On Friday, January 25, 2019, the Illinois Supreme Court issued its highly anticipated decision in Rosenbach v. Six Flags Entertainment Corp, et al., 2019 IL 123186 (Ill. Jan. 25, 2019). The Court concluded that a private cause of action is available under the Illinois Biometric Information Privacy Act, 740 ILCS § 14/1 et seq. (BIPA), without allegations of additional, actual harm beyond violations of the procedural requirements set forth in the statute. This decision is an important development for companies that use biometric information with their consumers or employees.
Enacted in 2008, BIPA is a response to the concerns about the growing use of biometric identifiers and information in financial transaction and screening procedures. 740 ILCS § 14/5(a). BIPA limits the right to sue to “person[s] aggrieved” by a violation of the statute. In the past year, however, there has been a flurry of proposed class actions brought in Illinois state and federal courts under BIPA, and courts have grappled with determining when an individual is “aggrieved” under the statute.
In Rosenbach, the plaintiff alleged that an amusement park violated BIPA because it used her son’s fingerprints to issue a season pass without first obtaining written consent or otherwise complying with BIPA’s notification procedures. On certification from the trial court, the Second District Appellate Court held that in order to bring an action under BIPA’s “aggrieved person” private right of action, a plaintiff must allege an “injury or adverse effect” beyond noncompliance with the statute.
The Illinois Supreme Court disagreed, concluding that that the term “aggrieved” does not contemplate actual harm or injury beyond violation of the rights provided under BIPA. The Court held that a litigant can seek both monetary damages and injunctive relief regardless of whether a defendant’s alleged non-compliance with BIPA resulted in actual harm or injury.
The Court’s decision in Rosenbach likely will stimulate the proliferation of class action lawsuits, already numbering approximately 200, filed in Illinois state and federal courts alleging BIPA violations. Although the Court’s decision addressed only this threshold issue of who has the right to sue — it did not consider the merits of such cases, the viability of class certification or any other issues — companies that use “biometric information” for their customers and employees should remain mindful of BIPA and its multiple requirements and continue to ensure they are in compliance.