The Illinois Supreme Court recently issued its controversial opinion in Rosenbach v. Six Flags, holding that a person is not required to allege or suffer an actual injury under the state’s Biometric Information Privacy Act (“BIPA”) in order to recover under the Act. Illinois adopted BIPA in 2008, which regulates the collection and use of “biometric information,” a term that includes identifiers such as retina or iris scans, fingerprints, voiceprints, and scans of the hand or face. A person “aggrieved” under the Act can recover liquidated damages, reasonable attorney’s fees and costs, and any other relief, such as an injunction, that a court finds appropriate. Statutory damages are awarded in the amount of $1,000 per negligent violation or $5,000 per intentional or reckless violations of BIPA.
The case arose out of a parent, on behalf of her child, contesting Six Flags’ park admission policy. The challenged policy, adopted in 2014, required season pass holders to use their thumbprint as validation in order to be admitted to the park. Because Six Flags failed to give proper notice of its policy and did not obtain its visitors’ consent to provide their thumbprints, the Illinois Supreme Court found that the child was “aggrieved” for purposes of the Act. Expanding on its holding, the Court noted that when an entity violates the Act’s requirements, “that violation constitutes an invasion, impairment, or denial of the statutory rights of any person or customer” and that “no additional consequences need be pleaded or proved.”
As a result of the ruling in Rosenbach, companies are already experiencing an increase in the number of lawsuits, including class actions, filed under BIPA. Companies that have adopted any technology that collects biometric information, such as requiring employees use their thumbprint to clock in and out at work, need to take immediate action to ensure they have complied with the BIPA, including implementing appropriate policies notifying employees of their rights under BIPA, as well as obtaining signed consents from employees before using their biometric data.
Currently, only Texas and Washington state have passed similar biometric laws. While Indiana and Kentucky have not yet enacted such laws, prudent employers should nevertheless consider implementing notice and consent policies and procedures before collecting and using employees’ biometric data. KDDK employment law attorneys can assist employers in drafting such policies. Please contact attorney Nick Golding at ngolding@KDDK.com or (812) 423-3183, or contact a member of the KDDK Labor and Employment Law Practice Team.