In 2008, the Illinois legislature passed the Biometric Information Privacy Act (BIPA) to regulate businesses that use biometric data, such as fingerprints and retinal scans, for “streamlined financial transactions and security screenings.”[1] BIPA was drafted in the aftermath of the Pay By Touch bankruptcy in the mid-2000s.[2] Pay By Touch, a biometric payment system that once seemed poised to revolutionize daily transactions,[3] became emblematic of the risk to consumers’ personal information should business record-keepers go under.[4]
BIPA currently is the first and only biometrics privacy statute in the U.S. to establish a private right of action,[5] and was designed to safeguard individuals’ privacy in the face of an emerging technology whose “full ramifications . . . are not fully known.”[6] By regulating the collection, use, and destruction of biometric identifiers while mandating notice and consent requirements, the legislature hoped that BIPA would mitigate consumers’ privacy concerns over business’s use of their biometric data.[7]
Fast-forward ten years and BIPA has become a class action vehicle for plaintiffs. Opportunistic plaintiffs brought over fifty actions alleging BIPA violations between September and December of 2017 alone.[8] However, the flood of lawsuits seems to have abated after the ruling in Rosenbach v. Six Flags.9 There, a minor voluntarily consented to provide his fingerprint to Six Flags as part of the process for obtaining a season pass. Six Flags did not provide written notification regarding how it would use, store, or destroy the biometric data. The child’s mother then brought suit against Six Flags, alleging that she would not have allowed her son to purchase a season pass had she known of Six Flags’s conduct. In a rare win for the defense, the court found that a “person aggrieved” by a BIPA violation “must allege some actual harm.”[10] In other words, a “mere technical violation” of the Act does not equate to any cognizable harm or adverse effect that would trigger BIPA’s private right of action.[11]
Although this is a significant win for businesses who utilize biometric data, as well as their insurance companies, we do not counsel that companies rely too strongly on the Rosenbach opinion. It is plausible that the Supreme Court will reverse the appellate court and clarify some lingering issues. First, in a brief footnote, the appellate court mentions that the “plaintiff did not allege in her complaint any harm or injury to a privacy right,”[12] but does not explicitly state whether this addition would have altered the outcome of the opinion. Then, tucked away into the opinion’s final sentence, the court notes that although an “actual harm” is required “the injury or adverse effect need not be pecuniary.”[13]
Naturally, these statements beg the question: Would the court have found differently had the Rosenbach plaintiff pled an invasion of privacy in addition to merely a statutory violation?
Post-Rosenbach, biometric privacy law in Illinois sits at a crossroads. On the one hand, a good-faith reading of Rosenbach could find that an alleged invasion of privacy due to improperly obtained or handled biometric data, without further injury, satisfies the requirements for BIPA’s private right of action.[14] Alternatively, others argue that biometric data must actually be misused and cause a real harm to trigger BIPA’s right of action.[15] If the latter is true, then it remains uncertain what constitutes a real harm that is not monetary in nature but also not just an invasion of privacy. Still, the Supreme Court may choose a third option and reverse the appellate court altogether, finding that a statutory violation alone makes a person “aggrieved” with or without an alleged invasion of privacy.
But before reaching a decision on Rosenbach, the Supreme Court will have plenty to consider. For example, in a 2018 California federal district court decision, In re Facebook Biometric, the court considered Rosenbach’s language that an injury “need not be pecuniary,” and construed it to mean that an alleged injury to a privacy right is enough to make a person “aggrieved” under BIPA regardless of any “actual” harm.[16] In deciphering the Rosenbach opinion, the district court put immense emphasis on the case’s sole footnote – “plaintiff did not allege in her complaint any harm or injury to a privacy right.” The California court suggested that the Rosenbach court would have found differently had the plaintiff properly alleged an invasion of privacy.[17] However, the court also stated, “To the extent Rosenbach might be read differently, the court would part company with it.”[18] This decision would seem to re-assert a broad private right of action under BIPA, but only if an invasion of privacy is alleged.
