No Actual Damages Needed to Assert a Claim Under the Biometric Information Privacy Act: Rosenbach v. Six Flags Entertainment Corp.

Businesses should heed caution when collecting, storing or otherwise using commercial biometric data. Biometric data can provide efficiency and convenience to a business, such as with respect to its security procedures and operations, as well as with its products and services by collecting biometric information of its consumers and employees. Biometric information includes fingerprints, face recognition, voice recognition, and the implantation of microchips. Various industries have contemplated, or even implemented, such technology to allow consumers to gain access to their products and services, make payments or verify the consumer’s identity. For example, as seen in the case described below, an amusement park used fingerprints to allow a season pass holder to gain access to the theme park; or, a business may use voice recognition for employee access and data security. However, litigation may become more prevalent in this area due to a recent decision with respect to the Illinois Biometric Information Privacy Act (“BIPA”).

In an Opinion filed January 25, 2019, the Illinois Supreme Court held in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Jan 25, 2019), that an individual need not allege actual damages or an adverse effect, beyond violation of his or her rights under the Illinois Biometric Privacy Act, in order to qualify as an “aggrieved” person to be entitled to seek relief under BIPA. The plaintiff in Rosenbach – a mother alleging injuries on behalf of her son – filed suit against Six Flags after learning that the defendant collected fingerprints from her son in order to process and maintain his season pass to the theme park. The plaintiff alleged that the collection and storage of such biometric data without giving notification as to the specific purpose and length of term for which the fingerprints were being collected violated BIPA. The plaintiff also asserted that failure of the defendant to obtain the plaintiff’s or her son’s consent violated BIPA. The plaintiff did not show that any actual damages occurred from the alleged violations of BIPA. The Illinois Supreme Court’s holding reverses the Illinois state appellate court’s prior decision which held that it was insufficient for the plaintiff to confer standing to sue under BIPA without showing actual injury.

Currently, Illinois, Texas and Washington have enacting laws imposing distinctive requirements for the collection, storage and use of biometric data. It can be anticipated that more states will also start to address biometric privacy issues as well. As a takeaway from Rosenbach v. Six Flags Entertainment Corp., companies should review their collection and use policies with respect to biometric information. In addition, businesses using such information should review their insurance policies to determine coverage, especially if the insurance company has a claim that the collection or use of such information violated applicable law.