The Illinois Biometric Information Privacy Act set off a wave of private litigation in the United States. The Act establishes a private right of action for any person “aggrieved” by a violation of the Act, which regulates how private entities collect, retain, disclose and destroy biometric identifiers or biometric information. Successful plaintiffs are entitled to their actual damages or liquidated damages of US$1,000 for negligent violations or US$5,000 for intentional violations.
Recently, however, the Appellate Court of Illinois tapped the breaks by requiring the plaintiff to have suffered some pecuniary or non-pecuniary damages in order to be “aggrieved“. [Don’t know what pecuniary/non-pecuniary refer to? See note at the end of this post.]
Why should Canadians care?
Canadian readers will note that, with the exception of the Province of Quebec, Canada does not have federal or provincial privacy laws that specifically target biometric information. However, general private sector privacy legislation can be used to seek monetary awards (usually after a complaints procedure has been exhausted). At least at present, the general trend seems to be for Canadian courts to provide damages for non-pecuniary damage without putting the plaintiff to much of a burden of proof (if any). However, courts may begin to turn to the debates in the U.S. over standing if there is a rush to the courts to claim damages under existing laws or if Parliament or provincial legislatures begin experimenting with statutory damages.
What is the Biometric Information Privacy Act?
The Biometric Information Privacy Act covers “biometric identifiers” and “biometric information“. Biometric identifiers are retina or iris scans, fingerprints, handprints, voiceprints, or facial geometry scans. Biometric information is any information that is based on a biometric identifier used to identify an individual.
The Act imposes certain requirements on private entities (not public authorities) when collecting, using, disclosing or even possessing biometrics. Those obligations include:
- notifying the individual of the collection and storage of the biometrics;
- providing an explanation of the purpose for the collection, use and storage;
- identifying the retention period for the use and storage; and
- obtaining a written release for the collection, use and storage.
There are other obligations as well relating to the manner of storage and maximum periods of retention and other matters.
No Strict Liability – Plaintiff must suffer damage
In Rosenbach v. Six Flags Entertainment Corp., the plaintiff (who was suing on behalf of her minor son) alleged that the defendant had taken a thumbprint of her son without complying with the Biometric Information Privacy Act. The plaintiff’s son had purchased a season pass to the defendant’s theme park. The thumbprint was to be used in connection with the season pass in order to enter the park. The plaintiff alleged that the defendant had not made the appropriate disclosures and had not obtained her consent to the thumbprint of her minor son. However, the plaintiff did not allege any damage other than that she would not have consented to the collection of the thumbprint had she known of the defendant’s practices.
The Second District Appellate Court of Illinois concluded that a plaintiff seeking a remedy under the Biometric Information Privacy Act must have suffered some pecuniary or non-pecuniary damage in order to be entitled to a remedy under the private right of action. The court concluded that the statute was not meant to be one of strict liability. In order to be “aggrieved”, the person must have suffered some harm. A technical violation of the Act would not necessarily result in any harm.
You can read the court’s decision in Rosenbach v. Six Flags Entertainment Corp. here.
The Biometric Information Privacy Act can be found here.
The law firm Ropes & Gray have an interesting client alert that you can find here.
Note: Curious as to what pecuniary and non-pecuniary mean? Without getting into the details, pecuniary damages are essentially those that can be quantified in monetary terms – for example, out of pocket expenses. Non-pecuniary damages are for injuries such as distress and pain and suffering.