In re Facebook Biometric underscores the stakes of the Supreme Court’s upcoming decision. In 2011, Facebook launched a “Tag Suggestions” feature that includes a multi-step facial recognition process to detect faces in pictures. Plaintiffs brought suit alleging that Facebook violated BIPA when it collected biometric data without notice or consent from Facebook users.[19] With millions of class members and potentially $5,000 per violation, Facebook faces what could amount to an astronomical payout.
In contrast to canceling a stolen or misplaced credit card, the road back from an immutable biometric identity breach is exponentially more severe. Unlike the financial risks posed in the Pay By Touch example, the vast majority of class action lawsuits brought under BIPA have been for “minor technicalities” against companies that use biometrics for routine employee timekeeping and security.[20] Companies like Google have begun to restrict their product offerings in Illinois over fear of litigation, which further drives calls for amendment.[21] These alleged abuses have convinced some in the legislature that current litigation is far afield of the Act’s original intent.[22]
Thus, the stage is set for the Illinois Supreme Court to rule on what some have called one of America’s hottest class action trends.[23] We believe that the Illinois Supreme Court may overturn Rosenbach to the extent that it held an “aggrieved person” must allege a privacy violation to trigger the private right of action. Regardless, the litigants in In re Facebook and similar lawsuits outside of Illinois will anxiously await the Illinois Supreme Court’s decision because it will control those extraterritorial cases. The law is clear: “[t]he highest court of a state is the final arbiter of what is state law. When a state’s highest court has addressed the issue, a federal court exercising diversity jurisdiction must defer to that court’s decision.”[24] In other words, even a contractual provision that selects a litigation venue outside of Illinois will not help a business escape the Illinois Supreme Court’s decision whether or not the outcome is a positive one for businesses.
Of note for businesses, the Supreme Court might clarify several issues from the Rosenbach opinion. First, the Court may consider whether a plaintiff must allege a privacy violation (to the extent that Rosenbach has made this a pleadings requirement). Second, the Court will likely clarify whether the specific plaintiff in Rosenbach was aggrieved – a fact-specific determination.
On the first issue, several subsequent courts have interpreted Rosenbach to mandate an alleged privacy violation. As mentioned previously, the court in In re Facebook suggested that a privacy violation is the valid non-pecuniary harm referred to in the final sentence in Rosenbach.[25] Similarly, the court in Dixon v. Washington & Jane Smith Cmty. distinguished Rosenbach, stating that BIPA’s private right of action was satisfied because “Dixon did allege an injury to a privacy right in her complaint.”[26] That allegation, the court found, is what made Dixon’s complaint actual and concrete.[27]
The Supreme Court could eliminate this extra-statutory requirement. The legislature’s intent in crafting BIPA was to make the public less wary in divulging biometric information. The statute expressly states that “an overwhelming majority of members of the public are weary [sic] of the use of biometrics.”[28] For this reason, BIPA was probably designed not only to remedy actual instances of biometric data’s misuse, but also to redress instances where data could be misused by granting individuals a statutory right of action. In other words, the legislature sought to reassure those otherwise “deterred from partaking in biometric identifier-facilitated transactions.”[29] Thus, the Court could find that the public may be deterred from providing biometric information to businesses if the private right of action only applies after data is lost, sold, or similarly misused.
Second, the Supreme Court will consider whether the Rosenbach plaintiff was aggrieved by Six Flags’s violation of BIPA. Here, the Supreme Court could agree with the appellate court that a technical violation of a statute and an actual harm are two distinct occurrences. However, the statute only requires a person be “aggrieved” in some undefined way. If the Court finds that the statute was intended to broadly protect Illinois residents against any number of unforeseen biometric dangers, it follows that the alleged harms due to a technical violation may be equally broad.
