Capitol Fax.com - Your Illinois News Radar » Supreme Court rules against Six Flags on state biometric law
SUBSCRIBE to Capitol Fax      Advertise Here      About     Exclusive Subscriber Content     Updated Posts    Contact Rich Miller
CapitolFax.com
To subscribe to Capitol Fax, click here.
Supreme Court rules against Six Flags on state biometric law

Friday, Jan 25, 2019 - Posted by Rich Miller

* From last November

For the last decade, Illinois has had the nation’s most rigorous law protecting citizens’ biometric privacy information. It’s also a heavily litigated piece of legislation that’s pulled high-profile companies like Google and Facebook into class action lawsuits. Now, Six Flags is contesting a suit that threatens to totally defang the statute.

The Biometric Information Privacy Act (BIPA), passed by Illinois lawmakers in 2008, stipulates that a company doing business in the state must obtain explicit written consent from an individual before collecting their biometric identifiers, such as fingerprints. Penalties are set at a $1,000 fine per violation, and $5,000 per violation if an offending company is found to be violating the statute either intentionally or recklessly. The problem is, the state doesn’t prosecute BIPA violations, it only grants individuals the right to sue. Six Flags is trying to make that very difficult.

The case revolves around the question of whether a company can be held liable for violating BIPA if a plaintiff is unable to demonstrate “harm.” Stacy Rosenbach claims that the theme park fingerprinted her 14-year-old son when he was picking up a season pass to the park on a group trip. Rosenbach says she did not give permission for the company to collect and store her son’s fingerprints. Six Flags argues that for Rosenbach to qualify as a “person aggrieved,” she must demonstrate that the collection of her son’s identifiable biometric information resulted in some type of injury.

The Illinois Supreme Court held appellate hearings on the case last week, and according to Law360, at least three of the seven justices hearing the case were skeptical of the arguments made by attorneys representing Six Flags. The initial trial court rejected Six Flags’ argument, but it certified two questions for appeal that revolve around the definition of “aggrieved.” Last December, the Second District Appellate Court agreed with Six Flags, and now the case is in the hands of the states’ highest court. What’s at stake is a legal definition that could affect a similar pending lawsuit against Facebook that could potentially result in billions of dollars worth of fines.

* The Illinois Supreme Court reversed the appellate court today

In reaching a contrary conclusion, the appellate court characterized violations of the law, standing alone, as merely “technical” in nature. Such a characterization, however, misapprehends the nature of the harm our legislature is attempting to combat through this legislation. The Act vests in individuals and customers the right to control their biometric information by requiring notice before collection and giving them the power to say no by withholding consent. These procedural protections “are particularly crucial in our digital world because technology now permits the wholesale collection and storage of an individual’s unique biometric identifiers—identifiers that cannot be changed if compromised or misused.” When a private entity fails to adhere to the statutory procedures, as defendants are alleged to have done here, “the right of the individual to maintain [his or] her biometric privacy vanishes into thin air. The precise harm the Illinois legislature sought to prevent is then realized.” This is no mere “technicality.” The injury is real and significant. […]

Other than the private right of action authorized in section 20 of the Act, no other enforcement mechanism is available. It is clear that the legislature intended for this provision to have substantial force. When private entities face liability for failure to comply with the law’s requirements without requiring affected individuals or customers to show some injury beyond violation of their statutory rights, those entities have the strongest possible incentive to conform to the law and prevent problems before they occur and cannot be undone. Compliance should not be difficult; whatever expenses a business might incur to meet the law’s requirements are likely to be insignificant compared to the substantial and irreversible harm that could result if biometric identifiers and information are not properly safeguarded; and the public welfare, security, and safety will be advanced. That is the point of the law. To require individuals to wait until they have sustained some compensable injury beyond violation of their statutory rights before they may seek recourse, as defendants urge, would be completely antithetical to the Act’s preventative and deterrent purposes.

