Legal Update

Jan 25, 2019

Illinois Supreme Court Opens Floodgates For Damages In Class Actions Alleging Violations of the Illinois Biometric Information Privacy Act (“BIPA”)

Seyfarth Synopsis: The Illinois Supreme Court has held that a person need not have sustained actual damage beyond technical violations of BIPA in order to pursue claims for damages. The Illinois Supreme Court’s ruling will likely greatly increase the potential exposure of companies in actions alleging violations of the Act and makes strict compliance with the Act all the more important. Accordingly, while the use of biometric technology by businesses has become increasingly common in recent years as an effective and emerging technology, businesses must take immediate compliance measures or else face the potential of significant liability and damages in class action litigation.

The Illinois Biometric Information Privacy Act

As biometric technology has become more advanced and affordable, more businesses have begun implementing procedures and systems that rely on biometric technology for various purposes, including employee timekeeping, consumer transactions, and security. In the context of this emergence, BIPA was enacted in 2008 and regulates the “collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.”

BIPA creates a limited right of action for “person[s] aggrieved by a violation” of its terms. A “person aggrieved” by a negligent violation of BIPA may recover “liquidated damages of $1,000 or actual damages, whichever is greater.” A “person aggrieved” by an intentional or reckless violation of BIPA may recover “liquidated damages of $5,000 or actual damages, whichever is greater.”

Requirements of the BIPA

Notice and Consent

The BIPA prohibits companies from collecting employees’ biometric information until the company notifies the employee in writing that the information is being collected. Specifically, the written notice must inform the employee of the “specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored and used.” 740 ILCS § 14/15(b). Likewise, before collecting the biometric information, a company must obtain a “written release” from the employee enabling it to collect and store the information. A “written release” is defined as “informed written consent or, in the context of employment, a release executed by an employee as a condition of employment.”

Written Policy

The BIPA also requires companies to develop a written policy establishing a retention schedule and guidelines for permanently destroying biometric information when the initial purpose for collecting it has been satisfied or within three years of the employee’s last interaction with the employer, whichever occurs first. The policy must be made available to the public.

Disclosure to Third Parties

In addition, a company may not disclose biometric information to a third party unless: it obtains consent for disclosure from the employee; the disclosure completes a financial transaction requested by the employee; the disclosure is required by law; or the disclosure is required by a valid warrant or subpoena.

Standard of Care

Also, the BIPA requires that a company use “the reasonable standard of care” within its industry for storing, transmitting and protecting biometric information and act “in a manner that is the same as or more protective than the manner in which the [company] stores, transmits and protects other confidential and sensitive information.”

The Facts

Stacey Rosenbach, acting in her capacity as mother of her son, Alexander, brought an action on his behalf in the circuit court of Lake County seeking redress for Alexander, individually and on behalf of all other similarly situated persons, under BIPA. The complaint alleged that Alexander visited Defendants’ amusement park on a school field trip. In anticipation of that visit, Rosenbach had purchased a season pass for him online. Rosenbach paid for the pass and provided personal information about Alexander, but he had to complete the sign-up process in person once he arrived at the amusement park, which included scanning his thumb into defendants’ biometric data capture system. After that, he was directed to a nearby administrative building, where he obtained a season pass card. The card and his thumbprint, when used together, enabled him to gain access as a season pass holder.

Rosenbach’s complaint alleged that neither Rosenbach nor her son was informed in writing or in any other way of the specific purpose and length of term for which his fingerprint had been collected; neither of them signed any written release regarding taking of the fingerprint; and neither of them consented in writing “to the collection, storage, use, sale, lease, dissemination, disclosure, redisclosure, or trade of, or for [defendants] to otherwise profit from, Alexander’s thumbprint or associated biometric identifiers or information.” Further, Rosenbach alleged that Defendants did not have any “written policy made available to the public that discloses [defendants’] retention schedule or guidelines for retaining and then permanently destroying biometric identifiers and biometric information.”

As a result, Rosenbach’s complaint alleged that Defendants violated BIPA by (1) collecting, capturing, storing, or obtaining biometric identifiers and biometric information from Alexander and other members of the proposed class without informing them or their legally authorized representatives in writing that the information was being collected or stored; (2) not informing them in writing of the specific purposes for which defendants were collecting the information or for how long they would keep and use it; and (3) not obtaining a written release executed by Alexander, his mother, or members of the class before collecting the information.

