standing

Subscribe to standing

In a long-awaited decision, the Illinois Supreme Court issued its ruling in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Ill. Jan. 25, 2019), on whether a person “aggrieved” by a violation of the Illinois Biometric Information Privacy Act (“BIPA”) must allege some actual injury or harm beyond a procedural violation to have standing to bring an action under the statute.  Since the Court took the appeal in May 2018, businesses have been waiting for the answer to this important question, as the robust wave of Illinois biometric privacy suits against Illinois-based employers and other businesses continued apace and several Illinois courts issued disparate interpretations about what it means to be “aggrieved” under the statute.

In a disappointment to many of the defendants in pending cases, a unanimous Court in Rosenbach reversed the appellate court and ruled that an individual does not have to plead an actual injury or harm, apart from the statutory violation itself, in order to have standing to sue under BIPA. The outcome was not a complete surprise, as previous courts (such as a California federal court and an Illinois appellate court) had ruled or expressed in dicta that mere technical violations of BIPA were sufficient under the statute.

Late last month, an Illinois appellate court reversed a lower court’s dismissal of biometric privacy claims against a tanning salon franchisee that had collected the plaintiff’s fingerprint to allow entry in its own salon and any L.A. Tan salon location nationwide.  (Sekura v. Krishna Schaumburg Tan, Inc., 2018 IL App (1st) 180175 (Ill. App. Sept. 28, 2018)).  The plaintiff alleged that the tanning salon violated the Biometric Information Privacy Act (BIPA), which regulates the collection, retention, and disclosure of personal biometric identifiers and biometric information, by collecting her fingerprints without obtaining the required written release and providing the required disclosure concerning its retention policy, and further by disclosing her fingerprints to a third-party vendor. [Note: In 2016, in a separate suit, the same plaintiff settled BIPA claims with L.A. Tan Enterprises, Inc., operator (directly and through franchisees) of L.A. Tan tanning salons].

An Illinois district court remanded to state court for lack of standing a biometric privacy suit brought by employees over the collection and storage of individuals’ fingerprints allegedly in violation of the Illinois Biometric Information Privacy Act, 740 ILCS 14/1 (“BIPA”). (Aguilar v. Rexnord, LLC, No. 17 CV 9019 (N.D. Ill. July 3, 2018)).  This decision echoes other recent rulings where federal courts have found a lack of Article III standing in disputes where employees claimed procedural violations of BIPA over the knowing collection of fingerprints for timekeeping purposes, absent any claims of wrongful sharing or disclosure.  See e.g., Howe v. Speedway LLC, No. 17-07303 (N.D. Ill. May 31, 2018) (even if failing to provide certain disclosures and obtain his written authorization prior to collecting and storing plaintiff’s fingerprints may constitute a violation of BIPA, such procedural violations did not cause an injury in fact where the employee was aware of the nature and purpose of collection); Goings v. UGN, Inc., No. 17-9340 (N.D. Ill. June 13, 2018) (remanding BIPA claims for lack of Article III standing because claims were too abstract and employee was aware he was providing fingerprint data to his employers and did not claim any non-consensual disclosure of such data). 

As 2017 drew to an end, we noted the continuing flood of Illinois biometric privacy suits filed over the past year.  There are literally dozens of cases pending, most in Illinois state courts, alleging violation of Illinois’s Biometric Information Privacy Act (BIPA), which regulates the collection, retention, and disclosure of personal biometric identifiers and biometric information.  The suits initially targeted the use of biometrics on social media platforms, but, perhaps reflecting the increased use of biometrics in the workplace, have increasingly been asserted against businesses that collect biometric data to authenticate customers or employees.

While federal courts have weighed in on whether litigants have standing for asserting procedural violations of BIPA, it was not clear if mere procedural violations of BIPA’s consent and data retention requirements, without any showing of actual harm or data misuse, were actionable under the statute (i.e., whether persons pleading procedural violations are “aggrieved” under the statute, as BIPA expressly provides that “any person aggrieved by a violation” of the BIPA may pursue money damages and injunctive relief against the offending party).

As the year came to a close, an Illinois appellate court may have cooled the New Year’s Eve celebrations of BIPA class action lawyers a bit, as the court issued a decision which could provide defendants with a shield against BIPA suits.  The court ruled that if a party alleges only a technical violation of BIPA without alleging any injury or adverse effect, then such a party is not “aggrieved” under the Act and may not seek remedies (i.e., monetary damages or injunctive relief).  (Rosenbach v. Six Flags Entertainment Corp., No. 2-17-0317, 2017 IL App (2d) 170317 (Ill. App. Dec. 21, 2017)).