Last Friday, the Illinois Supreme Court delivered the highly anticipated Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, opinion. Businesses and consumers alike watched for the Court’s opinion regarding whether mere technical violations of the Illinois Biometric Information Privacy Act (“BIPA”) gave plaintiffs the requisite standing to seek damages under the statute. The Court heard the case after the Second District Appellate Court of Illinois ruled that an individual was not a “person aggrieved” by a technical violation and several other courts, both state and federal were split over the issue. Rosenbach v. Six Flags Entertainment, 2017 IL App (2d) 170317. In a fairly short opinion, focusing on statutory construction and the common meaning of the word “aggrieved,” the Illinois Supreme Court reversed the Appellate Court. 2019 IL 123186, ¶ 1. The Illinois Supreme Court held that an individual was in fact an “aggrieved person” under the statute where they are unable to show actual damage, but there has been a violation of the statute. The Court held, where there is no actual harm, the individual is entitled to statutory relief for each violation. In short, a technical violation is a violation. The Illinois Supreme Court took a strong stance in that individuals should not have to wait for actual harm with respect to their biometric information and that businesses would lack the requisite motivation to comply with statutes like BIPA without such an interpretation.
Notably, the Court stated:
The violation [of the Act], in itself, is sufficient to support the individual’s or customer’s statutory cause of action….When a private entity fails to adhere to the statutory procedures, as defendants are alleged to have done here, “the right of the individual to maintain [his or] her biometric privacy vanishes into thin air. The precise harm the Illinois legislature sought to prevent is then realized.” This is no mere “technicality.” The injury is real and significant.
Id. at ¶ 34.
The Illinois Supreme Court’s holding is likely to increase the amount of BIPA litigation that has boomed over the recent years. Furthermore, the reach of Rosenbach is unlikely to be limited to Illinois given the number of courts across the country considering cases involving similar issues and statutes regarding the handling of personal information. With the resoluteness of the Rosenbach decision, businesses, including employers, are advised to review and update their privacy policies, disclosures, and practices, particularly related to biometric information.
- Understand your organization’s information collection practices. The Rosenbach opinion highlights an organization’s need to review not only how it collects information, but also what type of information it collects, and how it uses that information. This information serves as a critical foundation to the necessary disclosures and policies required under laws like BIPA.
- Update policies and disclosures. At the heart of the Rosenbach case was defendants’ failure to have the requisite disclosures, consents, and policies in place with respect to the collection, handling, and deletion of biometric data as required under BIPA. Organizations should take the opportunity to review its external facing consents and disclosures to ensure they accurately reflect an organization’s practices and update its internal policies and procedures accordingly.
- Review vendor practices. An organization should not only look at its own handling of biometric data, but also its vendors with whom it may share biometric data or who may collect biometric data on behalf of the organization. Organizations should not only review its contractual agreements with such vendors to ensure the proper data protection clauses are in place, but also conduct an audit to ensure vendors are appropriately representing their data handling practices.
Dykema’s Privacy and Data Security group is here to help your organization review, update, and develop not only compliance BIPA policies and disclosures, but also assist with a holistic privacy program that is responsive to the ever changing landscape of domestic and international statutes.
To sign up for Dykema’s Privacy and Data Security Blog e-mail updates, please click here.