Illinois Supreme Court Weighs In on Biometric Information
In a previous post, “How Collecting Biometric Information Can Lead to Litigation,” I wrote about the Illinois Biometric Privacy Act (BIPA)—one of three statutory schemes in the US currently which regulate the collection and use of biometric information and the only scheme that creates a private right of action for aggrieved individuals. I also noted that Illinois courts were split on whether a “mere” violation of BIPA was sufficient to give rise to a viable claim. That split has now been resolved by the Illinois Supreme Court in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Jan. 25, 2019).
Rosenbach is a class action brought by the mother of a teenager who visited an amusement park on a class trip. When he arrived at the park, the teenager completed a sign-up process that included scanning his thumbprint. This led to the class action, described by the Supreme Court as follows:
“The complaint alleges that this was the first time Rosenbach learned that Alexander’s fingerprints were used as part of defendants’ season pass system. Neither Alexander, who was a minor, nor Rosenbach, his mother, were informed in writing or in any other way of the specific purpose and length of term for which his fingerprint had been collected. Neither of them signed any written release regarding taking of the fingerprint, and neither of them consented in writing ‘to the collection, storage, use sale, lease, dissemination, disclosure, redisclosure, or trade of, or for [defendants] to otherwise profit from, Alexander’s thumbprint or associated biometric identifiers or information.’”The plaintiff sought damages and injunctive relief under BIPA on behalf of her son and all “similarly situated persons” for the alleged failure of the defendants to comply with various provisions of the statute.
An intermediate appellate court had dismissed the complaint, having concluded that:
“a plaintiff is not ‘aggrieved’ within the meaning of the Act and may not pursue either damages or injunctive relief under the Act based solely on a defendant’s violation of the statute. Additional injury or adverse effect must be alleged. The injury or adverse effect need not be pecuniary, the appellate court held, but it must be more than a ‘technical violation of the Act.’”Another appellate court had reached the opposite conclusion.
The Supreme Court reversed:
“In sum, defendants’ contention that redress under the Act should be limited to those who can plead and prove that they sustained some actual injury or damage beyond infringement of the rights afforded them under the law would require that we disregard the commonly understood and accepted meaning of the term ‘aggrieved,’ depart from the plain and, we believe, unambiguous language of the law, read into the statute conditions or limitations the legislature did not express, and interpret the law in a way that is inconsistent with the objectives and purposes the legislature sought to achieve. That, of course, is something we may not and will not do.”What might this mean for healthcare providers or other entities that collect biometric information? First, note that BIPA excludes from the definition of “biometric identifiers” the following:
“information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996. Biometric identifiers do not include an X-ray, roentgen process, computed tomography, MRI, PET scan, mammography, or other image or film of the human anatomy used to diagnose, prognose, or treat an illness or other medical condition or to further validate scientific testing or screening.”That exclusion may protect healthcare providers from exposure under BIPA for HIPAA-related conduct. However, it leaves those providers subject to possible exposure under BIPA for non-HIPAA-related conduct, just as it does for any entities which collect and use biometric information. Moreover, bear in mind that what the Illinois Supreme Court did was to interpret a statute. There may be attempts to amend BIPA and tighten its language and reach. But, in any event, Rosenbach is likely to lead to more litigation for alleged violations of BIPA.
**Editor’s Note: The views expressed in this column are those of the author alone and should not be interpreted otherwise or as legal advice.
[author] [author_image timthumb='on']/Portals/0/uploads/content_hub/Rons-Headshot.png[/author_image] [author_info] Ron Hedges, JD, is a former US Magistrate Judge in the District of New Jersey and is a writer, lecturer, and consultant on topics related to, among other things, electronic information. He is a Senior Counsel with Dentons US LLP. [/author_info] [/author]