* From last November…
For the last decade, Illinois has had the nation’s most rigorous law protecting citizens’ biometric privacy information. It’s also a heavily litigated piece of legislation that’s pulled high-profile companies like Google and Facebook into class action lawsuits. Now, Six Flags is contesting a suit that threatens to totally defang the statute.
The Biometric Information Privacy Act (BIPA), passed by Illinois lawmakers in 2008, stipulates that a company doing business in the state must obtain explicit written consent from an individual before collecting their biometric identifiers, such as fingerprints. Penalties are set at a $1,000 fine per violation, and $5,000 per violation if an offending company is found to be violating the statute either intentionally or recklessly. The problem is, the state doesn’t prosecute BIPA violations, it only grants individuals the right to sue. Six Flags is trying to make that very difficult.
The case revolves around the question of whether a company can be held liable for violating BIPA if a plaintiff is unable to demonstrate “harm.” Stacy Rosenbach claims that the theme park fingerprinted her 14-year-old son when he was picking up a season pass to the park on a group trip. Rosenbach says she did not give permission for the company to collect and store her son’s fingerprints. Six Flags argues that for Rosenbach to qualify as a “person aggrieved,” she must demonstrate that the collection of her son’s identifiable biometric information resulted in some type of injury.
The Illinois Supreme Court held appellate hearings on the case last week, and according to Law360, at least three of the seven justices hearing the case were skeptical of the arguments made by attorneys representing Six Flags. The initial trial court rejected Six Flags’ argument, but it certified two questions for appeal that revolve around the definition of “aggrieved.” Last December, the Second District Appellate Court agreed with Six Flags, and now the case is in the hands of the states’ highest court. What’s at stake is a legal definition that could affect a similar pending lawsuit against Facebook that could potentially result in billions of dollars worth of fines.
* The Illinois Supreme Court reversed the appellate court today…
In reaching a contrary conclusion, the appellate court characterized violations of the law, standing alone, as merely “technical” in nature. Such a characterization, however, misapprehends the nature of the harm our legislature is attempting to combat through this legislation. The Act vests in individuals and customers the right to control their biometric information by requiring notice before collection and giving them the power to say no by withholding consent. These procedural protections “are particularly crucial in our digital world because technology now permits the wholesale collection and storage of an individual’s unique biometric identifiers—identifiers that cannot be changed if compromised or misused.” When a private entity fails to adhere to the statutory procedures, as defendants are alleged to have done here, “the right of the individual to maintain [his or] her biometric privacy vanishes into thin air. The precise harm the Illinois legislature sought to prevent is then realized.” This is no mere “technicality.” The injury is real and significant. […]
Other than the private right of action authorized in section 20 of the Act, no other enforcement mechanism is available. It is clear that the legislature intended for this provision to have substantial force. When private entities face liability for failure to comply with the law’s requirements without requiring affected individuals or customers to show some injury beyond violation of their statutory rights, those entities have the strongest possible incentive to conform to the law and prevent problems before they occur and cannot be undone. Compliance should not be difficult; whatever expenses a business might incur to meet the law’s requirements are likely to be insignificant compared to the substantial and irreversible harm that could result if biometric identifiers and information are not properly safeguarded; and the public welfare, security, and safety will be advanced. That is the point of the law. To require individuals to wait until they have sustained some compensable injury beyond violation of their statutory rights before they may seek recourse, as defendants urge, would be completely antithetical to the Act’s preventative and deterrent purposes.
In sum, defendants’ contention that redress under the Act should be limited to those who can plead and prove that they sustained some actual injury or damage beyond infringement of the rights afforded them under the law would require that we disregard the commonly understood and accepted meaning of the term “aggrieved,” depart from the plain and, we believe, unambiguous language of the law, read into the statute conditions or limitations the legislature did not express, and interpret the law in a way that is inconsistent with the objectives and purposes the legislature sought to achieve. That, of course, is something we may not and will not do.
The consequences of this ruling are gonna be huge. Six Flags isn’t the only entity that’s been sued over this law.
…Adding… Illinois PIRG…
The decision is a victory for consumers across Illinois over Facebook and other tech giants, who argue in courts that consumers do not face “harm” from privacy violations and have pushed legislation in recent years to undermine the Illinois law. Consumer and privacy advocates such as Illinois PIRG Education Fund continue to defend BIPA in the courts and in the Illinois General Assembly. Illinois PIRG Education Fund’s national staff is fighting Congressional efforts by Facebook and others to enact a national law that would permanently preempt any existing or prevent any future state actions on data protection.
…Adding… ACLU of Illinois…
Today’s ruling protects Illinoisans’ right to control their own fingerprints, iris scans, and other crucial information about their bodies. This is exactly what the General Assembly had in mind when it enacted BIPA.
