Last Friday, the Illinois Supreme Court delivered its highly anticipated opinion in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186. Businesses and consumers alike watched for the Court’s opinion on whether mere technical violations of the Illinois Biometric Information Privacy Act (“BIPA”) gave plaintiffs the requisite standing to seek damages under the statute. The Court heard the case after the Second District Appellate Court of Illinois ruled that an individual was not a “person aggrieved” by a technical violation, and several other courts, both state and federal, were split over the issue. Rosenbach v. Six Flags Entertainment, 2017 IL App (2d) 170317.

In a fairly short opinion, focusing on statutory construction and the common meaning of the word “aggrieved,” the Illinois Supreme Court reversed the Appellate Court. 2019 IL 123186, ¶ 1. The Illinois Supreme Court held that an individual is in fact an “aggrieved person” under the statute even where they are unable to show actual damage, so long as there has been a violation of the statute. The Court held that, where there is no actual harm, the individual is entitled to statutory relief for each violation. In short, a technical violation is a violation. The Illinois Supreme Court took a strong stance that individuals should not have to wait for actual harm with respect to their biometric information, and that businesses would lack the requisite motivation to comply with statutes like BIPA without such an interpretation.

Notably, the Court stated:

The violation [of the Act], in itself, is sufficient to support the individual’s or customer’s statutory cause of action…. When a private entity fails to adhere to the statutory procedures, as defendants are alleged to have done here, “the right of the individual to maintain [his or] her biometric privacy vanishes into thin air. The precise harm the Illinois legislature sought to prevent is then realized.” This is no mere “technicality.” The injury is real and significant.

Id. at ¶ 34.

The Illinois Supreme Court’s holding is likely to increase the amount of BIPA litigation, which has boomed in recent years. Furthermore, the reach of Rosenbach is unlikely to be limited to Illinois, given the number of courts across the country considering cases involving similar issues and statutes regarding the handling of personal information. With the resoluteness of the Rosenbach decision, businesses, including employers, are advised to review and update their privacy policies, disclosures, and practices, particularly those related to biometric information.

  1. Understand your organization’s information collection practices. The Rosenbach opinion highlights an organization’s need to review not only how it collects information, but also what type of information it collects and how it uses that information. This information serves as a critical foundation for the disclosures and policies required under laws like BIPA.
  2. Update policies and disclosures. At the heart of the Rosenbach case was defendants’ failure to have the requisite disclosures, consents, and policies in place with respect to the collection, handling, and deletion of biometric data as required under BIPA. Organizations should take the opportunity to review their external-facing consents and disclosures to ensure they accurately reflect the organization’s practices, and update their internal policies and procedures accordingly.
  3. Review vendor practices. An organization should look not only at its own handling of biometric data, but also at that of its vendors with whom it may share biometric data or who may collect biometric data on behalf of the organization. Organizations should not only review their contractual agreements with such vendors to ensure the proper data protection clauses are in place, but also conduct an audit to ensure vendors are appropriately representing their data handling practices.

Dykema’s Privacy and Data Security group is here to help your organization not only review, update, and develop compliant BIPA policies and disclosures, but also build a holistic privacy program that is responsive to the ever-changing landscape of domestic and international statutes.

Cinthia Granados Motley

Cinthia Granados Motley is the Director of Dykema’s Global Data Privacy and Information Security practice group. She has an active national and international practice assisting clients in implementing effective information security practices and addressing current and emerging regulatory compliance issues, including cross-border data transfer and information governance, as well as litigation readiness and regulatory inquiry matters. She routinely acts as incident response counsel to national and multi-national entities, as well as privacy litigation counsel. In her litigation practice, Cinthia handles consumer and privacy litigation, international contract disputes, directors and officers liability, ERISA, e-discovery and professional liability matters. She routinely counsels clients in complex commercial disputes both domestically and abroad.

Ashley S.A. Jackson

Ashley Jackson is an associate on Dykema’s privacy and data security team. Ms. Jackson is a certified information privacy professional who advises domestic and international clients on issues of breach response, litigation, employee training, risk assessment and management, policies and procedures, and tabletop exercises related to cybersecurity and data privacy. Ms. Jackson is proficient in both U.S. and international privacy laws, including Europe’s General Data Protection Regulation (GDPR).

Erin S. Johnson

Erin Johnson is an attorney in the business & commercial litigation practice group in Dykema’s Chicago office.

Ms. Johnson’s practice includes litigation in Illinois and Indiana’s federal courts and Illinois’ state courts defending businesses against individual and class action lawsuits arising from Illinois BIPA and data protection laws, ADA, ADEA, as well as contractual disputes. Ms. Johnson also defends financial services providers against individual claims brought pursuant to RESPA and TILA.

Ms. Johnson is a member of the firm’s Privacy and Data Security team in which she assists in advising clients in the areas of data breach response and domestic and international data privacy law compliance projects. Ms. Johnson actively participates in pro bono work and has served as a Guardian ad Litem.