For the last decade, Illinois has had the nation’s most rigorous law protecting citizens’ biometric privacy information. It’s also a heavily litigated piece of legislation that’s pulled high-profile companies like Google and Facebook into class action lawsuits. Now, Six Flags is contesting a suit that threatens to totally defang the statute.
This browser does not support the video element.
The Biometric Information Privacy Act (BIPA), passed by Illinois lawmakers in 2008, stipulates that a company doing business in the state must obtain explicit written consent from an individual before collecting their biometric identifiers, such as fingerprints. Penalties are set at a $1,000 fine per violation, and $5,000 per violation if an offending company is found to be violating the statute either intentionally or recklessly. The problem is, the state doesn’t prosecute BIPA violations, it only grants individuals the right to sue. Six Flags is trying to make that very difficult.
The case revolves around the question of whether a company can be held liable for violating BIPA if a plaintiff is unable to demonstrate “harm.” Stacy Rosenbach claims that the theme park fingerprinted her 14-year-old son when he was picking up a season pass to the park on a group trip. Rosenbach says she did not give permission for the company to collect and store her son’s fingerprints. Six Flags argues that for Rosenbach to qualify as a “person aggrieved,” she must demonstrate that the collection of her son’s identifiable biometric information resulted in some type of injury.
The Illinois Supreme Court held appellate hearings on the case last week, and according to Law360, at least three of the seven justices hearing the case were skeptical of the arguments made by attorneys representing Six Flags. The initial trial court rejected Six Flags’ argument, but it certified two questions for appeal that revolve around the definition of “aggrieved.” Last December, the Second District Appellate Court agreed with Six Flags, and now the case is in the hands of the states’ highest court. What’s at stake is a legal definition that could affect a similar pending lawsuit against Facebook that could potentially result in billions of dollars worth of fines.
According to Law360's account of last week’s proceedings, Justice Anne Burke told Six Flags’ attorneys that their argument does not consider the initial violation of the statute. “How does one challenge that, if that isn’t harm,” Justice Burke asked. “There’s no opportunity for the guardian to say no or [be] given the information of what they could do.”
Six Flags and business interests that support its argument are looking to narrowly define BIPA as a statute that could be acted on in a case in which, for example, a company collected fingerprint information and suffered a data breach or accidentally posted that information publicly.
Violating BIPA’s consent and disclosure requirements is one thing, but “it is a separate legal question” of whether an individual is aggrieved by that violation, [Six Flags Attorney Kathleen] O’Sullivan argued. And just because Illinois lawmakers enacted BIPA out of concern for biometric data that had previously been compromised, it “did not mean the Legislature intended to create a private right of action for someone whose biometric data has not been compromised at all,” she argued.
But it is “too late to wait” for the compromise to happen once a person’s biometrics have been collected without their informed consent because at that point, “they can’t do anything about it,” Justice Burke countered.
“They may never know, and you can’t get your fingerprints back. It’s irreparable harm,” she said.
Rosenbach’s attorney Phillip Bock pointed to Illinois’ AIDS Confidentiality Act as another statute that could be affected by the court’s decision. That law requires informed consent from an individual before an entity tests their blood for HIV, and it is likewise only enforceable through private suits. Bock told the court that it “doesn’t make any sense to say ‘aggrieved’ means this statute, or that statute, can’t be enforced when the defendant does exactly what is prohibited.”
Six Flags didn’t immediately respond to a request for comment on this story.
In an amicus brief, the ACLU, Electronic Frontier Foundation, and other groups that fight for privacy rights argued that the absence of enforcement powers for the Illinois Attorney General coupled with mandated statutory damages and the ability to recoup attorney’s fees indicates “the Illinois legislature’s intent to create a robust enforcement regime that relies on private litigants to ensure compliance with BIPA’s requirements of notice and informed consent.” The groups argued that adopting Six Flags’ reading of BIPA “would effectively gut the statute’s primary purpose and leave Illinoisans without meaningful recourse in a world of rapidly advancing technology and proliferating uses of biometric information.”
The case also brings up the more abstract question of whether violating someone’s legal expectation of privacy is a form of harm unto itself. Nothing like this case falls under the four main types of invasion of privacy claims considered under law, but we’re dealing with new, untested issues, and few states even have laws protecting this kind of personal information. It’s an early test case on how privacy legislation in the era of biometrics and massive data collection will need to be written if the intent is to work as a preventative measure.