Plaintiffs, in their Prayer for Leave to Appeal, argue for the broad interpretation of “aggrieved person” found in Glos v. People, where the Illinois Supreme Court defined an aggrieved person this way:
A person is prejudiced or aggrieved, in the legal sense, when a legal right is invaded by the act complained of or his pecuniary interest is directly affected by the decree or judgment . . . ‘Aggrieved’ means having a substantial grievance; a denial of some personal or property right.[30]
Unlike the cases cited by the appellate court, the Glos decision is binding precedent whose definition was affirmed by subsequent cases.[31] According to the Leave to Appeal, “Plaintiff was aggrieved when Defendants invaded her . . . right to written information and opportunity to decide whether to consent to [her son’s] fingerprinting.” The Court may find the plaintiff’s argument persuasive and hold that she was “aggrieved” by a BIPA violation.
Alternatively, the BIPA violation in Rosenbach could be read as a privacy violation even if the exact term was not used. There, plaintiff’s privacy right was not explicitly abused by selling or losing the data. Nonetheless the Court may find a more subtle privacy harm: plaintiff lost control over who should and should not have access to her son’s highly sensitive and personally identifying information.[32]
Considerations of bodily autonomy and personal dignity may well sway the Supreme Court to protect how this information falls into the hands of corporate entities even absent the data’s misuse.
While the litigation is proceeding, the Illinois Senate is currently considering SB 3053, sponsored by Senator Bill Cunningham, which would amend BIPA to exempt private companies who use biometric data for exclusively employment or security purposes.[33] SB 3053 and its House companion, sponsored by Rep. André Thapedi, have earned broad support from the Illinois Chamber of Commerce and businesses ranging from telecommunications companies to fitness centers.[34] Opposing the bill are many concerned private citizens and the Electronic Frontier Foundation, a leading data privacy watchdog organization.[35] While the amendments maintain strong support from businesses, it should be noted that a similar effort to amend BIPA in 2016, allegedly backed by Facebook and Google, fell narrowly short.[36]
In conclusion, to the extent that BIPA has been broadly acted upon by plaintiffs’ counsel, it is the legislature’s duty to amend the law even if it could not have foreseen the flood of litigation BIPA would prompt. The Illinois Supreme Court may keep an eye to the progress of SB 3053 in the Illinois Senate, but, in the meantime, the safest path for businesses is to err on the side of caution despite the Rosenbach decision.
* D. Patterson Gloor is a Shareholder at Johnson & Bell, LTD, specializing in toxic tort, environmental litigation, catastrophic injury litigation, and product liability litigation. Mr. Gloor received his J.D. from the University of Michigan Law School in 1966, and received a B.B.S. from Miami University – Oxford, Ohio in 1963. To date, he has tried more than 200 cases to verdict.
** Brandon R. Thompson is a summer clerk at Johnson & Bell, LTD, and is the Editor-in-Chief of the Southern California Interdisciplinary Law Journal. Mr. Thompson is a third-year law student at the University of Southern California Gould School of Law, and received a B.A. in Government and History from Cornell University in 2016.
[1] Illinois Biometric Information Privacy Act, 740 Ill. Comp. Stat. 14/1 (2008) [hereinafter BIPA].
[2] Dune Lawrence, Do You Own Your Own Fingerprints?, Bloomberg: Bloomberg Businessweek (July 7, 2016, 6:00 AM), https://www.bloomberg.com/news/articles/2016-07-07/do-you-own-your-own-fingerprints.
[3] Lance Williams, How 'Visionary' Raised - and Lost - a Fortune, SFGate (Dec. 7. 2008, 4:00 AM), https://www.sfgate.com/news/article/How-visionary-raised-and-lost-a-fortune-3181454.php.
[4] Shubha, Failure Story: What Happened to Pay By Touch?, Medici (Apr. 20, 2015), https://gomedici.com/failure-story-what-happened-to-pay-by-touch/.
[5] Jeffrey Neuburger, Illinois Considering Amendments to Biometric Privacy Law (BIPA) That Would Create Major Exemptions to Its Scope, Proskauer: New Media & Technology Blog (Apr. 17, 2018), https://newmedialaw.proskauer.com/2018/04/17/illinois-considering-amendments-to-biometric-privacy-law-bipa-that-would-create-major-exemptions-to-its-scope/.
[6] BIPA, supra note 1.
[7] Id.
