Illinois Supreme Court Issues Landmark BIPA Ruling

On January 25, 2019, the Illinois Supreme Court issued a key opinion affecting Biometric Information Privacy Act (BIPA) lawsuits, holding that a violation of BIPA’s requirements alone can support a cause of action under the statute. BIPA is a privacy law that regulates the collection, use, and retention of biometric data, such as fingerprints and face and eye scans, by imposing procedural requirements on corporations that collect the data. The Act is the country’s only biometric privacy law with a private right of action that permits an “aggrieved” plaintiff to sue for monetary damages. Since the law’s passage, courts have been split on whether a violation of BIPA’s procedural requirements alone amounts to an “actual injury.”

In Rosenbach v. Six Flags, parents sued Six Flags alleging that it’s collection of children’s thumbprints without prior consent violated the BIPA. At the appellate level, Six Flags successfully argued that the Plaintiffs did not qualify as an “aggrieved party” because they had alleged only a technical violation of the Act without additional proof of “injury or adverse effect.”  The Supreme Court, however, reversed and held that the Plaintiffs had alleged sufficient harm to qualify for standing, stating that the “violation, in itself, is sufficient to support the individual’s or customer’s statutory cause of action.”

In reversing the Appellate Court, the Supreme Court expressed concern that biometric identifiers “cannot be changed if compromised or misused” and noted that the BIPA’s procedural requirements are crucial to protecting against threats posed by misuse of the data. The Court observed that the BIPA’s enforcement mechanism—litigation brought by consumers under the Act’s private right of action provision—is the “strongest possible incentive” for ensuring compliance. The ruling is widely considered a win for consumer privacy rights advocates and will likely lead to an increase in the already voluminous quantity of cases pending and brought against corporations under the Act.

Learn more about this development in our Global Privacy & Data Security Task Force briefing.

TIP: This ruling will make it easier for consumers to qualify for standing to sue under the BIPA. Companies subject to the law’s requirements should implement, update, and maintain policies and procedures that bring them into compliance with the Act.