In sum, defendants’ contention that redress under the Act should be limited to those who can plead and prove that they sustained some actual injury or damage beyond infringement of the rights afforded them under the law would require that we disregard the commonly understood and accepted meaning of the term “aggrieved,” depart from the plain and, we believe, unambiguous language of the law, read into the statute conditions or limitations the legislature did not express, and interpret the law in a way that is inconsistent with the objectives and purposes the legislature sought to achieve. That, of course, is something we may not and will not do.

The consequences of this ruling are gonna be huge. Six Flags isn’t the only entity that’s been sued over this law.

…Adding… Illinois PIRG…

The decision is a victory for consumers across Illinois over Facebook and other tech giants, who argue in courts that consumers do not face “harm” from privacy violations and have pushed legislation in recent years to undermine the Illinois law. Consumer and privacy advocates such as Illinois PIRG Education Fund continue to defend BIPA in the courts and in the Illinois General Assembly. Illinois PIRG Education Fund’s national staff is fighting Congressional efforts by Facebook and others to enact a national law that would permanently preempt any existing or prevent any future state actions on data protection.

…Adding… ACLU of Illinois…

Today’s ruling protects Illinoisans’ right to control their own fingerprints, iris scans, and other crucial information about their bodies. This is exactly what the General Assembly had in mind when it enacted BIPA.

Your biometric information belongs to you and should not be left to corporate interests who want to collect detailed information about you for advertising and other commercial purposes. The Court recognized that individuals must have the right to sue companies that unlawfully collect their personal information; otherwise, the companies will not be held accountable.

More than a decade after BIPA’s enactment, we constantly hear new examples of companies that have collected, shared, and misused the personal information of millions being shared without their knowledge or consent. The strong protections of Illinois’s law are more critical than ever.

…Adding… Illinois Chamber of Commerce President and CEO Todd Maisch…

We fear that today’s decision will open the floodgates for future litigation at the expense of Illinois’ commercial health.

       

32 Comments
  1. - Anonymous - Friday, Jan 25, 19 @ 9:46 am:

    A key part of the decision is on page one:

    CHIEF JUSTICE KARMEIER delivered the judgment of the court, with opinion.
    Justices Thomas, Kilbride, Garman, Burke, Theis, and Neville concurred in the judgment and opinion.

    Unanimous. Wow.


  2. - Chicagonk - Friday, Jan 25, 19 @ 9:52 am:

    This is a very big decision. BIPA is the only law of it’s kind in the US and I know that there is a lot of lobbying at the federal level to pass a law that would supersede BIPA.


  3. - Shivas - Friday, Jan 25, 19 @ 9:53 am:

    According to Law360: “Many of the more than 200 pending cases filed under the statute accuse hotels, supermarkets and other businesses of breaching BIPA — the nation’s only biometric privacy law with a private right of action — by not seeking written consent before requiring employees to use fingerprint-based timekeeping systems.”

    In other words, the Illinois plaintiff’s bar owns Springfield in a way that no other state’s plaintiff’s bar owns its state legislature.


  4. - don the legend - Friday, Jan 25, 19 @ 9:54 am:

    A win for Illinois citizens.


  5. - @misterjayem - Friday, Jan 25, 19 @ 9:55 am:

    “Compliance should not be difficult; whatever expenses a business might incur to meet the law’s requirements are likely to be insignificant compared to the substantial and irreversible harm that could result if biometric identifiers and information are not properly safeguarded; and the public welfare, security, and safety will be advanced. That is the point of the law.”

    A unanimous decision, i.e. that’s all she wrote.

    – MrJM


  6. - Professor - Friday, Jan 25, 19 @ 9:55 am:

    I would like to go back and look at the debates, and see if ‘legislative intent’ beyond the word aggrieved, was ever established.


  7. - wordslinger - Friday, Jan 25, 19 @ 10:02 am:

    –In reaching a contrary conclusion, the appellate court characterized violations of the law, standing alone, as merely “technical” in nature. –

    Wasn’t familiar with this one beforehand.

