Illinois Supreme Court Rules “Actual Harm” Unnecessary Under Illinois Biometric Information Privacy Act

By Jason M. Taylor

In a prior December blog post we previewed arguments presented to the Illinois Supreme Court in the case of Rosenbach v. Six Flags Entertainment Corp. regarding whether Illinois’ Biometric Information Privacy Act, 740 ILCS 14/1 et seq. [“the Act”] requires “actual harm” to establish a right of action under the statute.  On Friday, January 25, 2019, in a unanimous decision, the Illinois Supreme Court reversed the Appellate Court and held that an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an “aggrieved” person and be entitled to seek liquidated damages and injunctive relief.

By way of background, the Act imposes numerous restrictions on how private entities collect, retain, disclose and destroy biometric identifiers, including retina or iris scans, fingerprints, voiceprints, scans of hand or face geometry, or biometric information. Under the Act, any person “aggrieved” by a violation of its provisions “shall have a right ofaction…against an offending party” and “may recover for each violation” the greater of liquidated damages or actual damages, reasonable attorney fees and costs, and any other relief, including an injunction, that the court deems appropriate.  

The central issue in Rosenbach was whether one qualifies as an “aggrieved” person who can recover liquidated damages and injunctive relief under the Act if he or she has not alleged some actual injury or adverse effect, beyond violation of his or her rights under the statute. The appellate court answered this question in the negative, and the Illinois Supreme Court reversed.

In Rosenbach, Plaintiff brought suit on behalf of a proposed class against Six Flags amusement park after Six Flags required her minor son to scan his thumbprint to access a season pass.  Plaintiff alleged she neither consented to the fingerprint scan, nor received information about Six Flags’ collection and storage of her son’s data, which was required under the Act.  For purposes of appeal, alleged technical violations of the Act were not contested. Rather, Six Flags argued that no other type of injury or damage to Rosenbach’s son had been alleged.  Defendants contended that an individual must have sustained some actual injury or harm, apart from the statutory violation itself, in order to bring suit under the Act. 

The Illinois Supreme Court sided with Rosenbach. According to the Court, “Defendants’ contention that redress under the Act should be limited to those who can plead and prove that they sustained some actual injury or damage beyond infringement of the rights afforded them under the law would require that we disregard the commonly understood and accepted meaning of the term ‘aggrieved,’ depart from the plain and, we believe, unambiguous language of the law, read into the statute conditions or limitations the legislature did not express, and interpret the law in a way that is inconsistent with the objectives and purposes the legislature sought to achieve.  That, of course, is something we may not and will not do.”  Rosenbach, 2019 IL 123186, ¶ 38. 

For example, the Court reasoned that where the legislature had wanted to impose an “actual harm” requirement in other situations, it has made that intention clear, citing as an example Illinois’ Consumer Fraud and Deceptive Business Practices Act.  By contrast, the legislature authorized private rights of action for monetary relief, attorney fees, and such other relief, by any person “aggrieved” by a violation of the statute without requiring proof of actual damages in order to recover.  Id.¶ 26 (citing to Illinois’ AIDS Confidentiality Act).   The Biometric Information Privacy Act, according to the Court, clearly followed the latter model compelling the Court to conclude that a person need not have sustained actual damage beyond violation of his or her rights under the Act in order to bring an action under it.

The Court also looked to prior case law construing the term “aggrieved” to mean “having a substantial grievance; a denial of some personal or property right.”  Thus, while a person who suffers actual damages as the result of the violation of his or her rights would meet this definition, such damages are not necessary to qualify as “aggrieved.”  Rather, “[a] person is prejudiced or aggrieved, in the legal sense, when a legal right is invaded by the act complained of or his pecuniary interest is directly affected by the decree or judgment.” Id.¶ 30. 

The Court concluded that through the Act, the legislature codified that individuals possess a right to privacy in and control over their biometric identifiers and biometric information. The duties imposed on private entities by section 15 of the Act addressing the collection, retention, disclosure, and destruction of a person’s or customer’s biometric identifiers or biometric information define the contours of that statutory right. Accordingly, when a private entity fails to comply with one of the Act’s requirements, “that violation constitutes an invasion, impairment, or denial of the statutory rights of any person or customer whose biometric identifier or biometric information is subject to the breach…[and] such a person or customer would clearly be “aggrieved” within the meaning of [] the Act….No additional consequences need be pleaded or proved. The violation, in itself, is sufficient to support the individual’s or customer’s statutory cause of action.”  Id. ¶ 33.

The Illinois Supreme Court’s decision in Rosenbach has important consequences as to who can bring claims for violations of the Act, and when such claims may be brought.  The Court’s decision will no doubt result in greater opportunity for consumers to sue companies that violate the Act in the first instance, and require companies to develop new or additional policies and procedures to ensure that they are adhering to the Act’s consent and disclosure requirements. The battleground over liability, however, is likely to shift to whether defendants’ business practices actually violate the Act and/or whether consumers have expressly or impliedly consented or agreed to collection of biometric identifiers or data.  These issues have yet to be fully addressed and developed in the courts, but are now expected to take on greater emphasis in light of the Court’s ruling in Rosenbach.

Share