Defendants moved to dismiss the complaint in the trial court, arguing, among many things, that Rosenbach had suffered no actual or threatened injury and therefore was not “aggrieved” as necessary to assert a claim under BIPA. The trial court denied Defendants’ motion to dismiss on this basis. Defendants thereafter sought interlocutory review of the trial court’s ruling, which the Illinois Appellate Court granted.

In late 2017, the Illinois Appellate Court for the Second District became the first Illinois Appellate Court to address the issue of whether a plaintiff can recover for technical violations of BIPA, even if the complaint does not allege that the plaintiff suffered any harm, loss or injury. It held that a plaintiff is not “aggrieved” within the meaning of the Act and may not pursue either damages or injunctive relief under the Act based solely on a defendant’s violation of the statute. The injury or adverse effect need not be pecuniary, the Appellate Court held, but it must be more than a technical violation of the Act. Rosenbach thereafter petitioned the Illinois Supreme Court for leave to appeal, which was granted.

The Illinois Supreme Court’s Decision

The Illinois Supreme Court reversed the Illinois Appellate Court for the Second District and remanded to the trial court for further proceedings. After summarizing BIPA, the Illinois Supreme Court began its analysis by zeroing in on its statutory construction, noting that Defendants had read the Act as evincing an intention by the legislature to limit a plaintiff’s right to bring a cause of action to circumstances where he or she has sustained some actual damage, beyond violation of the rights conferred by the statute, as the result of the defendant’s conduct. The Illinois Supreme Court rejected this argument as untenable, noting that when the General Assembly has wanted to impose such a requirement in other situations, it has made that intention clear.

Next, the Illinois Supreme Court held that a person who suffers actual damages as the result of the violation of his or her rights would meet this definition, of course, but sustaining such damages is not necessary to qualify as “aggrieved.” Rather, “[a] person is prejudiced or aggrieved, in the legal sense, when a legal right is invaded by the act complained of or his pecuniary interest is directly affected by the decree or judgment.” Accordingly, based on this construction, the Illinois Supreme Court held that when a private entity fails to comply with one of BIPA’s requirements, that violation constitutes an invasion, impairment, or denial of the statutory rights of any person or customer whose biometric identifier or biometric information is subject to the breach. Further, it opined that “[n]o additional consequences need be pleaded or proved. The violation, in itself, is sufficient to support the individual’s or customer’s statutory cause of action.”

Finally, the Illinois Supreme Court explained that BIPA vests in individuals and customers the right to control their biometric information by requiring notice before collection and giving them the power to say no by withholding consent. It explained that these procedural protections are particularly crucial in our digital world because technology now permits the wholesale collection and storage of an individual’s unique biometric identifiers—identifiers that cannot be changed if compromised or misused. The Illinois Supreme Court further opined that “[w]hen a private entity fails to adhere to the statutory procedures, as defendants are alleged to have done here, the right of the individual to maintain [his or] her biometric privacy vanishes into thin air. The precise harm the Illinois legislature sought to prevent is then realized. This is no mere ‘technicality.’ The injury is real and significant.”

The Illinois Supreme Court concluded its opinion by holding that contrary to the Appellate Court’s view, an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an “aggrieved” person and be entitled to seek liquidated damages and injunctive relief pursuant to BIPA. Therefore, it reversed the judgment of the Appellate Court and remanded to the Circuit Court for further proceedings.

What The Decision Means For Businesses

The decision will make it significantly easier for individuals to assert causes of action and seek damages for mere non-compliance with BIPA’s requirements – absent any allegations of harm or injury. In that regard, the decision makes it of utmost importance that companies take strict measures to comply with BIPA’s requirements regardless of how (or why) they are utilizing biometric technology. As stated by the Illinois Supreme Court, “[w]hatever expenses a business might incur to meet the law’s requirements are likely to be insignificant,” in light of the potential for “liability for failure to comply with [BIPA’s] requirements.” Accordingly, the Illinois Supreme Court’s decision gives companies “the strongest possible incentive to conform to the law and prevent problems before they occur and cannot be undone.”