One small word can have a huge impact, as evidenced by a recent Illinois Supreme Court ruling. In Rosenbach v. Six Flags Entertainment Corp., the word is “aggrieved,” the interpretation of which now means that any private entity collecting biometric information from individuals in Illinois that has not provided adequate notice can be sued, even if the plaintiff can’t prove harm.
“When you have crushing liability like this for technical violations it incentivizes lawsuits regardless of the care a company takes,” said Justin Kay, a partner at law firm DrinkerBiddle. “[C]ompanies will be reluctant to use biometric technology because there will be more lawsuits, lawsuits without merit, that don’t help consumers because they weren’t about security in the first place.”
Six Flags updated its park admission policy in 2014 or before. The new policy requires park guests to supplement their season passes with a thumbprint. Later in 2014, a high school student went to the Chicago Six Flags Great America park while on a field trip. He brought a park pass with him but was told he also had to comply with the fingerprint requirement to be admitted to the park, which he did. When the student returned home, he told his mother about the new fingerprint requirement. She asked for the booklet or paperwork he’d received in connection with his season pass, but there was none. According to the complaint:
- Neither the boy or his mother was provided with written notice of the policy
- Neither of them had signed a written release regarding the fingerprint
- Neither of them had consented in writing “to the collection, storage, use, sale, lease, dissemination, disclosure, redisclosure, or trade of, or for Six Flags to otherwise profit from [they boy’s] thumbprint or associated biometric identifiers or information.
A multi-year lawsuit followed. Ultimately, the Illinois Supreme Court found in favor of the plaintiffs.
That means, as of January 25, 2019, if your company is collecting biometric data in Illinois and fails to provide adequate written notice, individuals can sue your company for up to $5,000 plus attorney’s fees, an injunction, or both.
Why actual harm isn't required
In attempting to understand the intention of the legislators who penned and passed BIPA, the Supreme Court turned to Black’s Law Dictionary, which states the word “aggrieved” means “having legal rights that are adversely affected.”
Interestingly, a lot of lawsuits and would-be lawsuits fail because the plaintiff is unable to show harm. For example, if a biometric identifier were stolen and the thief used that identifier to steal a prototype from a manufacturer, that manufacturer could show harm since there was a cost associated with developing the prototype, likely a cost associated with developing the associated intellectual property, lost revenue, etc. However, the Rosenbach v. Six Flags case isn’t about a security breach, it’s about a lack of disclosure.
Under BIPA, plaintiffs don’t have to show actual harm in order to receive a monetary award. For BIPA case defendants, the effect is “unjust enrichment” because plaintiffs are getting money for nothing.
“It’s not always huge businesses that get hurt by this and get sued,” said Kay. “A number of top tier companies were among the first entities sued. The second wave over the past two years has been mostly focused on finger scanning by employers. Some of them are big national companies [including] hotel chains, airlines and restaurant franchises. However, there are a number of Illinois businesses that could [go] out of business all because they didn’t hand someone a piece of paper [stating] what was actually clear from context and what had been communicated verbally.”
BIPA amendments have failed
Two BIPA-focused Senate bills and one House bill failed. Kay said he wouldn’t be surprised if more bills were proposed since BIPA doesn’t help consumers and it hurts businesses by encouraging lawsuits. One of the Senate bills focused on facial recognition gleaned from photographs which is outside the scope of BIPA. The other two bills were intended to limit the scope of BIPA by providing more exemptions.
Meanwhile, BIPA has been impacting other states’ laws. Kay said Texas has a BIPA-like biometric law that uses similar language, but it doesn’t include a private right of action, and that Washington State’s law was the business community’s response to BIPA. A bill was also introduced recently in Arizona.
“A company trying to do business nationally has to decide what its policy is going to be,” said Kay. “Do we have a national policy? If so, we’d have to comply with the most restrictive [state] which is Illinois. So, the most restrictive becomes the national standard. Tech companies are pushing for comprehensive national privacy legislation because that would solve that problem.”
The cost of providing notice is far cheaper than the cost of litigation. If your company is collecting biometric data in Illinois, make sure to explain why you’re collecting the data and how it will be used in writing. Otherwise, your company is opening the door to what it will likely consider frivolous lawsuits.