Your biometric information belongs to you and should not be left to corporate interests who want to collect detailed information about you for advertising and other commercial purposes. The Court recognized that individuals must have the right to sue companies that unlawfully collect their personal information; otherwise, the companies will not be held accountable.
More than a decade after BIPA’s enactment, we constantly hear new examples of companies that have collected, shared, and misused the personal information of millions being shared without their knowledge or consent. The strong protections of Illinois’s law are more critical than ever.
…Adding… Illinois Chamber of Commerce President and CEO Todd Maisch…
We fear that today’s decision will open the floodgates for future litigation at the expense of Illinois’ commercial health.
- Anonymous - Friday, Jan 25, 19 @ 9:46 am:
A key part of the decision is on page one:
CHIEF JUSTICE KARMEIER delivered the judgment of the court, with opinion.
Justices Thomas, Kilbride, Garman, Burke, Theis, and Neville concurred in the judgment and opinion.
Unanimous. Wow.
- Chicagonk - Friday, Jan 25, 19 @ 9:52 am:
This is a very big decision. BIPA is the only law of it’s kind in the US and I know that there is a lot of lobbying at the federal level to pass a law that would supersede BIPA.
- Shivas - Friday, Jan 25, 19 @ 9:53 am:
According to Law360: “Many of the more than 200 pending cases filed under the statute accuse hotels, supermarkets and other businesses of breaching BIPA — the nation’s only biometric privacy law with a private right of action — by not seeking written consent before requiring employees to use fingerprint-based timekeeping systems.”
In other words, the Illinois plaintiff’s bar owns Springfield in a way that no other state’s plaintiff’s bar owns its state legislature.
- don the legend - Friday, Jan 25, 19 @ 9:54 am:
A win for Illinois citizens.
- @misterjayem - Friday, Jan 25, 19 @ 9:55 am:
“Compliance should not be difficult; whatever expenses a business might incur to meet the law’s requirements are likely to be insignificant compared to the substantial and irreversible harm that could result if biometric identifiers and information are not properly safeguarded; and the public welfare, security, and safety will be advanced. That is the point of the law.”
A unanimous decision, i.e. that’s all she wrote.
– MrJM
- Professor - Friday, Jan 25, 19 @ 9:55 am:
I would like to go back and look at the debates, and see if ‘legislative intent’ beyond the word aggrieved, was ever established.
- wordslinger - Friday, Jan 25, 19 @ 10:02 am:
–In reaching a contrary conclusion, the appellate court characterized violations of the law, standing alone, as merely “technical” in nature. –
Wasn’t familiar with this one beforehand.
What a bizarre ruling by the appellate court; didn’t know they were giving mulligans for “technical” violations of the law.
How is “technical” even a thing, under the law? Isn’t the “harm” a given, when you break the law?
Good on the Supremes for finding for the people, and not Big Brother.
- Anonymous - Friday, Jan 25, 19 @ 10:15 am:
This is a great civil liberties victory. Looking forward to seeing its implications.
- Klaus VonBulow - Friday, Jan 25, 19 @ 10:29 am:
By definition biometrics extends to facial recognition. The facial recognition practices are vast within security and marketing. Does law enforcement currently use this and are they exempt?
- 360 Degree TurnAround - Friday, Jan 25, 19 @ 10:29 am:
Big win for the people. Big loss for the Illinois Chamber of Commerce.
- Anonymous - Friday, Jan 25, 19 @ 10:40 am:
The question of damages needing to be shown is going to have an impact far beyond just cases on biometric info
- Huh? - Friday, Jan 25, 19 @ 10:55 am:
“Does law enforcement currently use this and are they exempt?”
The statute refers repeatedly to “private entity”.
740 ILCS 14/10 provides the definition of “private entity”. The definition excludes State or local government agencies, courts, clerks of the court, justices, and judges. There are other exclusions in 740 ILCSb14/25.
- Huh? - Friday, Jan 25, 19 @ 10:58 am:
Ugh. 740 ILCS 14/25
Freaking fat fingers strike again.
- Hamlet's Ghost - Friday, Jan 25, 19 @ 10:58 am:
Would BIPA apply to harvesting photos from the 10 year challenge to refine facial recognition software?
- RNUG - Friday, Jan 25, 19 @ 11:00 am:
== By definition biometrics extends to facial recognition. The facial recognition practices are vast within security and marketing. ==
Facebook makes heavy use of facial recognition.
As does all the photo search / photo matching software.
Cellphone companies do also. My cell phone supports both facial recognition and fingerprints as security features if you opt to use them. At least in the case of my phone, they are optional features you can choose to turn on, so consent is covered there.
Law enforcement matches your photo for FOID or concealed carry permit with your stored SOS/DMV photo on your driver’s license. Is it consent when your are required to submit the photos?
