INSIGHT: Six Flags Fingerprint Privacy Case Puts Illinois Biometric Law to Test

More companies are collecting “biometric” information from employees and consumers to provide services that are authorized through the use of facial recognition technology and fingerprint scans. A few state laws regulate the collection and use of such data, but should a company be held liable for mere collection if there is no actual harm from improper use? Six Flags is fighting a lawsuit on the issue before the Illinois Supreme Court and the upcoming decision could impact privacy laws in other states. Hunton Andrews Kurth partners Torsten Kracht and Lisa Sotto and associate Bennett Sooy examine the potential impact of the upcoming ruling.

Laws in several states regulate the collection, use and storage of fingerprints, face and voice identifiers, retina scans, and other “biometric” information. But all eyes are on one case before the Illinois Supreme Court that could dictate the course of future legislation when the court decides if someone must actually be harmed by the capture of biometric information in order to sustain a lawsuit.

The Illinois Biometric Information Protection Act (BIPA) is currently the most important statute in the U.S. concerning the collection and use of biometric data. BIPA makes it unlawful for private entities to collect, store, or use biometric data without first providing notice and obtaining express consent. Many putative class actions have been filed under the law in recent years, both inside and outside of Illinois, due to BIPA’s private right of action and per-violation statutory penalties of $1,000 or more.

To date, courts applying BIPA have been proceeding without a definitive interpretation by the Illinois Supreme Court of the nature of the harm required to demonstrate a violation of the statute. The court is set to answer the question of whether persons “aggrieved” by a violation of the statute must allege that they suffered actual harm, or if a technical violation of the statute is sufficient to establish standing. What the court decides has the potential to spur an increase in biometric litigation or render BIPA toothless.

The court heard oral argument on Nov. 20 in Stacy Rosenbach v. Six Flags Entertainment Corp., No. 123186 (Ill.). The plaintiff in the case has asserted a claim based on a technical violation of the statute: her teen son’s fingerprint scan was collected by the amusement park to access a season pass, but the park failed to comply with the notice and consent requirements of BIPA.

The defendants pressed the point that interpreting BIPA to allow for private enforcement of technical violations has opened the floodgates to “no-injury lawsuits,” and argued that, while a company that fails to comply with BIPA’s notice-and-consent requirements is liable if the information it collects is compromised or misused in violation of the law, collection alone fails to trigger liability.

During oral argument, several justices appeared to side with the plaintiff, citing collection of biometric data itself without notice and consent as a potential “irreparable harm” and noting that the purpose of the statute was to prevent actual harm from occurring in the first place. The court is expected to render a decision within the next few months.

Interestingly, BIPA originally was enacted in response to a situation that presents a cloudy issue as to actual versus potential harm. When Pay By Touch, a biometrics firm that supplied fingerprint scanners to Illinois retailers, faced bankruptcy in 2007, the company considered selling to the highest bidder its database of fingerprints collected by the scanners. The Illinois chapter of the American Civil Liberties Union used the opportunity to draft BIPA, which was passed by the Illinois legislature the next year.

While some may consider it troubling for a business to sell a person’s biometric information that was collected without notice to or consent of the individual, does such action constitute actual harm? Most courts to date have interpreted BIPA as vesting in Illinois residents the right to control their biometric information by requiring notice before collection and providing residents with the ability to withhold consent.

There are some courts, however, that have required a showing of actual harm for litigants to have standing to bring a claim under BIPA, and consequently rejected lawsuits based on technical violations. A decision by the Illinois Supreme Court holding that a plaintiff has standing to enforce BIPA based only on a technical violation of the statute would further energize litigation regarding the collection and use of biometric data.

Although Texas and Washington also have laws governing the collection and use of biometric identifiers, those laws do not allow for private actions. BIPA has been the main vehicle for biometrics-related lawsuits (especially class actions) due to its private right of action and steep statutory penalties.

BIPA is likely to remain the relevant benchmark for legislation controlling the collection and use of biometric information as efforts to pass a bill at the federal level thus far have been unsuccessful.

At the federal level, the House of Representatives introduced the Biometric Information Privacy Act (H.B. 4381) in 2014. The bill would have required entities to obtain permission before sharing biometric data. No action was taken on this bill.

Additionally, the Secure and Protect Americans’ Data Act (SPADA) and the Data Accountability and Trust Act (DATA) both included biometric data as a protected category of personal information requiring notice. No action has been taken on either bill since they were proposed in 2017.

In the Senate, the Customer Online Notification for Stopping Edge-provider Network Transgressions Act (CONSENT Act) and the Social Media Privacy Protection and Consumer Rights Act (SMPPCR Act), both proposed in 2018, cover biometric information. No action has been taken on either bill.

BIPA, and Illinois, have been at the forefront of biometric data litigation. The Rosenbach v. Six Flags decision will determine the next leg of the journey.

Author Information

Torsten Kracht is a partner at Hunton Andrews Kurth in the firm’s Washington, D.C., and New York offices. He represents clients from the U.S. and abroad in complex commercial litigation and arbitration.

Lisa Soto is the managing partner of the firm’s New York office and chair of its global privacy and cybersecurity practice.

Bennett Sooy is a litigation associate at the firm in the Washington, D.C., office.

The authors are grateful to Akiyah Francis, a 2018 summer associate in Washington and a third-year law student at Washington University in St. Louis School of Law, for her valuable research and contributions.