The Illinois Biometric Information Protection Act (“Act”) states that “[a]ny person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party.”  Last week, the Illinois Supreme Court heard arguments on what may become the cornerstone decision interpreting the term “aggrieved” as used in the Act.  In Rosenbach v. Six Flags Entertainment Corp., 2017 Ill. App (2d) 170317, 2017 WL 65239, the Illinois Court of Appeals held allegations that an amusement park took patrons’ thumbprints without proper consent was not a violation of the Act because the patrons were not aggrieved under the Act.  Before the Supreme Court issues its decision in the coming months, it is worth taking a closer look at how this case evolved, the impact it had on other courts and how this decision may impact the use of biometric data.

• Facts And Analysis of Rosenbach Decision

The Defendant, Six Flags Entertainment Corporation (“Six Flags”), operates an amusement park located in Gurnee, Illinois.  The Plaintiff, Stacy Rosenbach (“Rosenbach”), is a parent of a 14-year-old boy that visited Six Flag’s amusement park for his class trip. Before the trip, Rosenbach purchased a season pass for her son using Six Flag’s website. Rosenbach claims she was surprised to find out that her son was directed to scan his thumbprint to gain access to Six Flags and to receive his season pass card.  Rosenbach claims she would not have purchased the season pass for her son if she knew Six Flags intended to collect his thumbprint without obtaining written consent or disclosing their plan to collect such data.

The Illinois Court of Appeals for the Second District held alleging a technical violation of the Act was insufficient to maintain an action under the Act. In particular, the Court of Appeals framed its interpretation of the term “aggrieved” in the Act as follows:

The certified questions revolve around whether a party is “aggrieved,” and thus may bring an action for liquidated damages or injunctive relief, when the only injury alleged is a violation of the notice and consent requirements of section 15(b) of the Act. Defendants contend that the interpretation of “aggrieved” most consistent with the Act’s language and purpose, and with interpretations of that term in other statutes and in other jurisdictions, is that it requires actual harm or adverse consequences. Plaintiff opposes this and argues that a mere technical violation of the Act is sufficient to render a party “aggrieved.”

In determining whether real or actual harm was required for a party to be “aggrieved” under the Act, the Court of Appeals held “if the Illinois legislature intended to allow for a private cause of action for every technical violation of the Act, it could have omitted the word “aggrieved” and stated that every violation was actionable.”  Based on this reasoning, the Court of Appeals held Rosenbach could not recover because “a plaintiff who alleges only a technical violation of the statute without alleging some injury or adverse effect is not an aggrieved person” under the Act.

In her Brief submitted to the Illinois Supreme Court, Rosenbach claims she did not receive the rights and benefits provided to her and her son under the Act.  Specifically, Rosenbach claims Six Flags deprived season ticket holders with the opportunity to receive “detailed notices” required under the Act and deprived her of the opportunity to provide or withhold her consent to take her son’s thumbprint as required under the Act.

• Illinois Supreme Court Has The Opportunity To Resolve Disputes Over Interpretation Of “Aggrieved”

The Rosenbach decision has received significant analysis since it was issued in December 2017. For example, in In Re Facebook Biometric Information Privacy Litigation, 326 F.R.D. 525 (N.D. Cal. April 16, 2018), a California court rejected the Rosenbach court’s interpretation of “aggrieved.”  Instead, the Facebook court found “because a plain of reading of BIPA ‘leave[s] little question that the Illinois legislature codified a right of privacy in personal biometric information rooted in ‘a long tradition of claims actionable in privacy law” and extending to control over one’s data, independent of disclosure or misuse risks.”  In particular, the Facebook court relied on Am. Sur. Co. v. Jones, 384 Ill. 222, 230, 51 N.E.2d 122 (Ill. 1943), where the Illinois Supreme Court determined that “aggrieved” parties under an Illinois statute are those with a “direct, immediate and substantial interest rather than a speculative, theoretical, inconsequential or remote interest.”  The Facebook court found Facebook and the Rosenbach court failed to address the holding in Jones that a party was aggrieved by an act that directly or immediately affects their legal interest may have a viable cause of action. The Facebook court  further noted that the Rosenbach court may have come to a different conclusion if it had properly reviewed Jones.  We will now see whether the Facebook court was correct in predicting how the Illinois Supreme Court will interpret this portion of the Act.

