Last week, the Illinois Supreme Court issued an important opinion, defending the ability of individuals to sue for violations of that state’s Biometric Information Privacy Act (BIPA). The opinion raises the tough question of what constitutes a privacy harm sufficient to sustain the requisite damage to get a case heard in a court of law. The question of “informational injury” is contentious as a matter of both law and policy, but we believe lawmakers have acted repeatedly to create causes of action for private citizens to file claims for privacy violations.
We might argue where and when such private causes of action should exist, but at least with respect to BIPA, the Illinois Supreme Court has now ruled that BIPA provides broad rights for individuals to sue. In Rosenbach v. Six Flags, Stacy Rosenbach sued the amusement park for fingerprinting her son without either obtaining “informed written consent” before the collection of biometric data, or providing a “written policy, made available to the public” as required by BIPA. As the Court explains:
The duties imposed on private entities by section 15 of the Act (740 ILCS 14/15 (West 2016)) regarding the collection, retention, disclosure, and destruction of a person’s or customer’s biometric identifiers or biometric information define the contours of that statutory right. Accordingly, when a private entity fails to comply with one of section 15’s requirements, that violation constitutes an invasion, impairment, or denial of the statutory rights of any person.
Companies have argued the opposite in BIPA litigation, suggesting that a mere statutory privacy violation should be insufficient to confer standing under the law. In this case, the argument was that neither the failure to provide notice nor the failure to obtain consent was an actionable violation. The Illinois Supreme Court responds succinctly: “This construction is untenable.”
The Center for Democracy & Technology, alongside our colleagues at the American Civil Liberties Union, the ACLU of Illinois, the Chicago Alliance Against Sexual Exploitation, the Electronic Frontier Foundation, Lucy Parsons Labs, and PIRG, argued exactly this in an amicus brief we filed last summer. Six months later, the Illinois Supreme Court writes that when companies fail to adhere to legal requirements, “‘the right of the individual to maintain [his or] her biometric privacy vanishes into thin air. The precise harm the Illinois legislature sought to prevent is then realized.’ This is no mere ‘technicality.’ The injury is real and significant.”
As we continue to discuss what meaningful privacy law and regulation looks like, this holding is significant and should remain in mind.
Now, we can also acknowledge that BIPA has become a flashpoint in ongoing debates about the role of states in protecting individuals’ privacy. Industry actors have been repeatedly critical of the law, and while BIPA was in some respects ahead of its time when it was passed in 2008, it is also an old law that could use updating. CDT’s preference would be to find a national solution to regulate the use of biometric technologies, including facial recognition. Our federal privacy proposal specifically addresses the use of biometrics, and would limit their collection and use when not required to provide or add to the functionality of the product, service, or a specific feature that an individual wants.
The Illinois Supreme Court’s ringing endorsement of privacy protections under BIPA mandates that the integrity of our fingerprints, facial recognition patterns, iris scans, and other biometric information must be addressed in the ongoing federal privacy debate.