Contributors: Nicholas J. Lynn, Esq. and Ryan W. Brown, Esq.
The words “data security” can be nightmare-inducing for anyone whose job responsibilities include the protection of other people’s personal data. Few areas are more sensitive than private health information—and we have all of the complexities of HIPAA and its State analogues to show for it. Some States are now taking steps to protect private individuals from having their biometric data collected and stored without meaningful consent. Generally, privacy laws will punish a company when a breach occurs—but one State has taken a more proactive approach which allows private individuals to sue a company for collecting and storing their biometric data without consent—that is, in violation of the law.
A recent ruling out of Illinois illustrates some of the risks involved with using private biometric information. An Illinois statute—the Biometric Information Privacy Act (“Act”), 740 ILCS 14/1 et seq.—was the first law to regulate the collection and storage of biometric information when it was passed in 2008. It provides private litigants the opportunity to sue for money damages when their biometric information has been collected or stored in violation of the law. This is relevant to anyone using biometric data in Illinois, and potentially in other States with biometric information statutes, such as Washington and Texas, if their State courts interpret their laws similarly. As an emerging area of technology with increasing business and enterprise use, more States will likely regulate the collection and storage of biometric data in the coming years. States where legislation has been introduced in recent years, but not yet passed, include Alaska, California, Connecticut, Idaho, Massachusetts, Montana, New Hampshire, and New York.
On January 25, 2019, the Supreme Court of Illinois (“Supreme Court”) rendered its Opinion in the case styled Stacy Rosenbach, as Mother and Next Friend of Alexander Rosenbach, Appellant, v. Six Flags Entertainment Corporation et al., Appellees, 2019 IL 123186. Therein, the Supreme Court interpreted the Act and found that when a private entity fails to comply with one of the requirements of Section 15 of the Act, that violation, in itself, without some actual injury or damage beyond infringement of the rights afforded under the Act, constitutes an invasion, impairment, or denial of the statutory rights of any person or customer whose biometric identifier or biometric information is subject to the breach; and that the person or customer would clearly be “aggrieved” within the meaning of Section 20 of the Act and entitled to seek liquidated damages and injunctive relief pursuant to the Act. In other words, a litigant who has had their rights violated need not show that they were harmed beyond that violation itself to be entitled to monetary damages.
In the summer of 2014, Alexander Rosenbach (“Alexander”), the 14-year-old son of Stacy Rosenbach (“Stacy”), visited Six Flags Great America Amusement Park in Gurnee, Illinois. When Alexander arrived at the amusement park, he was asked to scan his thumb into defendants’ biometric data capture system and then obtained a season pass card. The Complaint alleges that neither Alexander nor Stacy was informed in writing or in any other way of the specific purpose and length of term for which Alexander’s fingerprint had been collected. Neither signed any written release regarding the taking of the fingerprint, and neither consented in writing “to the collection, storage, use, sale, lease, dissemination, disclosure, redisclosure, or trade of, or for [defendants] to otherwise profit from, Alexander’s thumbprint or associated biometric identifiers or information.” Defendants retained Alexander’s biometric identifiers and information and had not publicly disclosed what was done with the information or how long it would be kept, nor did they have any written policy that disclosed any retention schedule or guidelines for retaining and then permanently destroying such information.
After consideration of the Section 2-615 motion to dismiss at the Circuit Court (Lake County) and Appellate Court, the Appellate Court identified two questions of law interpreting Section 20 of the Act regarding liquidated damages and injunctive relief when the only injury alleged was a violation of Section 15(b) of the Act by a private entity which collected biometric identifiers and/or biometric information without providing the required disclosures and obtaining written consent as required by Section 15(b) of the Act. On appeal, the Supreme Court reversed the Appellate Court and concluded, contrary to the Appellate Court’s view, that “an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act.”
In this case, it was undisputed that the thumbprint constituted a biometric identifier subject to the Act’s provisions and that the electronically stored version of the thumbprint constituted biometric information within the meaning of the Act. For purposes of the Opinion, the existence of violations of Section 15(b) of the Act was not contested. Section 15(b) imposes various obligations on private entities; before collecting a biometric identifier or biometric information, a private entity must ensure that it:
(1) informs the subject or the subject’s legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored;
(2) informs the subject or the subject’s legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and
(3) receives a written release executed by the subject of the biometric identifier or biometric information or the subject’s legally authorized representative.
There has been an uptick in similar lawsuits in Illinois. An employee of North Shore University Health System filed suit in the Cook County Circuit Court in 2018, alleging the employer had scanned and stored his fingerprints for use in a punch-in clock without his consent. With this increase in litigation and the growing legislative momentum surrounding biometric privacy laws, this is a topic that deserves extra scrutiny before implementing biometric technologies and accompanying policies. Policies should also be regularly reviewed, as this is an actively evolving area of regulation.