Illinois Supreme Court Authorizes Biometric Lawsuits Without Any Allegation of Harm–Rosenbach v. Six Flags
Six Flags, the amusement park operator, allegedly violated Illinois Biometric Privacy Statute by collecting a minor’s fingerprint without consent. The state appeals court held that plaintiff had to allege harm beyond the information collection without consent. The Illinois state supreme court reverses.
As alleged in the complaint, Alexander Rosenbach went on a field trip to Six Flags. His mom purchased a pass for him online and expected him to take care of the paperwork on the trip. Alexander was fingerprinted at Six Flags before he was issued a season pass. Upon his return, his mom asked him for the paperwork accompanying the pass, and he said it was all taken care of “by fingerprint now.” She sued on his behalf, alleging a violation of the Illinois biometric privacy act (BIPA). This statute requires disclosure and consent before biometric information is collected.
The court says that the Illinois legislature knows how to make clear their intent to limit standing to plaintiffs who suffered “actual damage” beyond a violation of rights bestowed by statute. The legislature did not reflect such an intent here. This biometric privacy statute is similar to the AIDS Confidentiality Act, another Illinois statute where the legislature said plaintiffs can sue by showing any violation of the statute.
The statute says anyone “aggrieved” may sue and doesn’t define the term further, so the court looks to its commonly accepted definition. A person is aggrieved when her “rights are invaded . . . or . . . pecuniary interest” adversely affected. This definition has been recognized numerous times by Illinois courts, and the legislature is presumed to know this definition.
The court also says that requiring additional harm beyond a statutory violation is at odds with the purpose of the statute, which gives individuals the right to control their biometric information by requiring notice and consent before collection. Collecting this information without consent frustrates this purpose:
This is no mere ‘technicality’. The injury is real and significant.
The court also cites to the growing trend of collection and use by companies of biometric information. The court also notes that the only enforcement mechanism in the statute is a private right of action. And compliance “should not be difficult.”
Eric blogged about Google’s Article III win in a face-scanning case last month (Rivera v. Google). The plaintiffs have refiled in state court. This decision clears that lawsuit to proceed without standing problems. Apparently, Illinois courts do not have an Article III-like limitation on standing.
The Illinois BIPA statute has become the bane of tech companies. The court also notes a Facebook case that reached a similar conclusion. I blogged the trial court’s denial of Facebook’s summary judgment ruling in that case. Since that blog post, the Ninth Circuit granted Facebook’s request for discretionary appeal, staving off trial for the moment.
It appears from the pleadings that Six Flags did not have any documentation at all relating to the season pass. The opinion alludes to an online purchase, but there is no discussion of any accompanying terms. One wonders what the outcome would be if users had an online sign up with a click-through disclosure and consent. Setting aside capacity to contract for minors, is that sufficient to inform the subject and constitute the “written consent” that is required? Privacy statutes often require consent, and to my knowledge no case has really dug into whether consent in a terms of service (even one that the person affirmatively consents to) is sufficient.
Interestingly, the statute was passed in 2008.
See also: EFF’s post on the case. (EFF and others filed a brief in support of plaintiffs.)
Eric’s Comments: As Venkat indicates, BIPA was passed in a different technological era, and it now casts a long and not-always-welcome shadow over a wide range of technological innovations. That could indicate that the BIPA drafters and Illinois legislature did a good job foreseeing the future, or it could indicate that BIPA was premature, drafted before we really understood biometric data and the potential social benefits–and challenges–of using that data.
Unless some of the other pending federal courts erase any Article III limits, this ruling virtually ensures that future BIPA litigation will likely take place exclusively in Illinois state court. Why would a plaintiff want to risk an Article III dismissal in federal court when it’s completely bypassable?
The court casually makes an unsupported factual claim that it would have been easy for Six Flags to get consent. I’d love to stress-test this assumption. Why is Six Flags relying on biometric data in the first place? Maybe it’s essential, or maybe it’s a frivolous convenience. How would Six Flags get consent from both the child and parent in this situation? Why didn’t they try? We know that in the photo facial recognition cases, it’s effectively impossible for the online services to get consent from third parties depicted in the images who aren’t in privity with the online services. If that fact had been before the Illinois Supreme Court, would it have still claimed that getting consent is easy?
Case citation: Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Jan 25, 2019)
Google Photos Defeats Privacy Lawsuit Over Face Scans–Rivera v. Google
Illinois Users’ Face-Scanning Privacy Lawsuit Against Facebook Headed to Trial
Face Scanning Lawsuit Against Shutterfly Survives Motion to Dismiss
Facebook Gets Bad Ruling In Face-Scanning Privacy Case–In re Facebook Biometric Information Privacy Litigation