The Illinois Supreme Court recently ruled that an individual does not need to allege or prove actual injury or adverse effect, beyond mere violation of his or her rights, in order to qualify as an "aggrieved" person and be entitled to seek damages pursuant to the Illinois Biometric Information Privacy Act ("BIPA").
The BIPA, enacted in 2008, regulates "the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information", including fingerprints and facial recognition model.
The BIPA imposes several obligations on entities collecting, retaining, and disclosing biometric data, including the need to inform the individual or the individual's representative in writing that biometric data is being collected or stored and the purpose and length of term of collection, storage and use of the biometric data. As part of the BIPA's enforcement mechanism, "aggrieved" parties are granted a private right of action and entitled to damages.
In the current case law, the plaintiff claimed that Six Flags, a regional theme park, collected her son's biometric data during a school visit without obtaining prior written active consent or parental notification. Six Flags sought to dismiss the action by arguing that in order to bring a claim as an "aggrieved" party under the statute, the plaintiff was required to allege actual injury or harm beyond the statutory violation.
The Illinois Supreme Court unanimously found that the term "aggrieved" does not require an allegation of actual harm beyond a violation of the rights conferred by the BIPA, since the entity's violation of the BIPA, "the right of the individual to maintain [his or] her biometric privacy vanishes into thin air . . ." constitutes an injury that is "real and significant."
This ruling demonstrates the importance of strict compliance with the BIPA, in light of the liability to which companies might be subject, ranging from $1,000 to $5,000 per violation.
We would be happy to provide advice and recommendations concerning compliance with collection and usage of biometric data and other sensitive information.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.