In a long-awaited decision, the Illinois Supreme Court issued its ruling in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Ill. Jan. 25, 2019), on whether a person “aggrieved” by a violation of the Illinois Biometric Information Privacy Act (“BIPA”) must allege some actual injury or harm beyond a procedural violation to have standing to bring an action under the statute. Since the Court took the appeal in May 2018, businesses have been waiting for the answer to this important question, as the robust wave of Illinois biometric privacy suits against Illinois-based employers and other businesses continued apace and several Illinois courts issued disparate interpretations about what it means to be “aggrieved” under the statute.
In a disappointment to many of the defendants in pending cases, a unanimous Court in Rosenbach reversed the appellate court and ruled that an individual does not have to plead an actual injury or harm, apart from the statutory violation itself, in order to have standing to sue under BIPA. The outcome was not a complete surprise, as previous courts (such as a California federal court and an Illinois appellate court) had ruled or expressed in dicta that mere technical violations of BIPA were sufficient under the statute.
BIPA provides that “[a]ny person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party.” The statute does not define the term “aggrieved,” which explains the multiple legal arguments and amicus briefs attempting to sway the Court as to its meaning one way or the other.
The Court found the defendant’s contention that the legislature intended to limit a plaintiff’s right to bring a cause of action only to circumstances where he or she has sustained some actual damage to be “untenable.” Instead, the Court looked to prior Illinois decisions and the “commonly understood and accepted meaning” of the term “aggrieved” in stating that it generally means “suffering from an infringement or denial of legal rights.”
“[O]ur General Assembly has codified that individuals possess a right to privacy in and control over their biometric identifiers and biometric information. The duties imposed on private entities…regarding the collection, retention, disclosure, and destruction of a person’s or customer’s biometric identifiers or biometric information define the contours of that statutory right. Accordingly, when a private entity fails to comply with one of [the] requirements, that violation constitutes an invasion, impairment, or denial of the statutory rights of any person or customer whose biometric identifier or biometric information is subject to the breach. Consistent with the authority cited above, such a person or customer would clearly be “aggrieved” within the meaning of section 20 of the Act and entitled to seek recovery under that provision.” [citations omitted]
Agreeing with the California court’s interpretation of BIPA in the Facebook litigation, the Court stated further how the legislature attempted to give consumers the right to control their biometric information by requiring notice and consent before collection:
“When a private entity fails to adhere to the statutory procedures, as defendants are alleged to have done here, ‘the right of the individual to maintain [his or] her biometric privacy vanishes into thin air. The precise harm the Illinois legislature sought to prevent is then realized.’ This is no mere ‘technicality.’ The injury is real and significant.”
The Court also noted that other than the private right of action in BIPA, no other enforcement mechanism is available, making it clear that the legislature intended for this provision to have “substantial force.” And from a practical perspective, in what is likely to generate controversy, the Court went further and stated that “compliance should not be difficult.” The Court added that the risk to an individual’s biometric privacy outweighs whatever expense a business might incur to comply with the law.
So what does this ruling mean going forward?
It was thought that a decision affirming the appellate court ruling that mere technical violations are not actionable would have dampened the wave of BIPA suits. Given this pro-plaintiff decision, we expect to see a dramatic increase in individual and class action suits relating to the collection of biometric information. The ruling removes one of the principal defenses in state court suits, changing the early calculus for litigation defense in this area.
It may be that defense strategy in BIPA cases will switch focus to class certification issues or the issue of consent (i.e., whether individuals knew that their biometric data would be collected before they accepted the services offered by the businesses involved).
And of course, litigants in federal court have successfully argued that claims involving mere procedural violations of BIPA lack Article III standing, and this decision will not prevent them from asserting that defense in federal court again in the future.
Will the legislature step in to amend BIPA? Perhaps. It has debated changes to the statute in the past, such as to rein in the scope of BIPA for employers using biometrics for timekeeping purposes or otherwise limit the scope of the statute and the definition of what biometric collection practices fall under the statute. We will have to wait and see if there is any movement on this front.
We will continue to monitor developments in this area, particularly the altered landscape in the wake of the Rosenbach decision.