Further, the Illinois Supreme Court also has an opportunity to address a split in the interpretation of “aggrieved” as seen in the Rosenbach decision and the recent decision in Sekura v. Krishna Schaumburg Tan, Inc., 2018 IL App (1st) 180175.  In Sekura, the Illinois Court of Appeals adopted reasoning similar to that seen in the Facebook litigation when it ruled the Act does not require actual harm. Instead, the Sekura court held an alleged violation of the Act may give a plaintiff the right to sue since the Act protects an individual’s legal right to privacy.

• The Impact Of The Rosenbach Decision

There should be little question that this decision will impact the collection, storage and use of biometric data. Further, this decision may impact data collectors outside of Illinois to the extent that many states are watching the development of the Illinois Biometric Act.  Therefore, the legislatures in states that are still considering implementing a similar law will be able to consider the Illinois Supreme Court’s interpretation of “aggrieved” while determining what allegations give rise to a viable cause of action.

Further, data collectors will need to address the public’s’ view on storing their data regardless of the outcome of this decision. Outside of this litigation, Six Flags has maintained that they are not storing the actual thumbprints:  “Similar to those used at Walt Disney World and other theme parks, the scans at Great America in Gurnee, take measurements of fingerprints and create mathematical models, which officials said cannot be used to re-create full fingerprints.”

Nevertheless, at the time when the scanners first went into use, there was a fair amount of backlash as seen in a May 31, 2014 Chicago Tribune article:

“I don’t see why they need to have juveniles’ fingerprints on file,” said Vincent Bennett, of Antioch, whose wife and two daughters bought season passes a few weeks ago. “It’s a step up on security to not let other people use season passes, but I think it’s an invasion of privacy rights.”

Consequently, even if the Illinois Supreme Court rejects Rosenbach’s position that Six Flags did not obtain proper consent, data collectors will need to address the fact that the public may not be entirely comfortable with the collection of their biometric data.

The post Illinois Supreme Court Set to Address Amusement Park’s Use of Biometric Data appeared first on Privacy Risk Report.

Taylor Swift has a stalker problem.  In April 2018, a man broke into her New York City loft and took a shower before falling asleep in her residence.The same stalker attempted to break Taylor Swift’s front door down with shovel in February 2018. Other stalkers have sent emails threatening to kill Taylor Swift’s entire family. Suffice to say, Taylor Swift and other public personalities should take all reasonable steps to protect themselves and their families. And, thankfully, it appears Taylor Swift is taking these threats seriously.  In addition to taking a variety of other security measures, a number of news reports indicate Taylor Swift has installed a face-recognition camera at her concerts that cross-references pictures of her known stalkers.

A recent Rolling Stone article provides the following information concerning this new security measure:

Taylor Swift fans mesmerized by rehearsal clips on a kiosk at her May 18th Rose Bowl show were unaware of one crucial detail: A facial-recognition camera inside the display was taking their photos. The images were being transferred to a Nashville “command post,” where they were cross-referenced with a database of hundreds of the pop star’s known stalkers, according to Mike Downing, chief security officer of Oak View Group, an advisory board for concert venues including Madison Square Garden and the Forum in L.A. “Everybody who went by would stop and stare at it, and the software would start working,” says Downing, who attended the concert to witness a demo of the system as a guest of the company that manufactures the kiosks.

While there is no reasonable argument against Taylor Swift taking reasonable steps to protect herself from stalkers, we cannot ignore the privacy questions related to this new security method.  Specifically, there are significant questions involving the privacy of individuals that have their images captured, the vast majority are not stalkers. And, unfortunately, there is little guidance on how this new technology should be used.

