Privacy & Cybersecurity Law Blog

On November 20, 2018, the Illinois Supreme Court heard arguments in a case that could shape future litigation under the Illinois Biometric Information Privacy Act (“BIPA”). BIPA requires companies to (i) provide prior written notice to individuals that their biometric data will be collected and the purpose for such collection, (ii) obtain a written release from individuals before collecting their biometric data and (iii) develop a publicly available policy that sets forth a retention schedule and guidelines for deletion once the biometric data is no longer used for the purpose for which it was collected (but for no more than three years after collection). BIPA also prohibits companies from selling, leasing or trading biometric data.

The plaintiff in the case, Stacy Rosenbach v. Six Flags Entertainment Corp., alleged that Six Flags Entertainment Corporation (“Six Flags”) violated BIPA by collecting her son’s fingerprint in connection with the purchase of a season pass, without first notifying her or obtaining her consent to the collection of her son’s biometric data. At the trial level, Six Flags argued that the case should be dismissed for failure to establish standing because the plaintiff did not allege that actual harm resulted from the company’s collection of her son’s fingerprint data. The case was appealed to the Second District Appellate Court, which ruled in Six Flags’ favor, holding that BIPA plaintiffs cannot rely on technical violations of the law, such as failure to obtain consent, to be “aggrieved” and have standing. The plaintiff appealed the case to the Illinois Supreme Court.

In oral arguments heard by the Illinois Supreme Court on Tuesday, Six Flags again argued that the plaintiff must allege more than just a technical violation of BIPA to establish standing. Three of the Court’s seven justices appeared to disagree with this argument, with one, Justice Robert Thomas, countering that “there seems to be at least a logical appeal” to ensuring that individuals are made aware that their biometric data will be collected, and that “the purpose [of BIPA] is so [an actual harm] won’t happen in the first place.” Justice Anne Burke joined, stating that it is “too late to wait” for a violation of the law to occur in the first place because at that point, a plaintiff “may never know [about the violation] and you can’t get your fingerprints back. It’s irreparable harm.”

The Second District Appellate Court’s ruling in favor of Six Flags diverges from a First District Appellate Court opinion in Klaudia Sekura v. Krishna Schaumburg Tan Inc., which held that plaintiffs have causes of action under BIPA even without allegations of actual harm. The Illinois Supreme Court’s ruling in Rosenbach is expected to set the standard for which plaintiffs have standing under BIPA in future litigation.