” by a violation of BIPA must allege some actual harm. Ultimately, the Second District reversed the trial court, explaining that although the law did not define “aggrieved,” an aggrieved party is usually defined as someone who has suffered actual harm. This, the court noted, was consistent with various analogous statutes, under which parties must have suffered some actual injury in order to pursue a claim. Thus, the court held, a mere technical violation of BIPA’s notice and consent provisions that did not result in some actual injury cannot give rise to a claim under BIPA. Instead, a plaintiff must allege an actual injury or adverse effect, such as that his or her biometric data was improperly sold or otherwise shared, to state a claim.

Despite this welcome news, it remains to be seen how the First District Court of Appeals will treat claims for alleged violations of BIPA’s notice and consent provisions in the absence of some identifiable injury.
