Illinois Biometric Information Privacy Act Allows Legal Action Over Violations Even Without Actual Harm

The Illinois Supreme Court has decided that state residents can file a lawsuit against a private entity when their privacy has been violated as a result of a breach of the Illinois Biometric Information Privacy Act (BIPA), regardless of whether the BIPA violation resulted in actual harm.

The Illinois Biometric Information Privacy Act, passed in 2008, requires private entities to give a written notification to a person prior to collecting or storing his/her biometric information. The notification must specify the purpose for the data collection or storage and the length of time that the data will be used/stored. The entity also needs to get written consent from the person or his/her legal representative prior to the collection or storage of the biometric data. Biometric information consists of fingerprints, iris scans, voiceprints, hand scans, and any other biometric means of identification of a person.

Unlike HIPAA, which doesn’t have a private cause of action, it is possible for consumers to take legal action against organizations for violating the Illinois Biometric Information Privacy Act (BIPA). Similar laws have been passed in other states such as Texas and Washington, but Illinois is the only state with a law covering biometric data that includes a private cause of action.

Following an Illinois Supreme Court ruling on January 25, 2019, it is no longer necessary to establish and prove that a violation of BIPA has resulted in harm. A person can take legal action even without an actual injury as a result of the violation.

Plaintiff Stacy Rosenbach sued Six Flags Entertainment Corp. after her 14-year-old son visited a Six Flags amusement park. His fingerprint was used to gain access to the amusement park. No written notification was given to Stacy Rosenbach or her son regarding the reason for obtaining the fingerprint, and they were not notified about how long the fingerprint would be stored. Additionally, Six Flags did not get written consent to collect the fingerprint.

The plaintiff filed a lawsuit over the BIPA violation but did not allege harm. Six Flags attempted to have the case dismissed since there was no actual harm or threatened injury. The circuit court declined the motion to dismiss; the court of appeal reversed the decision; and the Supreme Court reversed the decision of the court of appeal.

The courts believed that a technical BIPA violation, in itself, is enough to support a person’s statutory cause of action. Proof of an actual injury or damage due to a BIPA violation is not required. The ruling is likely to result in a flood of lawsuits over BIPA violations.

If a violation of BIPA can be proven to have happened because of negligence, damages of up to $1,000 per violation are possible. In cases of reckless or intentional BIPA violations, as much as $5,000 in damages could be obtained for each violation.