Skip to content First Illinois Appellate Court Decision Regarding Biometric Information Privacy Act Favors Defendants


Search Publications

January 2018

First Illinois Appellate Court Decision Regarding Biometric Information Privacy Act Favors Defendants

On December 21, 2017, the Appellate Court for the Second District issued the first appellate decision from an Illinois court interpreting the Biometric Information Privacy Act, 740 ILCS 14/1, et seq.  In an interlocutory appeal following the trial court’s certification of questions regarding the Act’s application, the appellate court found that a mere technical violation of the statute, without some consequent injury, is insufficient to give rise to an actionable claim.  Rosenbach v. Six Flags Ent. Corp., 2017 IL App (2d) 170317.  The Illinois appellate court decision interpreting BIPA joins a number of federal decisions that have dismissed BIPA cases for failure to state a claim.  See Santana v. Take-Two, 2017 U.S. App. LEXIS 23446 (2nd Cir., Nov. 21, 2017); McCollough v. Smarte Carte, Inc., 2016 U.S. Dist. LEXIS 110404 (N.D.Ill., Aug. 1, 2016).  While the decision is an initial victory in Illinois’ appellate courts for defendants facing a growing tide of BIPA lawsuits, the opinion leaves open the issue of whether an alleged invasion of a privacy right is sufficient to give rise to an actionable BIPA claim, and invites further litigation on that issue.

Illinois’ Biometric Information Privacy Act (“BIPA”), enacted in 2008, regulates the use of biometric information, defined as including “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” 740 ILCS 14/10.  BIPA requires persons collecting biometric information to obtain the subject’s informed consent prior to the collection, and must have a publicly-available retention policy for the information.  BIPA further prohibits the disclosure of biometric information without the subject’s consent, and prohibits the sale of biometric information under any circumstances. Finally, BIPA establishes standards regarding the security of biometric information while retained.  BIPA creates a private right of action for “any person aggrieved by a violation” of the Act. 740 ILCS 14/20. In any such action, the plaintiff may obtain injunctive relief, as well as either actual damages or statutory damages of $1,000 for any negligent violation of the Act, or $5,000 for any intentional violation of the act, as well as reasonable attorneys’ fees and costs. 740 ILCS 14/20.

In Rosenbach, Six Flags filed a motion to dismiss a class action claim under BIPA, arguing that the plaintiff failed to state a claim because she had not been “aggrieved” by any violation of the Act.  The subject class action was filed by a mother who had purchased a season pass for her son at a Six Flags amusement park.  In order to ensure that its customers were not sharing the pass among multiple persons, Six Flags required pass holders to scan their fingerprint when entering the park. The plaintiff alleged that Six Flags violated BIPA by failing to obtain her informed consent before taking her son’s fingerprint, and failing to have a publicly-available retention policy regarding the fingerprint data.  The trial court denied Six Flag’s motion, but certified two questions for an interlocutory appeal.  The first question asked whether a person is sufficiently “aggrieved” to seek statutory damages when the person alleges only a violation of BIPA’s notice and consent provisions. The second question asked whether the same allegations could give rise to a claim for injunctive relief, if not statutory damages.

The appellate court answered both questions in the negative, holding that a mere technical violation of BIPA’s notice and consent provisions is insufficient to give rise to an actionable claim under BIPA. The court based its analysis on traditional statutory construction rules.  The court explained that, for the word “aggrieved” to have any meaning, it had to distinguish between mere technical violations of the Act, and violations giving rise to an injury. If the legislature meant to create a right of action for any violation of the statute, then the word “aggrieved” was superfluous.  The court stated that the plaintiff must allege some corresponding injury in order for an alleged BIPA violation to be actionable, and that this analysis applied regardless of whether the plaintiff was seeking compensatory damages or merely injunctive relief.

While the decision is favorable for defendants, the appellate court left open the issue of whether the plaintiff can state a claim under BIPA by alleging an invasion of privacy, and we can expect further litigation on this issue. The appellate court was careful to note that the plaintiff alleged only that, had the disclosure been made, she would not have purchased the pass.  In a footnote, the court stated that the plaintiff had not alleged that she sustained any injury to a privacy right.  The court did distinguish a recent federal district court decision that found that an alleged invasion of privacy was sufficient to confer Article III standing, but on the grounds that the federal court failed to address the “aggrieved-person” requirement in the statute’s text.  See Monroy v. Shutterfly, 16-cv-10984 (N.D. Ill., Sept. 15,  2017).  The court further stated in its opinion that its decision was limited to the questions that had been certified for appeal, and declined to address any additional arguments asserted by the parties. Accordingly, the appellate court left open the issue of whether BIPA creates a privacy right in biometric information, due to the limited nature of the plaintiff’s allegations and the narrow framing of the certified questions by the trial court.  We can anticipate that the plaintiff’s bar will seize on this opening, and include alleged invasions of privacy in their BIPA complaints going forward.

In short, this battle favors defendants, but the war is far from over.       

Employment Law

J. Hayes Ryan

Employment Law