Illinois Biometric Privacy Act Ruling Could Have Wide-Ranging Implications
A ruling by the state's Supreme Court comes as a warning: your customers may sue you if you collect their biometric data without informed consent, even if they don't suffer harm.
- By James E. Powell
- January 25, 2019
Be careful what personal data you collect and how you inform your customer you’ll use that data. It could cost you, even if your customer suffered no actual damage.
That’s one of the lessons of today's decision by the Illinois Supreme Court.
The suit, filed in 2014, tested the enforceability of Illinois’ 2008 Biometric Information Privacy Act. The Court ruled unanimously that Six Flags Entertainment Corp. failed to obtain a then-14-year-old boy’s express consent when the company took his thumbprint for the purchase of a season pass to the company’s Great America theme park. The Court ruled that the “aggrieved” party (the boy) is eligible to receive statutory damages of $1000 per violation or $5000 if the violation was intentional or reckless.
The law requires companies collecting such information (including voiceprints and facial and iris scans) to obtain prior consent when the data is collected. The subject must also be told how the data will be used and how long it will be kept. The company had posted its “terms of use” online but did not inform the boy or his parents about these policies at the time the thumbprint was taken.
Robert Cattanach, a partner at the international law firm Dorsey & Whitney, warns that the decision has the potential to impact companies in any industry.
“The Illinois law does not specify that the individual has to suffer any cognizable harm in order to collect damages. This places the law squarely at odds with the United States Supreme Court ruling in Spokeo, which held that absent some cognizable harm, individuals complaining of privacy violations had no standing to bring actions against entities alleged to have violated their privacy.”
Cattanach thinks an appeal to the U.S. Supreme Court is likely, but “if allowed to stand, the Illinois Court’s ruling would signal a significant sea change in how courts allow claims without actual damages to proceed, and open the floodgates to class actions claiming privacy violations even without any showing of actual harm.”
Cattanach practices in the areas of regulatory litigation, including cybersecurity and data breaches, privacy and telecommunications, civil and criminal enforcement proceedings and international regulatory compliance.
At press time, Six Flags Entertainment Corp. has not issued comments about the ruling.
About the Author
James E. Powell is the editorial director of TDWI, including research reports, the Business Intelligence Journal, and Upside newsletter. You can contact him via email here.