Illinois is only one of a select few states that have enacted legislation providing protections against the “compromise” of an individual’s biometric information. The Biometric Information Privacy Act, 740 ILCS 14/1 et seq. [“the Act”] imposes strict rules on how a private entity can collect, store, and share personal biometric information about an individual. The Act defines “biometric information” as any information, regardless of how it is captured, converted, stored, or shared, with based on an individual’s biometric identifier, such as a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry, which is used to identify an individual. The Act expressly authorizes “any person” who has been “aggrieved by a violation of this Act” to bring suit for statutory damages or actual damages, whichever is greater, in addition to attorneys’ fees and injunctive relief.
Recently, the Illinois Supreme Court heard oral argument in Rosenbach v. Six Flags Entertainment Corp. on whether standing under the statute requires an “injury or adverse effect” in addition to a violation of the Act, or whether a technical violation of the Act is sufficient to establish a right of action under the statute.
In Rosenbach, Plaintiff brought suit on behalf of a proposed class against Six Flags amusement park after Six Flags required her minor son to scan his thumbprint to access a season pass. Plaintiff alleged she neither consented to the fingerprint scan, nor received information about Six Flags’ collection and storage of her son’s data, which was required under the Act. Actual harm or disclosure of biometric data was not alleged.
Arguing that a person who suffers no actual harm has not been “aggrieved,” the defendants moved to dismiss the complaint. The trial court denied the motion to dismiss but later certified two questions for appeal relating to whether a “person aggrieved by a violation of [the] Act” must allege some actual harm.
The Second District Appellate Court agreed with Six Flags and held that a “person aggrieved” by a violation of the Act must allege actual harm, which the court found absent in Rosenbach. Plaintiff appealed to the Illinois Supreme Court, which heard oral argument on November 20, 2018.
Approximately two months before oral argument in Rosenbach, the Illinois First District Appellate Court issued a ruling seemingly at odds with the Second District holding in Rosenbach.
In Sekura v. Krishna Schaumburg Tan, Inc., the First District reversed dismissal of Plaintiff’s claimed violation of the Act where the plaintiff had alleged that the defendant collected her fingerprints without providing the statutorily required disclosures and later disclosing her fingerprints to an out-of-state third-party vender. Relying on the plain language of the Act and its legislative history and purpose, the First District held that the defendant’s violation of the Act was sufficient to satisfy the statute’s “aggrieved by” requirement and that no additional harm was required.
In particular, the plain language of the Act only states that any person “aggrieved by a violation of this Act” may sue, not that a person aggrieved by a violation—plus some additional harm—may sue. Thus, the First District reasoned that the drafters could have included an “actual injury” requirement, but didn’t. Moreover, the court noted that the Act provides for either “liquidated damages” or “actual damages,” thereby establishing that actual damages [i.e. actual harm] are not necessarily required to obtain relief under the Act.
The Sekura court also considered the legislative purpose and history of the Act, which are specifically incorporated into the statute. After reviewing this history, the First District concluded that the entire purpose of the Act is to prevent any harm from occurring in the first place, thereby reassuring the public, who will then be willing to participate in this new technology. Waiting until the harm has already occurred is too late because, as the drafters found, once a person’s biometric identifiers have been compromised, there is simply “no recourse” for prevention. Put another way, “replacing a biometric identifier is not like replacing a lost key or a misplaced identification card or a stolen access code. The Act’s goal is to preventirreparable harm from happening and to put in place a process and rules to reassure an otherwise skittish public.” The First District in Sekura found that forcing a member of the public to wait until after actual harm has already occurred in order to sue would confound the very purpose of the Act.
The Sekura court also went an extra step to distinguish the Second District’s holding in Rosenbach. According to the court, even if Rosenbach had been correctly decided and an additional “injury or averse effect” is required, Sekura found that test met. Unlike the Plaintiff in Rosenbach, the Plaintiff in Sekura had alleged an “injury or adverse effect”, specifically [1] injury to her legal right to privacy of her own biometric information by disclosure to an out-of-state third party vendor; and [2] mental anguish. By contrast, Plaintiff in Rosenbach merely alleged that Six Flags collected her son’s biometric data without consent or disclosure, but not that the data was disclosed to third parties or caused some other injurious effect.
The Illinois Supreme Court is now poised to decide and harmonize these two decisions. In last week’s oral argument, several of the justices appeared skeptical of Six Flags’ argument that specific actual harm, in addition to a violation of the Act, is required to satisfy the “aggrieved by” language of the statute. Comments from several of the justices seemed to echo the court’s reasoning in Sekura, namely, that the purpose of the Act is to prevent actual harm from happening in the first place, and that forcing an individual to wait to sue until such harm is actually realized may be too late. Similar to the Second District, another Justice suggested that the harm envisioned by the Act is the initial violation of the statute in failing to perform the legally required prerequisite of obtaining consent and providing written and public disclosure about use, storage, and destruction of one’s sensitive data.
The Illinois Supreme Court’s decision in Rosenbach is likely to have important consequences as to who can bring claims for violations of the Act, and when such claims may be brought. If consumers have to show they were actually harmed by a private entity’s violation of the Act, arguably the scope of its protections will be significantly reduced. Indeed, should the Court affirm the Second District Appellate Court’s decision, such a ruling potentially would have a chilling effect on a consumer’s ability to sue, and likely have the residual effect of disincentivizing private companies from safeguarding such information in the first place.
On the other hand, should the Illinois Supreme Court more closely follow the reasoning in Sekura, the decision willresult in greater opportunity for consumers to sue companies that violate the Act in the first instance, and require companies to develop new or additional policies and procedures to ensure that they are adhering to the Act’s consent and disclosure requirements.
Stay tuned for further updates…