While we do not have substantial legal guidance on this new security method using biometric data, there are at least a couple of sources that provide some insight.  At present, most protections for biometric data arises out of state laws and regulations such as the Illinois Biometric Information Protection Act (“BIPA”).  BIPA states that “[a]ny person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party.”  As it stands, the technology that allows for the storage and collection of biometric data may be outpacing the development of protections for this information. For example, by using the term “aggrieved,” there is a possible violation under at least one or any of the following scenarios:

• The collection of biometric data without the individual’s consent;
• The collection and use of biometric data without the individual’s consent;
• The collection of biometric data with consent but use without consent;
• The collection of biometric data with consent and use of the data outside the limited consent provided by the individual.

While BIPA clearly states any person “aggrieved by a violation” of BIPA has a potential cause of action, there is little guidance as to when a person should bring suit.

While the protections arising from BIPA are cutting edge compared to most states where there are no protections in place for biometric data, courts are still being called upon to interpret biometric data protection laws.  For example, the Illinois Supreme Court recently heard arguments in a case that may become the cornerstone decision interpreting the term “aggrieved” as used in BIPA.

In Rosenbach v. Six Flags Entertainment Corp., 2017 Ill. App (2d) 170317, 2017 WL 65239, the Illinois Court of Appeals held allegations that an amusement park taking patrons’ thumbprints without proper consent was not a violation of the Act because the patrons were not aggrieved under the Act. The Defendant, Six Flags Entertainment Corporation (“Six Flags”), operates an amusement park located in Gurnee, Illinois.  The Plaintiff, Stacy Rosenbach (“Rosenbach”), is a parent of a 14-year-old boy that visited Six Flag’s amusement park for his class trip.  Before the trip, Rosenbach purchased a season pass for her son using Six Flag’s website.  Rosenbach claims she was surprised to find out that her son was directed to scan his thumbprint to gain access to Six Flags and to receive his season pass card.  Rosenbach claims she would not have purchased the season pass for her son if she knew Six Flags intended to collect his thumbprint without obtaining written consent or disclosing their plan to collect such data.

In determining whether real or actual harm was required for a party to be “aggrieved” under the Act, the Court of Appeals held “if the Illinois legislature intended to allow for a private cause of action for every technical violation of the Act, it could have omitted the word “aggrieved” and stated that every violation was actionable.”  Based on this reasoning, the Court of Appeals held Rosenbach could not recover because “a plaintiff who alleges only a technical violation of the statute without alleging some injury or adverse effect is not an aggrieved person” under the Act.

Of course, data collectors and individuals will have more guidance once the Illinois Supreme Court either affirms or reverses the Court of Appeals in Rosenbach.  And, while the Supreme Court will provide some clarity, we should not be surprised if this decision fails to answer all questions related to BIPA.

The privacy issues are clear even when viewed outside of the various biometric data laws. For example, the Rolling Stone article on Taylor Swift’s use of the images asks: “Despite the obvious privacy concerns — for starters, who owns those pictures of concertgoers and how long can they be kept on file?”  And, that is a reasonable question for any data collector or individual having their data collected.  In addition to the concerns discussed in Rolling Stone, there are a number of other questions that quickly come to mind:  Can Taylor Swift keep the images and cross-reference them down the road when new stalking cases arise?  Are the images limited to be used in only stalking cases?  Can Taylor Swift use the images for marketing purposes?  Do concertgoers need to give consent to have their images taken?  In simpler terms, Taylor Swift’s security team will need to analyze the likelihood that non-stalker concert-goers are going to be “aggrieved” by having their photos taken without consent. Suffice it to say, the parent in Rosenbach may be just as angry if she sent her teenager to a Taylor Swift concert and her child was photographed without consent.  Consequently, even though courts are increasingly providing clarification on these issues, we can expect to see technology continue to outpace the law on biometric issues.

The post Shake It Off! Even Taylor Swift Is Collecting Your Biometric Data appeared first on Privacy Risk Report.