Today the Illinois Supreme Court issued the much-anticipated Rosenbach ruling regarding the Illinois Biometric Information Privacy Act (“BIPA”/ “Act”) reversing the trial Court’s dismissal of the complaint for failing to state an injury under the BIPA. The Illinois Supreme Court found that “an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated and injunctive relief pursuant to the Act. Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (2019).
Averring that the injury from a violation of the BIPA is “real and significant” and not merely technical as stated by the lower court, the Court addressed concerns with the unknown ramifications of biometric technology. Id. at 12. The court noted that the General Assembly was trying “to head off such problems before they occur” through safeguards to insure privacy rights are honored and protected before they can be compromised and substantial potential liability, including liquidated damages, injunctive, attorney fees and litigation expenses for each violation of the law whether or not actual damages can be shown. Id. The Court declared that the provision was intended by the legislature to have “substantial force”. Id.
What is the impact? We now know that the BIPA has teeth, and Plaintiffs’ bar stands at the ready to use its teeth against all private entities in Illinois that are using biometric information and identifiers without policies and consents in place. As for the additional allegations of privacy rights and mental anguish made in recent BIPA lawsuits, we can probably expect those to go by the wayside as the court has drawn the line in the sand and such additional allegations are now unnecessary to withstand a motion to dismiss. We can expect an uptick in BIPA filings, and quite possibly quicker settlements by defendants that have violated the BIPA.
What do you need to do now? If you are a private entity that collects biometric identifiers or information from an employee or person in Illinois, you should have a written policy in place and a written consent from each individual from whom the information is collected. Specifically, the policy and consent should: (1) inform that biometric information is being collected or stored; (2) state the purpose and length of time the information is being collected, stored and used; (3) obtain a written release executed by the individual. You also need to revisit your retention and destruction policies to make sure they comply with the Act. If you don’t yet have these written policies and procedures in place, we can help. Jamie Filipovic at firstname.lastname@example.org is our resident BIPA expert and can provide you with any assistance you may need.
By: Jamie L. Filipovic