Scanning…Scanning…: Illinois Supreme Court Finds Plaintiffs are Not Required to Show Harm Under Biometric Data Privacy Act
In Illinois, the state’s Supreme Court just issued a significant ruling regarding the state’s biometric information privacy act, holding that a plaintiff need not prove actual harm from improperly collected biometric data.
As a refresher, there has been an effort in the past several years to put in place greater data privacy protections, with the most recent comprehensive legislation being the European Union’s GDPR (Congress is also expected to consider a similar but less comprehensive bill — the Data Care Act of 2018 — this legislative session). As part of this larger initiative, a few states — Illinois, Washington, and our own Texas — have passed statutes specifically protecting biometric information. These laws establish legal requirements for entities that gather and store a person’s biometric data (fingerprints, handprints, retinal data, facial scans, etc.). Legislatures in a number of other states — Alaska, California, Connecticut, Idaho, Massachusetts, Montana, New Hampshire, and New York — have considered (but have not passed) biometric privacy statutes. For more on this subject, please read our blog post from last year.
One of the challenges these statutes have faced are claims that plaintiffs cannot bring suit under them unless they can demonstrate that the company’s improper collection or mishandling of their biometric data caused them actual, tangible harm. And in Rosenbach v. Six Flags Entertainment Corp., we got some clarity on this issue (in Illinois at least). In Rosenbach, a customer of a Six Flags theme park in Illinois had his fingerprint collected in violation of the statute, but had not yet suffered any negative consequences. In ruling that actual harm was not necessary, the court reasoned that to require a plaintiff to demonstrate compensable injury “would be completely antithetical to the act’s preventative and deterrent purposes.” Ultimately, the court deemed the plaintiff’s loss of the right to maintain his biometric privacy sufficient harm.
This ruling removes a major obstacle for plaintiffs in bringing these types of statutory or merely technical violations of the Illinois statute. It will certainly lead to more litigation, especially considering the statute provides that prevailing parties are entitled to a statutory penalty of $1,000 per negligent violation and attorneys’ fees and costs. Given this ruling, employers in those states that have enacted biometric privacy statutes who are considering implementing policies or systems which collect and store employee or customer biometric data — such as new time tracking or on-site access systems — should carefully consider whether any such system complies with their state’s laws.
Subscribe to Managing the Modern Workplace to receive weekly email updates.