News 02.21.19

CYBER RISK CLIENT ALERT: Actual Harm is not Necessary Under BIPA

The Background Of BIPA

The Illinois legislature enacted BIPA in 2008.  The “biometric identifiers” protected under BIPA include “retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” 

Section 15 of BIPA requires companies that obtain an individual’s biometric information to put in place a public written policy that describes the biometric information’s retention schedule as well as the guidelines for its destruction.  This section states that a corporation must destroy an individual’s biometric information either when there is no more use for the information, or within three years of the individual’s last interaction with the company. Additionally, in order for the company to obtain an individual’s biometric information, it must: (1) provide written notice that the biometric information is being collected; (2) provide written notice regarding the purpose of collecting the biometric information and the length of time the information will be stored; and (3) receive a written release from the individual whose biometric information is being stored.  Stated simply, there are numerous compliance requirements a corporation must adhere to under BIPA.

The Illinois legislature also added a section to BIPA providing that “[a]ny person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party.”  Who was “aggrieved” under BIPA, and therefore who had standing, was the source of much disagreement among lower courts.

Diverging Court Opinions On Standing Under BIPA

For example, the First District Appellate Court in the lower court case Rosenbach v. Six Flags Entertainment Corp., 2017 IL App (2d) 170317, denied plaintiffs a remedy for the unconsented collection of their biometric data under BIPA.  The court reasoned that the Illinois legislature intended BIPA to allow a private cause of action only to those who can show actual harm because the statute stated “[a]ny person aggrieved.”  740 ILCS § 14/20 (West 2016) (emphasis added).  The court’s rationale was that if the legislature had intended a mere technical violation to suffice for standing, it would have omitted the word “aggrieved.”

Conversely, the court in Sekura v. Krishna Schaumburg Tan, Inc., 2018 IL App (1st) 180175, ruled BIPA’s legislative intent was to allow for a cause of action regardless of whether the plaintiff suffered actual harm.  The court stated that BIPA was enacted to “prevent any harm from occurring in the first place, thereby reassuring the public, who will then be willing to participate in this new [biometric data] technology.” 

The Supreme Court

In Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, the Illinois Supreme Court overturned the First District Appellate Court and held an individual is not required to allege actual harm, beyond the violation of his or her rights under BIPA, to qualify as “aggrieved” and seek remedial measures.  Plaintiff alleged that Six Flags Entertainment Corporation (“Six Flags”) stored her son’s fingerprint when he obtained a season pass for the park without following the proper procedures under BIPA.  She claimed neither she nor her son had received any proper written notice of the purpose of storing the son’s fingerprints, or of how and when the data would be destroyed.  The Illinois Supreme Court reviewed whether a party is “aggrieved” when no actual injury is alleged.

Therefore, the Supreme Court determined that the legislative purpose of enacting BIPA was to impose safeguards and ensure those safeguards were followed.  Apart from the private right of action provided in section 20 of BIPA, no other mechanism for enforcement is available.  This fact seemed to bolster the Supreme Court’s reasoning on the importance of ensuring a private right of action, regardless of injury.  Defining the scope of BIPA to allow claims to be brought irrespective of actual harm provides a stronger incentive for companies to follow BIPA’s guidelines.  Additionally, the Supreme Court found that compliance is not overly burdensome, and the expense that companies do incur is insignificant compared to the irreversible harm that could occur if an individual’s biometric information is not properly safeguarded.

What’s Next

In light of the Supreme Court’s ruling in Rosenbach that actual harm is not necessary to confer standing, we anticipated that there would be increased litigation under BIPA.  Not surprisingly, two weeks after the Rosenbach decision, employees of Ryder Integrated Logistics Inc. (“Ryder Integrated Logistics”) filed a class action lawsuit in Cook County against their employer for its violation of BIPA, in Villalobos v. Ryder Integrated Logistics Inc., No. 2019-CH-01712.  The complaint claims Ryder Integrated Logistics required its employees to provide scans of their handprint to clock in and out of their shifts.  However, no waiver was signed by the plaintiffs, and no information was provided to the employees about the storage of their handprints or the company’s usage and destruction policies for the biometric data.

This is the first of many expected lawsuits alleging BIPA violations against companies collecting biometric information.  It will not be the last.  We recommend that companies be proactive in assessing their need to obtain biometric information, and then audit their compliance with BIPA, before requiring its collection and storage.