Rosenbach v. Six Flags
Reversed and remanded – Six Flags allegedly collected plaintiff’s son’s thumbprint as part of a season-pass purchase – a thumbprint to be used for park entry. Plaintiff claimed that at no point was she informed biometrics would be required for the season pass, and that neither she nor her son was provided with the Six Flags policies on the use, retention, security, or deletion of biometric information. Plaintiff further alleged that neither she nor her son provided written consent for the collection, use, and storage of her son’s thumbprint.
A Lake County court denied (in part) a motion to dismiss and certified a question to the Illinois Appellate Court (2nd Dist; 2-17-0317) as to whether plaintiff was ‘aggrieved’ under BIPA. The appellate court ruled that a bare technical violation of BIPA – absent ‘injury or adverse effect’ – was insufficient to render plaintiff ‘aggrieved.’ Thus, plaintiff was entitled to neither statutory damages nor injunctive relief.
The Illinois Supreme Court disagreed, finding the denial or infringement of a legal right was sufficient to leave one ‘aggrieved’ (as the term is commonly understood). “When a private entity fails to adhere to the statutory procedures, as defendants are alleged to have done here, the right of the individual to maintain [his or] her biometric privacy vanishes into thin air. The precise harm the Illinois legislature sought to prevent is then realized. This is no mere technicality. The injury is real and significant.” (emphasis added, citation omitted)
Thus, plaintiffs need not plead and prove that they sustained some actual injury; a violation of the rights afforded under BIPA is sufficient. The appellate court decision was reversed, and the case remanded with the ‘corrected’ answer to the certified question.
[Supreme Court of Illinois; 123186]
jbho: will this be the case that gets SCOTUS to reconsider Spokeo? Six Flags may still prevail on the merits, but with the standing bar cleared, we’re likely to see a lot more cases like this.
Certainly will make things more interesting in In re Facebook Biometric Litigation (N.D. CA; 3:15-cv-03747), where Facebook was leaning heavily on this case as part of its defense.
In fact, the court here referenced that case, and essentially validated the Ninth Circuit’s chastising of Facebook for its reliance on this case.
The court’s logic seems to focus on the fact that once biometrics are compromised, there is no way back. An individual is at heightened risk for identity theft or impersonation – on a physical level – and the full ramifications to an individual due to compromised biometrics are not fully known. This is why I am opposed to the use of biometrics in authentication. The harms simply outweigh the benefits. It’s not better security, it’s just easy/lazy security that shifts the bulk of the risks onto the individual.
So in the absence of regulatory guidance, if you must use biometrics, it may be worth considering the following:
• Provide clear and conspicuous notice of the collection, purpose of use, and potential disclosures of information that might be considered ‘biometric’
— cover in both your user agreement and privacy policy
• Obtain a ‘just-in-time’ express consent of the individual
• Provide clear and conspicuous notice of opt-out procedures / how to submit a deletion request
• Specify your retention and destruction practices
For the record, the statute can be read here:
http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57
Remember that BIPA provides for statutory damages of $1,000 per violation ($5,000 per intentional or reckless violation). AFAIK, no court has interpreted the meaning of ‘per violation,’ but class actions under BIPA usually seek damages on a ‘per individual’ basis.