Illinois Supreme Court decision maintains critical enforcement power of Illinois’ unique biometric privacy law

Media Contacts
Abe Scarr

State Director, Illinois PIRG; Energy and Utilities Program Director, PIRG

Illinois PIRG Education Fund

This morning, the Illinois Supreme Court reversed and remanded an appellate court decision in Rosenbach v. Six Flags, affirming citizens’ ability to enforce the unique Illinois Biometric Information Privacy Act (BIPA) when entities collect individuals’ biometric information without first acquiring informed consent. Illinois PIRG Education Fund filed an amicus brief in the case arguing for reversal and remand, along with the American Civil Liberties Union, the ACLU of Illinois, the Center for Democracy & Technology, the Chicago Alliance Against Sexual Exploitation, the Electronic Frontier Foundation, and Lucy Parsons Labs.

“Biometric information is uniquely sensitive. You can cancel your credit card but you cannot cancel your face,” said Abraham Scarr, director of Illinois PIRG Education Fund. “Illinois’ biometric privacy law is unique in part because it gives individuals the power to enforce the law when their rights have been violated. We applaud the Illinois Supreme Court for reaffirming consumers’ ability to effectively defend their rights.”

In Rosenbach, Six Flags collected biometric data from the plaintiff’s son when he purchased a season pass to Great America. Six Flags did not give notice or obtain consent as required by BIPA. The mother sued in Lake County Circuit Court on behalf of her son and others from whom Six Flags gathered biometric data. But an appellate court held that the plaintiff was not “aggrieved,” because she and her son alleged only a “technical violation” of BIPA and did not suffer any “actual harm.” On appeal, the Illinois Supreme Court found this decision to be in error.

The Court adopted arguments made in the advocates’ brief, concerning the importance of citizen enforcement through a private right of action:

The second of these two aspects of the law is as integral to implementation of the legislature’s objectives as the first. Other than the private right of action authorized in section 20 of the Act, no other enforcement mechanism is available. It is clear that the legislature intended for this provision to have substantial force. When private entities face liability for failure to comply with the law’s requirements without requiring affected individuals or customers to show some injury beyond violation of their statutory rights, those entities have the strongest possible incentive to conform to the law and prevent problems before they occur and cannot be undone. Compliance should not be difficult; whatever expenses a business might incur to meet the law’s requirements are likely to be insignificant compared to the substantial and irreversible harm that could result if biometric identifiers and information are not properly safeguarded; and the public welfare, security, and safety will be advanced. That is the point of the law. To require individuals to wait until they have sustained some compensable injury beyond violation of their statutory rights before they may seek recourse, as defendants urge, would be completely antithetical to the Act’s preventative and deterrent purposes.

The decision is a victory for consumers across Illinois over Facebook and other tech giants, who argue in courts that consumers do not face “harm” from privacy violations and have pushed legislation in recent years to undermine the Illinois law. Consumer and privacy advocates such as Illinois PIRG Education Fund continue to defend BIPA in the courts and in the Illinois General Assembly. Illinois PIRG Education Fund’s national staff is fighting Congressional efforts by Facebook and others to enact a national law that would permanently preempt any existing or prevent any future state actions on data protection.