* From last November…
For the last decade, Illinois has had the nation’s most rigorous law protecting citizens’ biometric privacy information. It’s also a heavily litigated piece of legislation that’s pulled high-profile companies like Google and Facebook into class action lawsuits. Now, Six Flags is contesting a suit that threatens to totally defang the statute.
The Biometric Information Privacy Act (BIPA), passed by Illinois lawmakers in 2008, stipulates that a company doing business in the state must obtain explicit written consent from an individual before collecting their biometric identifiers, such as fingerprints. Penalties are set at a $1,000 fine per violation, and $5,000 per violation if an offending company is found to be violating the statute either intentionally or recklessly. The problem is, the state doesn’t prosecute BIPA violations, it only grants individuals the right to sue. Six Flags is trying to make that very difficult.
The case revolves around the question of whether a company can be held liable for violating BIPA if a plaintiff is unable to demonstrate “harm.” Stacy Rosenbach claims that the theme park fingerprinted her 14-year-old son when he was picking up a season pass to the park on a group trip. Rosenbach says she did not give permission for the company to collect and store her son’s fingerprints. Six Flags argues that for Rosenbach to qualify as a “person aggrieved,” she must demonstrate that the collection of her son’s identifiable biometric information resulted in some type of injury.
The Illinois Supreme Court held appellate hearings on the case last week, and according to Law360, at least three of the seven justices hearing the case were skeptical of the arguments made by attorneys representing Six Flags. The initial trial court rejected Six Flags’ argument, but it certified two questions for appeal that revolve around the definition of “aggrieved.” Last December, the Second District Appellate Court agreed with Six Flags, and now the case is in the hands of the states’ highest court. What’s at stake is a legal definition that could affect a similar pending lawsuit against Facebook that could potentially result in billions of dollars worth of fines.
* The Illinois Supreme Court reversed the appellate court today…
In reaching a contrary conclusion, the appellate court characterized violations of the law, standing alone, as merely “technical” in nature. Such a characterization, however, misapprehends the nature of the harm our legislature is attempting to combat through this legislation. The Act vests in individuals and customers the right to control their biometric information by requiring notice before collection and giving them the power to say no by withholding consent. These procedural protections “are particularly crucial in our digital world because technology now permits the wholesale collection and storage of an individual’s unique biometric identifiers—identifiers that cannot be changed if compromised or misused.” When a private entity fails to adhere to the statutory procedures, as defendants are alleged to have done here, “the right of the individual to maintain [his or] her biometric privacy vanishes into thin air. The precise harm the Illinois legislature sought to prevent is then realized.” This is no mere “technicality.” The injury is real and significant. […]
Other than the private right of action authorized in section 20 of the Act, no other enforcement mechanism is available. It is clear that the legislature intended for this provision to have substantial force. When private entities face liability for failure to comply with the law’s requirements without requiring affected individuals or customers to show some injury beyond violation of their statutory rights, those entities have the strongest possible incentive to conform to the law and prevent problems before they occur and cannot be undone. Compliance should not be difficult; whatever expenses a business might incur to meet the law’s requirements are likely to be insignificant compared to the substantial and irreversible harm that could result if biometric identifiers and information are not properly safeguarded; and the public welfare, security, and safety will be advanced. That is the point of the law. To require individuals to wait until they have sustained some compensable injury beyond violation of their statutory rights before they may seek recourse, as defendants urge, would be completely antithetical to the Act’s preventative and deterrent purposes.
In sum, defendants’ contention that redress under the Act should be limited to those who can plead and prove that they sustained some actual injury or damage beyond infringement of the rights afforded them under the law would require that we disregard the commonly understood and accepted meaning of the term “aggrieved,” depart from the plain and, we believe, unambiguous language of the law, read into the statute conditions or limitations the legislature did not express, and interpret the law in a way that is inconsistent with the objectives and purposes the legislature sought to achieve. That, of course, is something we may not and will not do.
The consequences of this ruling are gonna be huge. Six Flags isn’t the only entity that’s been sued over this law.
…Adding… Illinois PIRG…
The decision is a victory for consumers across Illinois over Facebook and other tech giants, who argue in courts that consumers do not face “harm” from privacy violations and have pushed legislation in recent years to undermine the Illinois law. Consumer and privacy advocates such as Illinois PIRG Education Fund continue to defend BIPA in the courts and in the Illinois General Assembly. Illinois PIRG Education Fund’s national staff is fighting Congressional efforts by Facebook and others to enact a national law that would permanently preempt any existing or prevent any future state actions on data protection.
…Adding… ACLU of Illinois…
Today’s ruling protects Illinoisans’ right to control their own fingerprints, iris scans, and other crucial information about their bodies. This is exactly what the General Assembly had in mind when it enacted BIPA.
Your biometric information belongs to you and should not be left to corporate interests who want to collect detailed information about you for advertising and other commercial purposes. The Court recognized that individuals must have the right to sue companies that unlawfully collect their personal information; otherwise, the companies will not be held accountable.
More than a decade after BIPA’s enactment, we constantly hear new examples of companies that have collected, shared, and misused the personal information of millions being shared without their knowledge or consent. The strong protections of Illinois’s law are more critical than ever.
…Adding… Illinois Chamber of Commerce President and CEO Todd Maisch…
We fear that today’s decision will open the floodgates for future litigation at the expense of Illinois’ commercial health.