In a groundbreaking decision handed down on January 25, 2019, the Illinois Supreme Court unanimously held that private entities cannot collect biometric data from consumers without their consent, pursuant to the Illinois Biometric Information Privacy Act (740 ILCS 14/1 et seq.) (“BIPA”). Crucially, the Court held that individuals have standing to bring a claim under BIPA even without a showing of actual harm.
Plaintiff Stacy Rosenbach filed suit against Six Flags amusement park after it collected her fourteen-year-old son’s thumbprint data without his consent. Ms. Rosenbach claimed that the collection violated BIPA, despite the fact that her son suffered no actual harm. Rosenbach v. Six Flags Entm’t Corp., 2019 IL 123186, P21 (2019).
In holding that technical non-compliance is sufficient to confer standing, the Illinois Supreme Court reasoned that unlike Social Security numbers, which can be altered after identity theft, biometric data such as face shapes or fingerprint patterns cannot be changed to protect victims. Thus, the high court agreed that the protections afforded by BIPA “are particularly crucial in our digital world because technology now permits the wholesale collection and storage of an individual’s unique biometric identifiers,” which can be compromised or misused repeatedly over the course of a person’s lifetime. Id. at P34.
Rosenbach will significantly impact any business entity operating in Illinois—especially those that collect biometric data, which is broadly defined by BIPA. By enabling individuals to bring claims under BIPA without clearing the procedural hurdle of proving actual injury, the Court’s decision is likely to result in a massive influx of BIPA-based class action suits. It is pertinent for businesses with Illinois operations to ensure that they are compliant with the notice-and-consent provisions of BIPA to avoid litigation exposure and substantial liability to individuals.