| BLOG
Get Ready for a Wild Ride: The Illinois Supreme Court Decides that a Bare Violation of BIPA Supports a Cause of Action, with No Actual Injury Required

The Biometric Information Privacy Act (BIPA) establishes safeguards and procedures relating to the retention, collection, disclosure, and destruction of biometric data. Passed in October 2008, BIPA is intended to protect a person’s unique biological traits—the data encompassed in a person’s fingerprint, voice print, retinal scan, or facial geometry. This information is the most sensitive data belonging to an individual. Unlike a PIN code or a social security number, once biometric data is compromised, “the individual has no recourse, is at [a] heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.” 740 ILCS 14/5(c). For this reason, BIPA provides a private right of action for “[a]ny person aggrieved by a violation of this Act . . . .” 740 ILCS 14/20.

The question facing Illinois courts had been how best to interpret the meaning of “aggrieved.” Was an individual aggrieved if the defendant violated the statute or did the individual need to have sustained “some actual injury or harm, apart from the statutory violation itself, in order to sue under the Act[?]” Rosenbach v. Six Flags Entm't Corp., 2019 IL 123186, ¶23. Illinois’s appellate courts had reached conflicting decisions on this question, with the First District holding that a bare statutory violation was sufficient to confer standing under BIPA, Sekura v. Krishna Schaumburg Tan, Inc., 2018 IL App (1st) 180175, ¶77, and the Second District holding that BIPA required a person aggrieved by a violation of the Act to allege an actual harm and not simply a technical violation. Rosenbach v. Six Flags Entm't Corp., 2017 IL App (2d) 170317, ¶28.

On January 25, 2019, the Illinois Supreme Court resolved this split and held that a person is aggrieved in the legal sense “when a legal right is invaded by the act complained of . . . .” Rosenbach, 2019 IL 123186, ¶30. In other words, the “violation [of the statute], in itself, is sufficient to support the individual’s or customer’s statutory cause of action.” Id., at ¶33 (emphasis added). The underlying goals of BIPA supported this result. Id. at ¶¶24-37. If the purpose of BIPA was to safeguard biometric identifiers and information before the data was compromised, then individuals must be permitted to enforce those protective rights as soon as they became aware of a defendant’s failure to properly protect their biometric data. See id. at ¶37. To hold otherwise and require “individuals to wait until they have sustained some compensable injury beyond violation of their statutory rights . . . would be completely antithetical to the Act’s preventative and deterrent purposes.” Id.

The Supreme Court’s ruling is likely to further embolden lawsuits asserting bare violations of the statute and have an immediate impact on businesses in Illinois. After all, even a “technical” violation of the statute produces a “real and significant” injury. Id. at ¶34. The effect of the law is already being seen beyond the courtroom. BIPA is believed to be behind Nest’s decision not to offer facial recognition on doorbells operating in Illinois and Google’s decision not to allow Illinois users to match their selfies with faces depicted in works of art. Ally Marotti, Illinois Supreme Court Rules Against Six Flags in Lawsuit Over Fingerprint Scans. Here’s Why Facebook and Google Care, Chicago Tribune (Jan. 25, 2019). Companies in Illinois may want to hold on: after the Six Flags decision they could be in for a wild ride.

More information about BIPA and the cases interpreting the statute can be found here.

  • Charles N. Insler
    Partner

    Charles N. Insler is an accomplished writer who helps spearhead the firm’s appellate practice. He has briefed more than 15 appeals over the last five years, covering a variety of procedural and substantive legal issues. Mr ...

Search Blog

Categories

Archives

Contact

Kerri Forsythe
618.307.1150
Email

Jump to Page

HeplerBroom LLC Cookie Preference Center

Your Privacy

When you visit our website, we use cookies on your browser to collect information. The information collected might relate to you, your preferences, or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. For more information about how we use Cookies, please see our Privacy Policy.

Strictly Necessary Cookies

Always Active

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Functional Cookies

Always Active

Some functions of the site require remembering user choices, for example your cookie preference, or keyword search highlighting. These do not store any personal information.

Form Submissions

Always Active

When submitting your data, for example on a contact form or event registration, a cookie might be used to monitor the state of your submission across pages.

Performance Cookies

Performance cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek