The extent to which individuals may seek relief due to the unauthorized use of their personal information is an important issue in the privacy community. The Supreme Court of Illinois recently added its voice to this debate in ruling that an individual may recover statutory damages and other relief, without having to plead or establish actual damages, where unauthorized use has been made of the person’s biometric information.
Although the decision turns primarily on statutory interpretation principles applied to the State’s Biometric Information Privacy Act (“Act”), the court also addressed the broader policy implications involved and why such relief is appropriate.
The matter, Stacy Rosenbach v. Six Flags Entertainment Corp., Docket No. 123186 (Ill. S. Ct. 1/25/2019), arose when a family bought their teenage son an online season pass for him to attend an amusement park event. When the boy arrived at the park, he was required to provide his thumbprint to receive the pass and gain entry to the park.
The park had not advised the parents of the requirement when they purchased the ticket and did not furnish them or their son with any information about the use of the thumbprint, or how long it would be retained. The parents subsequently brought a class action under the Act on behalf of their son and others similarly situated, in response to which the park sought dismissal on the grounds that no actual injury had been suffered by the boy.
The Act prohibits a private entity from obtaining a person’s or a customer’s biometric identifier or biometric information unless it first:
- Informs the subject or the subject’s representative in writing that a biometric identifier or biometric information is being collected or stored;
- Informs the subject or the subject’s representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and
- Receives a written release executed by the subject of the biometric identifier or biometric information or the subject’s representative.
Although conceding its noncompliance with the Act, the park asserted that the Act did not support a claim for such a mere “technical” violation of its terms, as the plaintiff had not suffered an injury or other adverse effect. The trial court denied the motion, an appellate court reversed, and the matter then came before the state Supreme Court for review.
In considering the Act, the court found no legislative direction requiring that actual harm be suffered as a condition of recovery. The court also observed that, although the term “aggrieved” as used in the Act lacked statutory definition, its meaning could be determined through precedent and common meaning to extend beyond an actual injury to include when a legal right is invaded by the act complained of.
The court observed that the legislature had codified that individuals possess a right to privacy in and control over their biometric identifiers and biometric information, whose contours were defined by the Act.
Thus, when a private entity fails to comply with the Act’s requirements, that violation itself constitutes an invasion, impairment or denial of the statutory rights of any person or customer whose biometric identifier or biometric information is subject to the breach. Such a person or customer would be “aggrieved” and entitled to seek recovery under the Act. The violation, itself, is sufficient to support the individual’s or customer’s statutory cause of action without the need to plead additional consequences.
In rejecting the appellate court’s dismissal of the park’s violation as merely “technical,” the court also addressed the larger policy aspects of protecting individuals’ privacy rights.
The court explained that the Act vested in individuals and customers the right to control their biometric information by requiring notice before collection and affording them the power to refuse by withholding consent.
The court continued by noting that these procedural protections are particularly crucial in our digital world because technology now permits the wholesale collection and storage of an individual’s unique biometric identifiers — identifiers that cannot be changed if compromised or misused.
When a private entity fails to adhere to the statutory procedures, as defendants are alleged to have done in the matter before the court, the right of the individual to maintain his or her biometric privacy vanishes into thin air. The precise harm the Illinois legislature sought to prevent is then realized. Thus, the court concluded that this is no mere “technicality.” The injury is real and significant. (quotations and citations omitted)