Privacy Alert - Liability Under the Illinois Biometric Privacy Act

02.20.19

A new Illinois Supreme Court ruling expands the scope of liability for companies that collect or store biometric information. The Illinois Supreme Court has now clarified that actual injury or harm is not necessary to bring a claim under the Illinois Biometric Privacy Act, 740 ILCS 14/1, et. seq. Instead, a claim may be brought for damages prescribed by statute by anyone whose information was collected or stored in violation of the Biometric Privacy Act.

In Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (January 25, 2019), Alexander Rosenbach, a 14-year-old visiting Six Flags amusement park on a class trip was fingerprinted, without his parent’s consent or knowledge, as part of obtaining a season pass to the park. Six Flags argued in the litigation that they collected the fingerprints of the season pass holders to increase the speed of entry into the park and to eliminate sharing of season passes, and that Rosenbach has not suffered any actual injury or harm from its collection of his fingerprints. Rosenbach alleged the collection of his fingerprints violated the Biometric Privacy Act.

The Biometric Information Privacy Act regulates the collection, storage, use and disposal of certain individual biometric information, such as fingerprints, voice recordings and eye scans. Before a private entity collects or obtains biometric information, it generally must:

  1. Inform the subject (or his or her legally authorized representative) in writing as to what specific information is being collected or stored;

  2. Inform the subject in writing of the specific purpose and length of term that the information will be collected, stored and used; and

  3. Receive a written release executed by the subject. 740 ILCS 14/15(a).

The Biometric Information Privacy Act also sets forth strict requirements as to the manner of care that must be used when storing biometric information, such as having a policy in place for the storage and use of the biometric information, as well as prohibitions on the use of biometric data, such as the prohibition on the sale, lease or otherwise profiting from a customer’s biometric information.

The Act also creates a private right of action, allowing any person aggrieved by a violation of the act to obtain: (1) if the violation was the result of negligence, the greater of $1,000 or actual damages; (2) if the violation was intentional or reckless, the greater of $5,000 or actual damages; (3) reasonable attorney’s fees and litigation costs; and (4) other relief that a court deems appropriate. 740 ILCS 14/20.

Here, Rosenbach claimed Six Flags violated the Biometric Privacy Act by failing to inform him or his legally authorized representative in writing that the information was being collected or stored, failing to set forth in writing the specific purposes of the collection of his biometric information, including how long the information would be stored, and failing to obtain a written release of Rosenbach’s parents prior to the collection of his biometric information.

Six Flags argued that these violations constituted merely a technical violation of the Act, and, since Rosenbach did not suffer any actual injury or harm due to Six Flags’ alleged violation, that Alexander had no claim. The Illinois Supreme Court rejected Six Flags’ argument. The Court analyzed the General Assembly’s purpose in passing the law, where they noted that biometrics are “unlike other unique identifiers” and cannot be changed when compromised. Based upon the legislative intent, and other methods of statutory construction, the Court held that injury or harm is not necessary to support a claim under the Act.

The effect of this case will be felt immediately by companies conducting business in Illinois as well as private entities that collect biometric information in Illinois. They must ensure strict compliance with the Act or risk substantial liability under the Act.

If you have any questions about this Alert, or if you would like assistance with compliance matters, please contact the author listed below or the Aronberg Goldgehn attorney with whom you normally work.

David A. Johnson, Jr.
312.755.3142
djohnson@agdglaw.com

CLICK HERE to download a PDF copy of this Alert.

© 2019 Aronberg Goldgehn. All rights reserved. The above material is intended for general information and promotional purposes, and should not be relied on or construed as professional advice. Under the Illinois Rules of Professional Conduct, the above information may be considered advertising material. The transmission of this information is not intended to create, and receipt of it does not create, a lawyer-client relationship.



330 N. Wabash AvenueSuite 1700Chicago, Illinois 60611