While many states are still struggling to enact comprehensive cyber/privacy laws and the federal government still lacks a uniform framework, Illinois data collectors have been working under the most advanced privacy statutes and common law in the United States. Specifically, the Illinois legislature has taken steps through the Personal Information Protection Act and the Biometric Information Protection Act (“Biometric Act”) that will put data collectors and courts at the forefront of privacy law for years to come.

The latest development in Illinois privacy law was seen last Friday when the Illinois Supreme Court issued its decision in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Jan. 25, 2019) which provides insight on what is necessary to bring a cause of action under the Biometric Act.  In Rosenbach, the Illinois Supreme Court analyzed the provision in the Biometric Act which states that “[a]ny person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party.”  The central question for the Supreme Court was whether the use of the term “aggrieved” in the Biometric Act requires a plaintiff assert that they suffered an injury in addition to having their biometric data collected.  In reversing the Illinois Court of Appeals, the Supreme Court found a violation of the Biometric Act when a data collector merely took information from a minor without proper consent.  The most important aspect of this case is a data collector can be liable without breaching any information.

  • The Facts In Rosenbach

The Defendant, Six Flags Entertainment Corporation (“Six Flags”), operates an amusement park located in Gurnee, Illinois.  The Plaintiff, Stacy Rosenbach (“Rosenbach”), is a parent of a 14-year-old boy that visited Six Flag’s amusement park for his class trip. Before the trip, Rosenbach purchased a season pass for her son using Six Flag’s website.  Rosenbach claims she was surprised to find out that her son was directed to scan his thumbprint to gain access to Six Flags and to receive his season pass card.  Rosenbach claims she would not have purchased the season pass for her son if she knew Six Flags intended to collect his thumbprint without obtaining written consent or disclosing their plan to collect such data. Rosenbach claimed she was “aggrieved” under the Biometric Act without any allegation that Six Flags breached any data.

In Rosenbach, The Illinois Supreme Court provided the following analysis of the term “aggrieved” as in the Biometric Act:

More than a century ago, our court held that to be aggrieved simply “means having a substantial grievance; a denial of some personal or property right.” Glos v. People, 259 Ill. 332, 340 (1913). A person who suffers actual damages as the result of the violation of his or her rights would meet this definition of course, but sustaining such damages is not necessary to qualify as “aggrieved.” Rather, “[a] person is prejudiced or aggrieved, in the legal sense, when a legal right is invaded by the act complained of or his pecuniary interest is directly affected by the decree or judgment.” (Emphasis added.) Id.  ¶

  • The Illinois Court Of Appeals’ Decision Is Reversed

The Illinois Court of Appeals held the allegations that Six Flags took patrons’ thumbprints without proper consent was not a violation of the Act because the patrons were not “aggrieved” as required by the Biometric Act.  In reversing the Court of Appeals, the Illinois Supreme Court held:

In sum, defendants’ contention that redress under the Act should be limited to those who can plead and prove that they sustained some actual injury or damage beyond infringement of the rights afforded them under the law would require that we disregard the commonly understood and accepted meaning of the term “aggrieved,” depart from the plain and, we believe, unambiguous language of the law, read into the statute conditions or limitations the legislature did not express, and interpret the law in a way that is inconsistent with the objectives and purposes the legislature sought to achieve. That, of course, is something we may not and will not do.

  • Potential Impact Of This Decision

The Rosenbach decision will undoubtedly cause ripples in privacy law for years to come as a party can conceivably maintain a viable cause of action without pleading any “actual injury or damage.”  This decision may close the door on data collectors being held liable only when they breach biometric data.  Rather, data collectors will need to review all processes that may collect biometric data to confirm they are complying with the Biometric Act.  For example, Six Flags may now need to revamp its use of thumbprints to make sure it obtains consent from a minor’s guardian and they make clear how the data will be used.

Further, this decision may undercut the usefulness of expensive equipment used to collect biometric data if a majority of people withhold their consent to have their information collected.  For example, many workplaces have started to track employees’ hours by using biometric data including fingerprints and thumbprints.  These new systems that rely on biometric data make “clocking in” more convenient than systems that may rely on employee numbers or time cards.  It will be interesting to see how employers will work with employees that refuse to consent to having their biometric information collected after the employer purchased the expensive equipment.  Suffice it to say, we can expect Illinois to continue to be the source of many influential developments in privacy law in the coming years.