Reed Smith Client Alerts

Illinois’ Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (BIPA) is unique among state biometrics statutes nationwide in that it includes a broad private right of action for those “aggrieved” by a violation of BIPA. Recently, the Illinois Supreme Court ruled in Rosenbach v. Six Flags Entertainment Corporation that a plaintiff need only allege a violation of BIPA to satisfy the statutory requirement that a plaintiff be an “aggrieved” person. The Court’s decision will likely increase the volume of class action litigation under BIPA, and it should lead organizations to reexamine their compliance practices in light of the heightened risk of costly litigation.

作者: Michael B. Galibois Wendell J. Bartnick Mark D. Quist Erica C. Spilde

On January 25, 2019, the Illinois Supreme Court ruled in Rosenbach v. Six Flags Entertainment Corporation that a plaintiff need only allege a violation of BIPA to satisfy the statutory requirements that a plaintiff be an “aggrieved” person. The decision clears a major obstacle for class action plaintiffs alleging violations of BIPA and may increase calls by private industry for the Illinois General Assembly to rein in the Act’s private right of action provision, and possibly, reform its compliance requirements.

BIPA background – A private right of action permitting statutory damages

BIPA was enacted in 2008 and imposes various obligations on private entities that collect, purchase, or otherwise use certain biometric identifiers – specifically, retina scans, iris scans, fingerprints, or voiceprints – or related biometric information (collectively, biometric data) from or about Illinois residents. BIPA prohibits the collection of biometric data without prior written notice to and written consent from the individual, prohibits profiting from the sale of biometric data, and imposes restrictions on the transfer, retention, and storage of biometric data. BIPA also requires the public posting of biometric data retention and destruction policies and mandates the destruction of biometric data records after three years. These requirements may pose substantial compliance hurdles for organizations that collect biometric identifiers and use biometric information.

In addition to the potentially considerable compliance costs, BIPA poses a unique feature among nationwide biometrics privacy laws in that it includes a private right of action for “[a]ny person aggrieved by a violation of this Act.” In private actions brought under BIPA, statutory damages range from $1,000 per violation for negligent violations to $5,000 per violation for intentional or reckless violations. Aggrieved persons may also recover actual damages (if they total more than statutory damages) and attorneys’ fees under BIPA. Unsurprisingly, these high per-violation statutory damages and attorneys’ fees provisions have generated a wave of BIPA class action litigation in the decade since BIPA’s passage – and the Illinois Supreme Court’s recent decision in Rosenbach may encourage further, increasingly expensive litigation against organizations that handle biometric data.