ILLINOIS SUPREME COURT OPENS THE FLOODGATES TO “NO-INJURY” BIPA LAWSUITS
Illinois lawmakers enacted the Biometric Information Privacy Act (BIPA) in 2008, which provides a private right of action for those whose biometric information is collected, used, sold, disseminated or stored in a manner that does not fully comply with the state law. This made businesses vulnerable to massive potential liability in Illinois. Just since January 2018, more than 250 lawsuits have been filed.
BIPA requires companies to inform an individual in writing and receive a written release prior to taking or retaining his or her biometric data. If a company fails to follow this procedure or meet other requirements, then any “aggrieved” person can seek the greater of $1,000 or actual damages for each negligent violation, and the greater of $5,000 or actual damages for each violation they allege was recklessly or intentionally committed.
Following BIPA’s enactment, class action trial lawyers immediately sought to cash in by targeting businesses that use iris scans, fingerprints and facial recognition data that are used increasingly to keep physical workplaces and sophisticated communications and cyber systems safe. These lawsuits do not allege any harm from collection of the information (which is encrypted) but seek substantial civil penalties along with attorney’s fees and litigation costs.
In January 2019, the Illinois Supreme Court issued its long-awaited decision in Rosenbach v. Six Flags Entertainment. The court found that a plaintiff does not need to have suffered actual harm to maintain and win a lawsuit filed under BIPA. This liability-expanding decision immediately led to a flurry of BIPA class action filings.
In Rosenbach, the plaintiff sued the amusement park company for BIPA violations after the park collected and stored his son’s fingerprints when they purchased a season pass so that they could easily enter and reenter the park. In a unanimous decision, the Court held that the mere violation of the statute was sufficient, meaning that a plaintiff only needs to show that a company took and stored biometric information without following the law’s consent and disclosure rules.
Following the Rosenbach decision, BIPA lawsuits against Walmart and Whole Foods were filed by their employees. Employees in both suits allege that the employer improperly collected and stored employee fingerprint data. It is common practice for employers to collect this data when employees “clock-in,” to keep track of hours worked. Plaintiffs simply allege that that they weren’t properly notified by the company before their fingerprints or handprints were scanned. They do not allege real world harm – i.e. the companies disclosed, profited from, or failed to secure the information.
Recently, the U.S. Court of Appeals for the Ninth Circuit made a similar ruling against Facebook, handing plaintiffs’ lawyers a big win. A three-judge panel ruled in August 2019 that three lawsuits using BIPA to target Facebook’s photo tagging tool could move forward as a consolidated class action, despite class members not suffering any actual harm. The risk of future harm, the Ninth Circuit found, was sufficient to provide the plaintiffs with standing to proceed in federal court.
The Illinois Supreme Court and Ninth Circuit rulings open the door to even more aggressive no-injury class actions and may discourage development and use of innovative technology.
For additional information about the growing liability concerns around BIPA and data privacy, see the “Closer Look” section later in the report.