In Rosenbach v. Six Flags Entertainment Corporation, the Plaintiff – the mother of a fourteen-year-old boy – sued Six Flags Entertainment Corporation under the Illinois Biometric Information Privacy Act (BIPA). Plaintiff alleged that the theme park scanned her son’s fingerprint without obtaining written consent and without properly disclosing the company’s business practices relating to the collection, use, and retention of the fingerprint data. Defendant Six Flags filed a motion to dismiss stating that Plaintiff was not an “aggrieved party” for purposes of BIPA because she had not alleged an “actual injury.” The motion was denied. Defendant then filed a motion for reconsideration. The district court presented questions for appellate review regarding whether a party who had only suffered a violation of the BIPA notice and consent requirements could be “aggrieved.” On appeal, the Illinois Appellate Court answered both questions in the negative. The question now lies before the Supreme Court of Illinois.
Whether a party who suffers a violation of the Act’s notice and consent requirement, when Defendant collected the victim’s fingerprint without obtaining consent, is considered “aggrieved” under the Illinois Biometric Information Privacy Act.
Plaintiff Stacy Rosenbach is the mother of fourteen-year-old Alexander Rosenbach. Defendant Six Flags Entertainment Corporation (Six Flags) is a corporation that operates an amusement park in Gurnee, IL, called Great America. Plaintiff purchased a season pass online for her son Alexander from Defendant’s Great America amusement park. Six Flags scanned and stored Alexander’s fingerprint during his next visit to the park in order for Alexander to obtain his physical season pass. The fingerprint scan was part of a nationwide policy that Six Flags rolled out in 2014 as a security process for pass holders to enter and exit amusement parks. To get into the amusement park, pass holders had to present their physical pass in addition to scanning their fingerprint. After Six Flags obtained Alexander’s fingerprint, he never returned to the park. The Plaintiff alleges that if she had known about Six Flags’ fingerprint policy, she would not have purchased the season pass. The mother, who filed the lawsuit as next friend to her child, alleges that the corporation violated the Biometric Information Privacy Act (BIPA), an Illinois law that restricts corporations’ collection, use, and retention of biometric data, like fingerprints, face and hand scans, eye scans, and voice prints.
In the District Court, the Defendant filed a motion to dismiss stating that Plaintiff was not aggrieved because she had not alleged an “actual injury.” The motion was denied under BIPA. Defendant then filed for a Rule 308(a) certification, arguing that the district court’s denial of its motion to dismiss raised significant legal questions. This motion was also denied. The Defendant then successfully filed a motion for reconsideration. The district court reformulated the prior questions, presenting two questions for appellate review. The central inquiry of the District Court was whether a party who had only suffered a violation of the notice and consent requirements of section 15(b) of the Act could be “aggrieved.” Specifically, the District Court’s certified questions addressed whether 1) statutory liquidated damages under Section 20(1) of the Act and 2) injunctive relief authorized under section 20(4) of the Act were appropriate in the context of such violations. Defendant requested leave to appeal from the Illinois Appellate Court, which the court granted.
On appeal, the Illinois Appellate Court answered both questions in the negative, finding that an individual who raises a “technical violation of the Act without alleging any injury or adverse effect” is not an “aggrieved” person and may not recover under any of the damage provisions of the Act. However, the court noted that an “injury or adverse effect” does not need to be pecuniary in nature. The Defendant argued that the Act’s text and purpose, as well as interpretations of the term “aggrieved party” in other statutes, suggest that “aggrieved” should be interpreted as requiring “actual harm or adverse consequences.” The Plaintiff maintained that a technical violation of the Act was sufficient. The Illinois Appellate Court looked at the plain meaning of the text since the Act does not define “aggrieved.” Definitions from Black’s Law Dictionary for “aggrieved party” and “aggrieved” reference rights that have been “adversely affected.” The plaintiff argued that the right to privacy was an “adversely affected” right. However, the court dismissed this argument, noting that even this interpretation required “an actual injury, adverse effect, or harm in order for the person to be ‘aggrieved.’” The court also examined cases interpreting an “aggrieved party,” determining that more than a technical violation was required for a party to be aggrieved. The Supreme Court of Illinois granted Plaintiff’s petition for leave to appeal.
The Illinois Biometric Information Privacy Act (BIPA) requires a corporation that obtains a person’s biometric information to 1) obtain a “written release” from them prior to collection, 2) provide them notice that their information is being collected and stored, and 3) state the duration the information will be collected, stored and used as well as its specific purpose. The law gives a private right of action to anyone “aggrieved” under the statute. Several courts have considered, and disagreed on, the meaning of the term “aggrieved” under BIPA. While some courts have considered a violation of the biometric notice and consent requirements to be a privacy violation that is actionable in itself, other courts have held that an aggrieved party must allege both a technical violation of the law and a separate and additional claim of injury.
The Illinois Legislature passed the BIPA in 2008 to protect the “welfare, security, and safety” of Illinois residents by “regulating the collection, use, safeguarding, handling, storage, retention, and destruction of biometric information.” Seeing the use of biometric identifiers growing, especially in the financial sector, the Illinois Legislature was cognizant that unlike other unique identifiers, biometrics are biologically unique and cannot be changed even if compromised. Furthermore, knowing that the implications of using biometric identifiers for a commercial purpose are unknown, the Illinois Legislature intended BIPA to address the concerns of a wary public that may be deterred from transactions that require biometric identification.
To combat these worries, BIPA requires a corporation that obtains a person’s biometric information to first obtain a “written release” from the customer or the customer’s representative. The law also requires a corporation that seeks to obtain biometric information from a customer to first provide “in writing” various information: (1) that the biometric information is being “collected;” (2) that the biometric information is being “stored;” (3) the “length of term” that the biometric information will be collected, stored, and used; and (4) the “specific purpose” for the collection, storage, and use of the information.
In 2005, EPIC first identified the risk to privacy resulting from the collection of biometric data at amusement parks in the United States. EPIC noted that it is disproportionate and unnecessary for theme parks to collect biometric identifiers from attendees. At the very least, EPIC explained, “Theme park visitors should have knowledge of the practice of collecting fingerprint information so they may act to protect their and their children’s privacy.” EPIC further stated, “Knowing as much as possible whenever personally identifiable information is being collected from you or your family is your best defense. It is not in your privacy interest to fail to ask questions or challenge requests for personally identifiable information. It is important to ask questions and assert your right to protect you and your children’s privacy.”
EPIC has filed many amicus curiae briefs in federal and state courts concerning emerging privacy issues, including a brief in the D.C. Circuit concerning the massive OPM data breach, which included the compromise of 5.1 million fingerprints, precisely the same digital data gathered by Six Flags.
EPIC has long advocated for strict limits on use of biometric data. Biometric data is personally identifiable information that cannot be changed, even if compromised. Improper collection of this information can contribute to identity theft, inaccurate identifications, and infringement on constitutional rights. Strict limits on biometric data are the best practice to prevent abuse.