Lots and lots of implications.
- former southerner - Friday, Jan 25, 19 @ 11:04 am:
Several months ago I received an email from Canon professional services inviting me to be part of a test group for their new photo sharing website known as Canon Raise. Canon intends to use this site to develop their AI technology. When I followed the link to sign up for the beta there was a highlighted notice NOT to upload any photos that contain residents/citizens of Illinois and I suspect that was because of this Illinois law.
- Anonymous - Friday, Jan 25, 19 @ 11:06 am:
==Law enforcement matches your photo for FOID or concealed carry permit with your stored SOS/DMV photo on your driver’s license. Is it consent when your are required to submit the photos?==
Government entities are likely exempt from this.
As for Facebook, et al, when you sign up you consent to a lot of things. Most people just never read what they’re consenting to.
- Thomas Paine - Friday, Jan 25, 19 @ 11:10 am:
=== see if legislative intent ==+
Oh, give it up professor.
You think lawyers for Six Flags, Facebook, Google and Apple missed that one?
That was one stinging rebuke of the Appellate Court for the Second District, was Judge Joe Birkett involved in that opinion?
- SAP - Friday, Jan 25, 19 @ 11:13 am:
The Act covers facial recognition, but excludes photographs.
- DuPage - Friday, Jan 25, 19 @ 11:16 am:
The $5000 fine. Does it go to the state or the victim? If the state got $5000 times millions of Facebook violations, they could significantly reduce the amount of pension debt.
- RNUG - Friday, Jan 25, 19 @ 11:19 am:
== Most people just never read what they’re consenting to. ==
True. But one of these days I expect someone with serious money that has been harmed to mount a serious legal challenge to the all inclusive / overreaching licensing agreements.
- Lester Holt’s Mustache - Friday, Jan 25, 19 @ 11:52 am:
==We fear that today’s decision will open the floodgates for future litigation at the expense of Illinois’ commercial health.==
#LOLMaisch. If your members stop violating the law to collect biometrics without consent, they won’t have to worry about “future litigation” will they?
- 360 Degree TurnAround - Friday, Jan 25, 19 @ 12:01 pm:
==We fear that today’s decision will open the floodgates for future litigation at the expense of Illinois’ commercial health.==
If I may speak briefly for the people of Illinois, to Todd Maisch’s comment. “Hang in there Todd”.
- @misterjayem - Friday, Jan 25, 19 @ 12:44 pm:
Plus and Illinois’ biometric law calls for “informed consent” — a much higher standard of consent than the ones applied in browsewrap and clickwrap “Terms and Conditions” cases.
– MrJM
- C Ball - Friday, Jan 25, 19 @ 12:46 pm:
@DuPage Those are not fines or penalties but damages for suing; it is $1,000 or actual damage (if greater than $1,000) if negligent; $5,000 or actual (if over $5,000) if intentional or reckless.
- Albany Park Patriot - Friday, Jan 25, 19 @ 1:53 pm:
Can’t I ride the Yankee Clipper in peace?
- thechampaignlife - Friday, Jan 25, 19 @ 1:58 pm:
I am bummed that my Nest Hello video doorbell does not allow me to use the facial recognition to announce who is at the door, because of this law. Is it really biometrics being stored if it is just keeping a snapshot of frequent visitors, and then crunching some numbers based on that? Who will warn me that my mother-in-law is at the door?!
Fingerprints and other markers like that I get. But outlawing photos and math?
- Rich Miller - Friday, Jan 25, 19 @ 2:07 pm:
===Is it really biometrics being stored if it is just keeping a snapshot of frequent visitors, and then crunching some numbers based on that?===
Yes. The problem is how that information is being shared by the company and/or what happens if that info is hacked.
- SAP - Friday, Jan 25, 19 @ 3:13 pm:
From the statute: “Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color.” Merely taking a photo of somebody with your video doorbell system does not look like a violation. If you take the photo and run it through a facial recognition program, you have a problem.
- Anonymous - Friday, Jan 25, 19 @ 3:27 pm:
I’m no law dawg but I’m guessing this will no doubt end up in the SCOTUS ?
- thechampaignlife - Friday, Jan 25, 19 @ 3:38 pm:
===If you take the photo and run it through a facial recognition program, you have a problem.===
That may be true, but the cat is already out of the bag as soon as the photo is taken. Someone could live stream their camera, which anyone in the world could capture, run through facial recognition software, and do whatever nefarious things we think they can do with a photo. I think the bigger issue is thinking a facial profile is authoritative proof of an identity, rather than just a possible match.
- thechampaignlife - Friday, Jan 25, 19 @ 3:39 pm:
I would love to hear John Bambenek’s take.