The Supreme Court of Illinois has issued a new ruling which allows individuals whose privacy has been violated through a breach of the Illinois Biometric Information Privacy Act to take legal action against a private entity, even in cases where no damage to the individual came of the violation.
The Illinois General Assembly passed the Illinois Biometric Information Privacy Act in 2008. It was designed to guard against the unlawful collection and storing of biometric information, such as fingerprints, DNA, or iris recognition. The Act requires private entities to provide a written statement to an individual that their biometric information will be collected or stored. The purpose for the collection or storage of that data and the length of time the information will be retained must also be explained. The entity must also obtain written authorisation from an individual or that individual’s legal representative before biometric data can be collected or stored.
The new ruling, issued on January 25, is unlike existing data protection legislation. For example, the Health Insurance Portability and Accountability Act does not allow for private causes of action. Other states such as Texas and Washington have similar laws to BIPA, but unlike Illinois, there is no private cause of action. There is another unusual aspect to the announcement; legal action can be taken without an allegation of actual injury or an adverse event as a result of the violation.
The judgement was in light of Rosenbach v Six Flags Entertainment Corporation. Plaintiff Stacy Rosenbach took legal action following a visit to an amusement park owned by the corporation by her 14-year-old son. Upon arriving at the amusement park, he was required to provide his fingerprint to enter. Neither Stacy Rosenbach nor her son was informed in writing about the reason for collecting her son’s fingerprint or the length of time it would be stored. Written authorisation to collect the fingerprint was also not obtained by Six Flags.
The plaintiff did not allege harm in the case and stated that the only reason she filed the lawsuit was the violation of BIPA. Six Flags sought to have the case dismissed for lack of standing as the plaintiff had not suffered actual harm or threatened injury. The circuit court denied the motion to dismiss. The court of appeal reversed that decision, and the Supreme Court reversed the court of appeal’s decision.
The court’s decision that a technical violation of BIPA is, in itself, sufficient to support an individual’s statutory cause of action, was unanimous. The court held that “an individual need not allege some actual injury or adverse effect, beyond a violation of his or her rights under the Act in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act.”
If it can be established and proven that a violation of BIPA has occurred due to negligence, individuals could receive up to $1,000 for each violation. In cases of reckless or intentional violations of BIPA, up to $5,000 could be received per violation.