[8] Kwabena A. Appenteng & Philip L. Gordon, Recent Illinois Appellate Court Ruling Could End The Recent Flood Of Class Action Lawsuits Against Employers Under Illinois' Biometric Information Privacy Act, Littler: Insight (Jan. 9, 2018), https://www.littler.com/publication-press/publication/recent-illinois-appellate-court-ruling-could-end-recent-flood-class.
[9] See Rosenbach v. Six Flags Entm't Corp., 2017 IL App (2d) 170317.
[10] Id. at 1.
[11] Id. at 21, 28.
[12] Id. at 20 n.1.
[13] Id. at 28.
[14] See In re Facebook Biometric Info. Privacy Litig., 2018 U.S. Dist. LEXIS 63930, at 18 (“[T]he better reading is Rosenbach would find that injury to a privacy right is enough to make a person aggrieved under BIPA.).
[15] Id. at 16 (Facebook heatedly insists that Rosenbach interpreted "aggrieved" to require injury or harm "beyond the alleged statutory violation.”).
[16] Id. at 17-18.
[17] Id. at 18-19 (“Rosenbach would find that injury to a privacy right is enough to make a person aggrieved under BIPA. As the Court has already found, there is no question that plaintiffs here have sufficiently alleged that intangible injury. . . . a plain of reading of BIPA ‘leave[s] little question that the Illinois legislature codified a right of privacy in personal biometric information.’”).
[18] Id. at 18.
[19] Id. at 3-4.
[20] Ally Marotti, Proposed Changes to Illinois' Biometric Law Concern Privacy Advocates, Chi. Trib. (Apr. 10, 2018, 4:55 PM), http://www.chicagotribune.com/business/ct-biz-illinois-biometrics-bills-20180409-story.html.
[21] Id.
[22] See bills cited infra notes 33-36.
[23] Steven Grimes & Eric Shinabarger, Biometric Privacy Litigation: The Next Class Action Battleground, Bloomberg L.: Big Law Business (Jan. 17, 2018), https://biglawbusiness.com/biometric-privacy-litigation-the-next-class-action-battleground/.
[24] Wagstaffe Prac. Guide: Fed Civil Proc Before Trial § 3-II (2017).
[25] In re Facebook, 2018 U.S. Dist. LEXIS 63930, at 17.
[26] Dixon v. Washington & Jane Smith Cmty., 2018 U.S. Dist. LEXIS 90344, at 38.
[27] Id. at 39.
[28] BIPA, supra note 1.
[29] Id.
[30] Glos v. People, 259 Ill. 332, 340 (1913).
[31] American Surety Co. v. Jones, 384 Ill. 222, 229-30 (1943).
[32] See Dixon, 2018 U.S. Dist. LEXIS 90344, at 37 (“[O]btaining or disclosing a person's biometric data without her consent or knowledge necessarily infringes on the right to privacy in that data. Even though this may not be a tangible or pecuniary harm, it is an actual and concrete harm.”).
[33] S.B. 3053, 100th Gen. Assembly 2017-2018 (Ill. 2018) (amending 740 Ill. Comp. Stat. 14/1 (2008)).
[34] Witness Slips for SB3053 (Proponents), S.B. 3053, 100th Gen. Assembly 2017-2018 (Ill. 2018), http://www.ilga.gov/legislation/Witnessslip.asp?LegDocId=139941&DocNum=3053&DocTypeID=SB&LegID=110583&GAID=14&SessionID=91&GA=100&WSType=PROP.
[35]Witness Slips for SB3053 (Opponents), S.B. 3053, 100th Gen. Assembly 2017-2018 (Ill. 2018), http://www.ilga.gov/legislation/Witnessslip.asp?LegDocId=139941&DocNum=3053&DocTypeID=SB&LegID=110583&GAID=14&SessionID=91&GA=100&WSType=OPP.
[36] Jeff John Roberts, Push to Weaken Face Recognition Law Falls Short, For Now, Fortune (May 31, 2016), http://fortune.com/2016/05/31/biometric-law-change/.
