Share this article on:
The Illinois Supreme Court has ruled that individuals whose privacy has been violated through a breach of the Illinois Biometric Information Privacy Act can take legal action against a private entity, even if the violation of BIPA has not resulted in actual harm.
The Illinois Biometric Information Privacy Act, enacted in 2008, requires private entities to inform a person in writing that their biometric information will be collected or stored. The purpose for the collection or storage of that data and the length of time the information will be retained must also be explained. The entity must also obtain written authorization from an individual or that individual’s legal representative before biometric data can be collected or stored.
Biometric data includes fingerprints, voiceprints, hand scans, iris scans, and other biometric means of identifying a person.
In contrast to HIPAA, which has no private cause of action, individuals can sue companies for Illinois Biometric Information Privacy Act (BIPA) violations. Illinois is unique in that respect. Other states such as Texas and Washington have similar laws, but in those states, there is no private cause of action. Further, according to a ruling by the Illinois Supreme Court on January 25, 2019, legal action can be taken without an allegation of actual injury or an adverse event as a result of the violation.
Plaintiff Stacy Rosenbach took legal action against Six Flags Entertainment Corp., following a visit to a Six Flags amusement park by her 14-year-old son. He was required to provide his fingerprint to access the amusement park. Nether Stacy Rosenbach nor her son were informed in writing about the reason for collecting her son’s fingerprint or the length of time it would be stored. Written authorization to collect the fingerprint was also not obtained by Six Flags.
The plaintiff did not allege harm in the case, which was filed solely over the violation of BIPA. Six Flags sought to have the case dismissed for lack of standing as the plaintiff had not suffered actual harm or threatened injury. The circuit court denied the motion to dismiss, that decision was reversed by the court of appeal, and the Supreme Court reversed the court of appeal’s decision.
The court’s held that a technical violation of BIPA is, in itself, sufficient to support an individual’s statutory cause of action. No proof of an actual injury or damage as a result of the BIPA violation is required and consumer’s need not wait until they have suffered harm as a result of the violation to take legal action.
If it can be established and proven that a violation of BIPA has occurred due to negligence, individuals could receive up to $1,000 for each violation. In cases of reckless or intentional violations of BIPA, up to $5,000 could be received per violation.
According to the ruling, ensuring compliance with BIPA is not difficult and the costs of compliance are likely to be insignificant compared to the substantial and irreversible harm that could be caused to consumers if their biometric identifiers are not appropriately safeguarded and kept private and confidential.