    What a bizarre ruling by the appellate court; didn’t know they were giving mulligans for “technical” violations of the law.

    How is “technical” even a thing, under the law? Isn’t the “harm” a given, when you break the law?

    Good on the Supremes for finding for the people, and not Big Brother.


  8. - Anonymous - Friday, Jan 25, 19 @ 10:15 am:

    This is a great civil liberties victory. Looking forward to seeing its implications.


  9. - Klaus VonBulow - Friday, Jan 25, 19 @ 10:29 am:

    By definition biometrics extends to facial recognition. The facial recognition practices are vast within security and marketing. Does law enforcement currently use this and are they exempt?


  10. - 360 Degree TurnAround - Friday, Jan 25, 19 @ 10:29 am:

    Big win for the people. Big loss for the Illinois Chamber of Commerce.


  11. - Anonymous - Friday, Jan 25, 19 @ 10:40 am:

    The question of damages needing to be shown is going to have an impact far beyond just cases on biometric info


  12. - Huh? - Friday, Jan 25, 19 @ 10:55 am:

    “Does law enforcement currently use this and are they exempt?”

    The statute refers repeatedly to “private entity”.

    740 ILCS 14/10 provides the definition of “private entity”. The definition excludes State or local government agencies, courts, clerks of the court, justices, and judges. There are other exclusions in 740 ILCSb14/25.


  13. - Huh? - Friday, Jan 25, 19 @ 10:58 am:

    Ugh. 740 ILCS 14/25

    Freaking fat fingers strike again.


  14. - Hamlet's Ghost - Friday, Jan 25, 19 @ 10:58 am:

    Would BIPA apply to harvesting photos from the 10 year challenge to refine facial recognition software?


  15. - RNUG - Friday, Jan 25, 19 @ 11:00 am:

    == By definition biometrics extends to facial recognition. The facial recognition practices are vast within security and marketing. ==

    Facebook makes heavy use of facial recognition.

    As does all the photo search / photo matching software.

    Cellphone companies do also. My cell phone supports both facial recognition and fingerprints as security features if you opt to use them. At least in the case of my phone, they are optional features you can choose to turn on, so consent is covered there.

    Law enforcement matches your photo for FOID or concealed carry permit with your stored SOS/DMV photo on your driver’s license. Is it consent when your are required to submit the photos?

    Lots and lots of implications.


  16. - former southerner - Friday, Jan 25, 19 @ 11:04 am:

    Several months ago I received an email from Canon professional services inviting me to be part of a test group for their new photo sharing website known as Canon Raise. Canon intends to use this site to develop their AI technology. When I followed the link to sign up for the beta there was a highlighted notice NOT to upload any photos that contain residents/citizens of Illinois and I suspect that was because of this Illinois law.


  17. - Anonymous - Friday, Jan 25, 19 @ 11:06 am:

    ==Law enforcement matches your photo for FOID or concealed carry permit with your stored SOS/DMV photo on your driver’s license. Is it consent when your are required to submit the photos?==

    Government entities are likely exempt from this.

    As for Facebook, et al, when you sign up you consent to a lot of things. Most people just never read what they’re consenting to.


  18. - Thomas Paine - Friday, Jan 25, 19 @ 11:10 am:

    === see if legislative intent ==+

    Oh, give it up professor.

    You think lawyers for Six Flags, Facebook, Google and Apple missed that one?

    That was one stinging rebuke of the Appellate Court for the Second District, was Judge Joe Birkett involved in that opinion?


  19. - SAP - Friday, Jan 25, 19 @ 11:13 am:

    The Act covers facial recognition, but excludes photographs.


  20. - DuPage - Friday, Jan 25, 19 @ 11:16 am:

    The $5000 fine. Does it go to the state or the victim? If the state got $5000 times millions of Facebook violations, they could significantly reduce the amount of pension debt.


  21. - RNUG - Friday, Jan 25, 19 @ 11:19 am:

    == Most people just never read what they’re consenting to. ==

    True. But one of these days I expect someone with serious money that has been harmed to mount a serious legal challenge to the all inclusive / overreaching licensing agreements.


  22. - Lester Holt’s Mustache - Friday, Jan 25, 19 @ 11:52 am:

    ==We fear that today’s decision will open the floodgates for future litigation at the expense of Illinois’ commercial health.==

    #LOLMaisch. If your members stop violating the law to collect biometrics without consent, they won’t have to worry about “future litigation” will they?


  23. - 360 Degree TurnAround - Friday, Jan 25, 19 @ 12:01 pm:

    ==We fear that today’s decision will open the floodgates for future litigation at the expense of Illinois’ commercial health.==

    If I may speak briefly for the people of Illinois, to Todd Maisch’s comment. “Hang in there Todd”.


  24. - @misterjayem - Friday, Jan 25, 19 @ 12:44 pm:

    == Most people just never read what they’re consenting to. ==

    True. But one of these days I expect someone with serious money that has been harmed to mount a serious legal challenge to the all inclusive / overreaching licensing agreements.

    Plus and Illinois’ biometric law calls for “informed consent” — a much higher standard of consent than the ones applied in browsewrap and clickwrap “Terms and Conditions” cases.

    – MrJM


  25. - C Ball - Friday, Jan 25, 19 @ 12:46 pm:

    @DuPage Those are not fines or penalties but damages for suing; it is $1,000 or actual damage (if greater than $1,000) if negligent; $5,000 or actual (if over $5,000) if intentional or reckless.


  26. - Albany Park Patriot - Friday, Jan 25, 19 @ 1:53 pm:

    Can’t I ride the Yankee Clipper in peace?


  27. - thechampaignlife - Friday, Jan 25, 19 @ 1:58 pm:

    I am bummed that my Nest Hello video doorbell does not allow me to use the facial recognition to announce who is at the door, because of this law. Is it really biometrics being stored if it is just keeping a snapshot of frequent visitors, and then crunching some numbers based on that? Who will warn me that my mother-in-law is at the door?!

    Fingerprints and other markers like that I get. But outlawing photos and math?


  28. - Rich Miller - Friday, Jan 25, 19 @ 2:07 pm:

    ===Is it really biometrics being stored if it is just keeping a snapshot of frequent visitors, and then crunching some numbers based on that?===

    Yes. The problem is how that information is being shared by the company and/or what happens if that info is hacked.


  29. - SAP - Friday, Jan 25, 19 @ 3:13 pm:

    From the statute: “Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color.” Merely taking a photo of somebody with your video doorbell system does not look like a violation. If you take the photo and run it through a facial recognition program, you have a problem.


  30. - Anonymous - Friday, Jan 25, 19 @ 3:27 pm:

    I’m no law dawg but I’m guessing this will no doubt end up in the SCOTUS ?


  31. - thechampaignlife - Friday, Jan 25, 19 @ 3:38 pm:

    ===If you take the photo and run it through a facial recognition program, you have a problem.===

    That may be true, but the cat is already out of the bag as soon as the photo is taken. Someone could live stream their camera, which anyone in the world could capture, run through facial recognition software, and do whatever nefarious things we think they can do with a photo. I think the bigger issue is thinking a facial profile is authoritative proof of an identity, rather than just a possible match.


  32. - thechampaignlife - Friday, Jan 25, 19 @ 3:39 pm:

    I would love to hear John Bambenek’s take.


Sorry, comments for this post are now closed.


* Isabel’s afternoon roundup
* Save the date!
* Energy Storage Can Minimize Major Price Spikes
* Trial gives glimpse into how Madigan managed his members
* Pritzker announces $72 million in medical debt relief for nearly 53K Illinois residents
* AG Raoul warns Mayor Johnson to reverse police reform budget cuts or risk sanctions
* Madigan trial roundup: Defense attacks credibility of ex-ComEd executive
* Senate President puts hold on bill to protect key aquifers from carbon sequestration
* Showcasing The Retailers Who Make Illinois Work
* Open thread
* Isabel’s morning briefing
* SUBSCRIBERS ONLY - Today's edition of Capitol Fax (use all CAPS in password)
* Live coverage
* Selected press releases (Live updates)
* Trump border czar pick has message for Pritzker: 'Game on'
* Yesterday's stories

Support CapitolFax.com
Visit our advertisers...

