In this age of face recognition, digital fingerprints, and iris scans, what allegations and proof of damages is sufficient to state a claim for the mishandling of biometric identifiers? Must the aggrieved party have suffered any actual damages beyond the improper collection, retention or disclosure of his biometric identifiers themselves?
In Stacy Rosenbach, as Mother and Next Friend of Alexander Rosenbach v. Six Flags Entertainment Corporation, 2019 IL 123186, the plaintiff alleged violations under Illinois’ Biometric Information Privacy Act (740 ILCS 14/1 et seq. (2016)). The Act imposes restrictions on how private entities collect, retain, disclose, and destroy biometric identifiers, such as retina or iris scans, fingerprints, voiceprints, scans of hand or face geometry, or other biometric information. Under the Act, any person “aggrieved” by a violation of its provisions “shall have a right of action… against an offending party” and “may recover for such violation” the greater of liquidated or actual damages, reasonable attorney fees and costs, and any other relief, including an injunction, that the court deems appropriate. The issue in this particular case was whether a person qualifies as an “aggrieved” person and may seek liquidated damages and injunctive relief pursuant to the Act if he has not alleged some actual injury or adverse effect, beyond violation of his rights under the statute. The First District Court of Appeals answered this question in the negative, holding a plaintiff who alleges only a technical violation of the statute without alleging some injury or adverse effect is not an aggrieved person under the Act.
Since at least 2014 defendant Six Flags has used a fingerprinting process when issuing season passes to its Great America theme park. Plaintiff alleged the system scans pass holders’ fingerprints; collects, records and stores biometric identifiers and information gleaned from the fingerprints; and then stores that data in order to quickly verify customer identities upon subsequent visits to the park.
Plaintiff’s 14 year old son was to visit the park on a school field trip in May or June 2014, and plaintiff purchased a season pass for him online. When he arrived at the park with his class, he had to complete the season pass sign-up process, which included scanning his thumb into defendant’s biometric data capture system. The complaint alleged that plaintiff was not informed in advance that the minor’s fingerprints were to be used as part of defendant’s season pass system and that neither the minor son nor his mother were informed in writing of the purpose or length of term for which his fingerprint had been collected. Neither of them signed any release or written consent for the collection, storage, use, dissemination, disclosure, or trade of the fingerprint or the associated biometric information. The complaint also alleged that, although the minor child has not visited the park since that school field trip, defendant has retained his biometric identifiers and information and has not disclosed what was done with the information or how long it will be kept.
Plaintiff’s complaint sought redress for the minor child, individually and on behalf of all other similarly situated persons under the Act. The defendant moved to dismiss on the basis that the plaintiff had suffered no actual or threatened injury and something more than just a violation of the Act must be alleged to state a claim. The Appellate Court for the First District agreed with defendant and held that while the injury or adverse effect alleged need not be pecuniary, it must be something more than a technical violation of the Act. 2017 IL App (2d) 170317.
The Illinois Supreme Court reversed upon de novo review. Basic principles of statutory construction dictate that if the legislature had wanted to impose a requirement limiting a plaintiff’s right to bring a cause of action to circumstances where he or she had sustained some actual damages, beyond violation of the rights conferred by the statute, it could have made its intention clear. The Act contains no such requirement. It simply provides that any person aggrieved by a violation of the Act shall have a right of action. While the Act does not define “aggrieved”, the state Supreme Court more than a century ago held that to be aggrieved simply “means having a substantial grievance; a denial of some personal or property right.” Glos v. People, 259 Ill. 332, 340 (1913). As held in Glos, “[a] person is prejudiced or aggrieved, in the legal sense, when a legal right is invaded by the act complained of or his pecuniary interest is directly affected by the decree or judgment.” Id. This is consistent, the court noted, with the dictionary definition of “aggrieved”, which includes definitions such as “suffering from an infringement or denial of legal rights” or “having legal rights that are adversely affected.”
The Court concluded that when a private entity fails to comply with one of the Act’s requirements, that violation alone constitutes an invasion, impairment, or denial of the statutory rights of any person or customer whose biometric identifier or biometric information is subject to the breach. Such person or customer is clearly “aggrieved” within the meaning of the Act and is entitled to seek recovery under that provision with no need to plead or prove additional consequences. A contrary result would misapprehend the nature of the harm the legislature is attempting to mitigate through this legislation. “The Act vests in individuals and customers the right to control their biometric information by requiring notice before collection and giving them the power to say no by withholding consent.” When an entity violates the statutory procedures, such as what the defendant is alleged to have done here, the individual loses his right to maintain his biometric privacy, which is the precise harm the legislature sought to prevent by passing the Act in the first instance. “The injury is real and significant.”
This opinion creates a strong incentive for private entities, which might include not only theme parks but financial institutions, recreational facilities or health clubs, employers, etc., to conform to the law and prevent problems before they occur and cannot be undone.