A year ago, I wrote about how the Illinois Biometric Information Privacy Act set off a wave of private litigation in the United States. A key issue that was being litigated was whether a plaintiff could seek liquidated damages and injunctive relief for a “mere” violation of the statute. In other words, did the plaintiff have to have suffered some actual harm in order to sue?
This was the issue in Rosenbach v. Six Flags Entertainment Corp. In that case, the plaintiff (who was suing on behalf of her minor son) alleged that the defendant had taken a thumbprint of her son without complying with the Illinois Biometric Information Privacy Act. Her son bought a season pass and the pass plus a fingerprint was used as a method of identification in order to enter the park. The plaintiff said that Six Flags failed to make appropriate disclosure or obtain parental consent; however, she did not allege any other damages. In my January 2018 post, I wrote about how the Appellate Court in Illinois concluded that some damage was required. A technical violation was not enough.
The Supreme Court of Illinois reversed this decision on January 25, 2019. The decision turned on what “aggrieved” means. Section 20 of the statute says that any person aggrieved by a violation has a right of action. The court noted that the term “aggrieved” was not defined. Therefore, the court said that the term should have its popularly understood meaning. Further, if the term has a settled legal meaning in similar contexts, then the legislature should be presumed to have meant the same thing.
After looking at other statutes and decisions, the court held that a person is aggrieved when a a legal right is invaded. The individual may or may not have suffered any monetary loss.
The court also had a few words to say about the appellate court’s characterization of the alleged violations as merely “technical” in nature, which privacy advocates will cheer. The court, citing a previous decision of the United States District Court in Patel v. Facebook Inc. that the nature of privacy rights are such that, if procedural protections are not complied with by companies, the result can be privacy rights “vanishing into thin air”.
The Act vests in individuals and customers the right to control their biometric information by requiring notice before collection and giving them the power to say no by withholding consent. […] These procedural protections “are particularly crucial in our digital world because technology now permits the wholesale collection and storage of an individual’s unique biometric identifiers—identifiers that cannot be changed if compromised or misused.” […] When a private entity fails to adhere to the statutory procedures, as defendants are alleged to have done here, “the right of the individual to maintain [his or] her biometric privacy vanishes into thin air. The precise harm the Illinois legislature sought to prevent is then realized.” […] This is no mere “technicality.” The injury is real and significant.2019 IL 123186 at para. 34
The Supreme Court’s decision follows two other cases that came to the same conclusion: Sekura v. Krishna Schabmrug Tan, Inc. and In re Facebook Biometric Information Privacy Rights Litigation.