The Illinois Supreme Court has unanimously ruled against Six Flags Entertainment Corp. in a landmark Biometric Information Privacy Act (BIPA) case. The ruling will certainly impact claims against employers in the future for failing to properly notify and obtain consent from employees about the collection of their biometrics.
In Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, the Court determined that a minor child whose thumbprint was scanned as part of an amusement park’s season pass-holder program, allegedly without proper notice or consent, was an “aggrieved person” who could maintain a claim under BIPA.
BIPA provides for a private right of action and liquidated damages of $1,000 per violation (or $5,000 for intentional or reckless violations) to persons “aggrieved by a violation” of its restrictions on the collection, use and sharing of certain biometric data. The statute does not define the term “aggrieved.” Multiple lawsuits have addressed how the courts should interpret the meaning of the term.
In our February 2018 Newsletter, we discussed the recent challenges under BIPA. Specifically, we addressed and analyzed the holding in Rosenbach v. Six Flags Entertainment Corp., No. 2-17-0317, 2017 IL App (2d) 170317. To briefly recap, the Second District court in Rosenbach held that being “aggrieved” requires “an actual injury, adverse effect, or harm in order for the person to be aggrieved.” The court held that “a plaintiff who alleges only a technical violation of the statute without alleging some injury or adverse effect is not an aggrieved person under section 20 of the Act.” Thus, defendant’s failure to provide notice or to obtain plaintiff’s consent before collecting his thumbprint, on its own, was not sufficient to meet the standard.
The Supreme Court’s decision reverses the appellate court’s decision that the alleged violations are merely “technical” in nature and do not constitute harm under the statute. In sum, an individual does not have to plead an actual injury or harm, apart from the statutory violation itself, in order to have standing to sue under BIPA.
Based on this ruling, it appears that persons “aggrieved” are now only required to prove a technical violation in order to seek damages under BIPA.
Practice tip: This decision underscores how important it is for Illinois employers to implement, now, a biometric data retention policy that complies with BIPA. We expect to see an influx of BIPA litigation following this decision, so the best practice would be for employers to be proactive in ensuring their compliance with the statute’s requirements.
Employers should review their existing biometric collection and retention policies to make sure any written policies and internal procedures comply with the statute’s mandates. This includes informing employees in writing about the specific purposes and length of time for which their biometric information will be collected, used or stored, and first obtaining a written release by the person whose biometric information is sought.
As a reminder, we prepare comprehensive employee handbooks tailored to your business needs, in addition to reviewing and revising existing handbooks to ensure up-to-date compliance with applicable law. We strongly recommend that you consider a yearly audit of your current policies, as there are constant changes (such as Rosenbach) and additions to the law.
The statute further requires a written schedule and guidelines for the retention and destruction of the biometric information to be made public. BIPA also mandates consent and notice procedures that private entities must follow before disclosing someone’s biometric information to a third party. If you have any questions about your BIPA policy, would like assistance in drafting one, and/or are interested in our employee handbook services, please contact Storrs Downey or Jessica Jackler.