On Friday, January 25, 2019, the Illinois Supreme Court filed a unanimous opinion addressing whether one qualifies as an “aggrieved person” under the Illinois Biometric Information Privacy Act (BIPA) “if he or she has not alleged some actual injury or adverse effect, beyond violation of his or her rights under the statute.”
As alleged in the complaint for Rosenbach v. Six Flags Enter. Corp., a theme park operator in Illinois maintained a system to collect and store pass holders’ fingerprints and biometric’ identifiers gleaned from the fingerprints. This information was to quickly verify customer identities for entry to the theme park. The mother of a fourteen year old season pass holder brought suit under BIPA on behalf of her son and similarly situated individuals, seeking redress solely based on defendants’ failure to comply with the BIPA consent requirements for the collection of biometric identifiers. Defendants argued an individual must have sustained some actual injury or harm, besides the statutory violation itself, in order to sue under BIPA, a position upheld by the appellate court.
In its analysis, the Illinois Supreme Court noted: “Accepted principles of statutory construction, however, compel the conclusion that a person need not have sustained actual damage beyond violation of his or her rights under the Act in order to bring an action under it.” “Contrary to the appellate court’s view, an individual need not allege some injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act.”
In the last few years BIPA has been a magnet for class action claims, in part because of ambiguity over whether individuals qualified as aggrieved persons who can bring an action for statutory damages. With the new Illinois Supreme Court ruling, such suits will continue.
Please contact any of our attorneys if you would like to discuss BIPA, the ruling, or the use of biometrics and legal risks.
Jim Shreve is chair of Thompson Coburn's Cybersecurity group and holds CIPP/US and CIPT certifications from the International Association of Privacy Professionals (IAPP). He is also a Fellow of Information Privacy (FIP) with the IAPP. Libby Casale is an associate in Thompson Coburn’s Business Litigation group and holds CIPP/US certification.
The Supreme Court of Illinois does not recognize certifications of specialties in the practice of law, and the CIPP/US certificate is not a requirement to practice law in Illinois.