...............

...............

...............

...............

...............

...............


Loading


Main Menu
Home
Illinois
YouTube
Pundit rankings
Obama
Subscriber Content
Durbin
Burris
Blagojevich Trial
Advertising
Updated Posts
Polls

Archives
November 2024
October 2024
September 2024
August 2024
July 2024
June 2024
May 2024
April 2024
March 2024
February 2024
January 2024
December 2023
November 2023
October 2023
September 2023
August 2023
July 2023
June 2023
May 2023
April 2023
March 2023
February 2023
January 2023
December 2022
November 2022
October 2022
September 2022
August 2022
July 2022
June 2022
May 2022
April 2022
March 2022
February 2022
January 2022
December 2021
November 2021
October 2021
September 2021
August 2021
July 2021
June 2021
May 2021
April 2021
March 2021
February 2021
January 2021
December 2020
November 2020
October 2020
September 2020
August 2020
July 2020
June 2020
May 2020
April 2020
March 2020
February 2020
January 2020
December 2019
November 2019
October 2019
September 2019
August 2019
July 2019
June 2019
May 2019
April 2019
March 2019
February 2019
January 2019
December 2018
November 2018
October 2018
September 2018
August 2018
July 2018
June 2018
May 2018
April 2018
March 2018
February 2018
January 2018
December 2017
November 2017
October 2017
September 2017
August 2017
July 2017
June 2017
May 2017
April 2017
March 2017
February 2017
January 2017
December 2016
November 2016
October 2016
September 2016
August 2016
July 2016
June 2016
May 2016
April 2016
March 2016
February 2016
January 2016
December 2015
November 2015
October 2015
September 2015
August 2015
July 2015
June 2015
May 2015
April 2015
March 2015
February 2015
January 2015
December 2014
November 2014
October 2014
September 2014
August 2014
July 2014
June 2014
May 2014
April 2014
March 2014
February 2014
January 2014
December 2013
November 2013
October 2013
September 2013
August 2013
July 2013
June 2013
May 2013
April 2013
March 2013
February 2013
January 2013
December 2012
November 2012
October 2012
September 2012
August 2012
July 2012
June 2012
May 2012
April 2012
March 2012
February 2012
January 2012
December 2011
November 2011
October 2011
September 2011
August 2011
July 2011
June 2011
May 2011
April 2011
March 2011
February 2011
January 2011
December 2010
November 2010
October 2010
September 2010
August 2010
July 2010
June 2010
May 2010
April 2010
March 2010
February 2010
January 2010
December 2009
November 2009
October 2009
September 2009
August 2009
July 2009
June 2009
May 2009
April 2009
March 2009
February 2009
January 2009
December 2008
November 2008
October 2008
September 2008
August 2008
July 2008
June 2008
May 2008
April 2008
March 2008
February 2008
January 2008
December 2007
November 2007
October 2007
September 2007
August 2007
July 2007
June 2007
May 2007
April 2007
March 2007
February 2007
January 2007
December 2006
November 2006
October 2006
September 2006
August 2006
July 2006
June 2006
May 2006
April 2006
March 2006
February 2006
January 2006
December 2005
April 2005
March 2005
February 2005
January 2005
December 2004
November 2004
October 2004

Blog*Spot Archives
November 2005
October 2005
September 2005
August 2005
July 2005
June 2005
May 2005

Syndication

RSS Feed 2.0
Comments RSS 2.0




Hosted by MCS SUBSCRIBE to Capitol Fax Advertise Here Mobile Version Contact Rich Miller