Last week, the Illinois Supreme Court issued a ruling on Rosenbach v. Six Flags, in which the parents of a child sued the theme park for collecting his fingerprints without proper consent. The court ruled unanimously in favor of the plaintiffs in the case, which is regarded as an important test of Illinois’ Biometric Information Privacy Act, or BIPA.
We asked Justin O’Neill Kay, a partner with the law firm Drinker Biddle, to explain the decision and its potential implications beyond the theme park.
What is BIPA again?
BIPA regulates the collection, use, and storage of “biometric identifiers” and “biometric information,” defined respectively as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry” (with narrow exclusions for such things as samples used for medical or scientific purposes) and “any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual.”
BIPA includes a number of technical requirements regulating the collection, use, and storage of biometric identifiers and biometric information. First, it prohibits the collection of biometric identifiers or information without obtaining a signed, written release informing the person of the collection, the specific purpose for collection, and the length of time the identifiers or information will be retained.
Second, it forbids the sale, lease, or profit from the identifiers or the information and prohibits disclosure of them except in narrow circumstances (such as with the person’s consent).
Third, it requires anyone in possession of such identifiers or information to safeguard them using the reasonable standard of care for the industry, and requires protections to be put in place that are at least “the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.”
Fourth, it requires anyone in possession of identifiers or information to develop and adhere to a publicly available written policy establishing a retention and destruction schedule under which the identifiers or information will be retained for no longer than the earlier of when the original purpose for their collection is satisfied, or three years.
What happened in the Rosenbach case?
On January 25, the Illinois Supreme Court issued its decision in Rosenbach v. Six Flags Entertainment Corporation interpreting the meaning of the term “aggrieved” in BIPA. Specifically, the court was asked to address whether to be “aggrieved” (a requirement for filing a lawsuit for $1,000 - $5,000 per violation) a plaintiff need merely allege that defendant violated the statute’s technical requirements regarding the collection, use, and storage of biometric information, or whether a plaintiff must also allege some actual harm arising from that technical violation.
The plaintiff in Rosenbach is a 14-year-old boy who, in order to obtain a season pass to visit Six Flags in Gurnee, provided a thumb scan that he was told would be used to verify his identity when he visited the park. He was not provided with the written disclosures described above and did not execute a release. He filed a purported class action lawsuit two years later based on the lack of the disclosures and release, but did not allege any adverse consequences arising from not receiving them, and did not allege that his thumb scan data had been shared, compromised, or misused.
The trial court held that he could still pursue a claim, but acknowledged that it was a difficult legal issue and asked the appellate court to weigh in. The appellate court disagreed with the trial court and said that if the Illinois legislature intended to allow for a private cause of action for every technical violation of the Act, it could have worded the law differently.
The plaintiff then appealed that decision to the Illinois Supreme Court. The Illinois Supreme Court also looked at the language and disagreed with the appellate court – it said that the way the legislature worded the statute actually required the opposite conclusion, and found support for its interpretation in the dictionary definition of “aggrieved” and in the introduction to the statute.
What happens now?
With regard to the Rosenbach case specifically, this decision just means that the case can go forward. It doesn’t mean that the plaintiff won or proved his case. It just means that Six Flags now must defend the case. Many other cases were similarly situated awaiting this decision.
More broadly, it means that there will be more lawsuits and those lawsuits will be more expensive to defend and settle, and that fewer companies will be using biometrics in Illinois as a result. In addition, it means that there will likely be new efforts to amend BIPA (two previous efforts failed). It also means that as other states continue to consider biometric regulations, businesses will point to BIPA and the deluge of lawsuits here as a reason not to impose regulations. Businesses will also likely point to BIPA and the Rosenbach decision as extremes that need to be reined in through comprehensive federal privacy regulations.
What does the decision mean?
The decision in Rosenbach means that if a company using biometric technology in Illinois is not 100-percent compliant with BIPA, it runs the risk of being sued for millions of dollars. But the decision also means that even companies that are 100-percent compliant run the risk of being sued because of the enormous stakes. The theory presented by plaintiff’s counsel is that each and every use of a biometric device is a violation, so that if an employee uses a biometric finger scanner to clock in and out of work, each scan is a violation that subjects an employer to $1,000 - $5,000 in damages. So, if 100 employees scanned in and out of work (arrival, morning break, lunch break, afternoon break, departure) eight times a day, every day for a year, that employer is facing $208 million to $1.04 billion in damages. When facing that type of annihilating liability, even a company that believes it is 100-percent compliant is likely to agree to pay some settlement to rid itself of the risk.
Privacy advocates will say that that sort of risk will encourage compliance with the biometrics laws and force companies to be careful with biometric information. That is true. But imposing jail time for driving 5 mph over the speed limit would also encourage compliance with speeding laws and force citizens to be careful drivers. In fact, it would probably result in fewer people driving, and we are likely to see the same now with regard to biometrics – fewer companies employing biometrics in Illinois.
Is this good for consumers?
Generally, no. The goal of any legislation like this is to strike a balance of encouraging responsible innovation while dissuading bad actors. But the Rosenbach decision upsets that balance by overemphasizing the dissuading of bad actors. The result will be less innovation in Illinois. Indeed, there are already products and apps that consumers in Illinois cannot use because of BIPA, and this decision is likely to result in more companies being unwilling to run the risk of a lawsuit in Illinois.
Privacy advocates will argue that this decision guarantees better protections for biometric information in Illinois, but the lawsuits brought under BIPA generally do not claim that biometric information was not sufficiently protected or that it was misused. Rather, they allege that consumers or employees did not receive the mandated disclosures about how the information was stored or collected. That means that a company could verbally inform an employee that it is using finger scans for security, and use military-level encryption to protect the scans, but because that company did not provide that information in the format required by BIPA, that company would be subject to suit for millions of dollars.
Who has been sued so far, and where?
There have been over 150 BIPA suits so far. Some of the very first BIPA-related suits were filed in 2015 and 2016 in federal court against well-known tech companies like Google, Facebook, Snapchat and Shutterfly related to their use of facial recognition technology. A small number of suits were also filed at that time against tanning salons, a daycare center, Six Flags, and the airport luggage cart rental company related to the use of finger scan technology.
In 2017 and 2018, the pace of filings increased rapidly, with the lawsuits focusing on employers that were using finger-scanning time clocks. Defendants ranged from local healthcare providers, manufacturers, and service providers to national airlines, hotels, grocery stores, and restaurant chains. Most of these later lawsuits were filed in state court.