Analysis The Illinois Supreme Court on Friday ruled a family's lawsuit that claims downmarket-Disneyland Six Flags broke the US state's Biometric Privacy Act can proceed.
The decision reverses an earlier appellate court ruling that threw out the legal action on the basis the plaintiffs did not allege any specific harm.
The supreme court ruling [PDF], hailed by consumer and privacy advocacy groups and condemned by industry trade groups, has major implications for privacy claims in Illinois, and perhaps for future state and federal privacy regulation across America.
The law requires companies that want to collect biometric data have to obtain informed opt-in consent. It recognizes that a biometric privacy violation is actionable under the law even in the absence of harm following from the violation, like identity theft.
The court ruling bodes ill for companies like Facebook and Google that have been sued under the state law and have been lobbying for years to undo it. A bill backed by industry groups that consider the law commercially damaging is being considered by the Illinois legislature. If passed, it will limit the law's privacy protections.
The Biometric Privacy Act, enacted in 2008, is considered to be one of the strongest privacy laws in the US because it allows private individuals to bring claims to protect their privacy. Other privacy laws restrict the right to sue to government authorities.
Hands off my kid's fingers!
The case, Rosenbach v. Six Flags Entertainment Corp, was brought by Stacy Rosenbach, the mother of 14-year-old Alexander, who alleged that the theme park's collection of her son's fingerprint data was done without written consent or the data handling disclosures required under the law.
Six Flags challenged the family's lawsuit on the grounds that the family had not alleged any actual harm, something that's difficult to prove with privacy cases, and a state appellate court agreed.
However, the Illinois Supreme Court overturned that decision, stating that the Biometric Privacy Act was written to address "risks posed by the growing use of biometrics by businesses and the difficulty in providing meaningful recourse once a person’s biometric identifiers or biometric information has been compromised."
No, you can't have a warrant to force a big bunch of people to unlock their phones by fingerprint, face scansREAD MORE
"Contrary to the appellate court's view, an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an 'aggrieved' person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act," the court concluded.
In December, a judge in Chicago, Illinois, dismissed a 2016 claim against Google over facial data collection in Google Photos because the plaintiff didn't suffer "concrete injuries." It's unclear whether today's ruling will lead to the resurrection of that claim. Facebook is currently facing a class action lawsuit in the state over its use of facial recognition technology.
The Biometric Privacy Act's rationale for holding companies to a higher standard of protection for biometric data than for personal information like social security numbers is that biometric data cannot be easily changed.
"Biometric information is uniquely sensitive," said Abraham Scarr, director of Illinois PIRG Education Fund, in a statement.
"You can cancel your credit card but you cannot cancel your face. Illinois’ biometric privacy law is unique in part because it gives individuals the power to enforce the law when their rights have been violated. We applaud the Illinois Supreme Court for reaffirming consumers’ ability to effectively defend their rights."
Let a thousand lawsuits bloom
"The Illinois Supreme Court has adopted the view that EPIC has long argued as amici in standing cases – a violation of a privacy law is sufficient to confer standing," said Alan Butler, senior counsel at the Electronic Privacy Information Center, in an email to The Register.
"It should not be necessary for a plaintiff to show additional, compensable injury. As the Illinois court explained regarding the state biometric privacy law, that 'would be completely antithetical to the Act’s preventative and deterrent purposes.'"
Meanwhile, Todd Maisch, president and CEO of the pro-business Illinois Chamber of Commerce, issued a statement of concern: "We fear that today’s decision will open the floodgates for future litigation at the expense of Illinois’ commercial health."
In November, 2018, the National Law Review said at least 32 cases had been filed in the preceding two months by Illinois residents against companies over their handling of biometric data. It also said state legislatures in Alaska, Connecticut, Massachusetts and New Hampshire are looking into similar legislation. ®