
No Harm, Still a Foul: Illinois Supreme Court Rules on the Collection of Biometric Data

Leaving its fingerprints all over the privacy debate, the Illinois Supreme Court handed down a ruling that will significantly impact litigation under the state’s unique Biometric Information Privacy Act (“BIPA” or “Act”), creating a potential boon for plaintiffs. In its January 25 opinion in Stacy Rosenbach v. Six Flags Entertainment Corp., the court unanimously sided with the plaintiff, ruling that actual harm is not a requirement to establish standing under BIPA. Specifically, the court addressed the threshold issue of who can be considered an “aggrieved” person under the Act, finding that a Six Flags season pass holder can claim that the theme park breached BIPA by collecting her son's thumbprint without prior consent, even though no consequential, real-world harm occurred from the data collection. In a roller coaster ride for defendant Six Flags Entertainment Corporation, the Illinois Supreme Court reversed the state appellate court’s December 2017 decision.

More than 100 businesses accused of violating BIPA have closely watched the case, and the ruling is likely to embolden plaintiffs’ attorneys to add to the over 200 BIPA cases brought in Illinois state courts. Many of these cases were stayed in anticipation of the Rosenbach decision.

BIPA requires companies that capture individuals' biometric information, including fingerprints, retina scans, or voice samples, to obtain written consent and disclose how they use, store, and destroy that data. Notably, it is the nation’s only biometric privacy law with a private right of action. The Rosenbach ruling increases exposure and risk for companies collecting biometric data for commercial and employment purposes, and may prompt companies to strengthen their disclosures or scale back their offerings to try to avoid statutory penalties of over $1,000 for each negligent violation and $5,000 per intentional or reckless violation. For more information on BIPA, see Mintz’s past blog: The Law of Unintended Consequences: BIPA and the Effects of the Illinois Class Action Epidemic on Employers.

BIPA cases are still far from a slam-dunk for plaintiffs’ attorneys, however, as many issues surrounding interpretation of BIPA remain unresolved. Although the Illinois Supreme Court has settled the meaning of an “aggrieved” party, future cases are likely to examine what constitutes a “biometric identifier,” whether a defendant’s business practices actually violate BIPA, the role of implied notice and consent in cases where employees voluntarily submitted their biometric information for purposes such as clocking in and out of work, class certification, and other legal issues. Additionally, federal BIPA suits will need to distinguish their cases from the Supreme Court’s 2016 ruling in Spokeo v. Robins, which held that plaintiffs cannot rely on mere statutory violations but must allege a concrete harm to establish Article III standing. The Rosenbach ruling also sets up a potential conflict with the Seventh Circuit’s holdings that the term “aggrieved” requires a cognizable injury.

The ruling may also set up a clash between businesses and privacy advocates on the legislative front, with businesses urging legislators to amend the law to reduce liability risk. As the first, and arguably most stringent, state biometric privacy law, BIPA has served as a model for states looking to pass similar laws in the future. To date, Texas and Washington have enacted biometric privacy laws, but BIPA’s statutory damages provision stands alone – so far. Judicial interpretations and legislative actions surrounding BIPA could come to impact businesses with a far broader footprint than just the state of Illinois. Businesses that collect and use biometric data for employment and commercial purposes must follow BIPA, and associated judicial and legislative developments, closely.

For questions regarding this or any other privacy-related issues, contact a member of the Mintz Privacy Team.



Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.