Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.
Since mid-September 2017, more than 50 employers that use “biometric timeclocks” in Illinois have been targeted with class action lawsuits alleging violations of the state’s Biometric Information Privacy Act (“BIPA”). A unanimous ruling issued on December 21, 2017, by the Illinois Appellate Court, could reduce the flood to a trickle. The case holds that to state a claim under BIPA, a plaintiff must allege more than a mere failure to comply with BIPA’s requirements to provide notice and obtain consent before collecting biometric data.1
The Illinois Appellate Court’s ruling follows the Second Circuit’s recent decision affirming the dismissal of a BIPA class action lawsuit for lack of standing to sue in federal court because the plaintiff alleged only technical violations of BIPA’s notice and consent provisions without any attendant harm.2 The Illinois Appellate Court’s decision is even more momentous for employers because it provides a substantive defense that has the potential for defeating BIPA class actions whether filed in federal or state court.
The Court’s Decision in Rosenbach v. Six Flags Entertainment Corp.3
The allegations asserted by the lead plaintiff in Six Flags mirrored those being alleged against employers that have implemented biometric timeclocks. Specifically, the plaintiff alleged:
- Six Flags scanned his thumbprint for security purposes using a biometric scanner.
- Before scanning his thumbprint, Six Flags did not provide the plaintiff with a written disclosure that stated the purpose of the collection and provided a destruction schedule.
- Before his thumbprint was scanned, Six Flags did not ask him to sign a written release authorizing the collection and disclosure of his biometric information.
Notably, the plaintiff in Six Flags was a minor who bought a season pass to the amusement park while unaccompanied by a parent and, therefore, arguably is a type of plaintiff who is even more worthy of protection than an employee.
Six Flags responded to these allegations by moving to dismiss the plaintiff’s BIPA claims.4 In its motion, Six Flags argued that the plaintiff was not an “aggrieved” person—a requirement for recovering actual or liquidated damages under BIPA’s remedy provision. The lower court denied the company’s motion and certified an interlocutory appeal.
Issues Certified for Appeal
On appeal, the court addressed whether a plaintiff is “aggrieved” under BIPA “when the only injury he or she alleges is a … private entity collected his or her biometric identifiers and/or biometric information without providing him or her the disclosures and obtaining written consent …”
The Court Defines “Aggrieved” Under BIPA
The Appellate Court’s ruling centered on the definition of the term “aggrieved” as used in Section 20 (the remedy section) of BIPA. Because BIPA itself provides no definition, the court looked to the plain meaning of the term “aggrieved.” The court held that, by its plain language, “aggrieved” requires “an actual injury, adverse effect, or harm in order for the person to be aggrieved.”5 That a plaintiff does not receive notice or provide consent before the collection of his or her biometric data, standing alone, is insufficient to meet this standard.
The court supported this interpretation of the Act by highlighting decisions by two other courts in comparable cases. First, the court cited the decision of the Northern District of Illinois federal court in McCollough v. Smarte Carte, Inc.6 In McCollough, the court dismissed a BIPA class action filed against the owner/operator of electronic storage lockers that used fingerprint entry. The plaintiff in McCollough alleged the same “technical violations” of BIPA’s notice and consent provisions as did the plaintiff in Six Flags. The McCollough court held the plaintiff did not meet the dictionary definition of an “aggrieved” party because she had not alleged any facts to show that her pecuniary or other interests had been adversely affected by the defendant’s alleged violation of BIPA.
Second, the Illinois court cited a Wisconsin Appeals Court decision involving an interpretation of the term “aggrieved” person in the context of a Wisconsin statute that requires mortgage brokers to provide a disclosure statement to consumers before they enter into a mortgage broker agreement. The Wisconsin court ruled that a plaintiff who merely alleged a defendant had failed to provide the statutorily required disclosure form, without a showing of some actual injury or harm, was not an “aggrieved party” under the Wisconsin Act.
Based on these decisions and the plain meaning of the term “aggrieved,” the Illinois Appellate Court concluded:
if the Illinois legislature intended to allow for a private cause of action for every technical violation of the Act, it could have omitted the word “aggrieved” and stated that every violation was actionable … Therefore, a plaintiff who alleges only a technical violation of the statute without alleging some injury or adverse effect is not an aggrieved person under section 20 of the Act.7
The Illinois Appellate Court's decision provides much-needed clarity on a gray area in BIPA that the plaintiffs’ class action bar has sought to exploit; namely, whether the mere “technical violation” of failing to comply with the Act’s notice and consent provisions can serve as the basis for recovering, per employee, liquidated damages of $1,000 for negligent violations and $5,000 for intentional or reckless violations. The court’s holding that in order to have a right of action under BIPA a person must allege an “injury, adverse effect, or harm” that stems from the allegedly improper collection or storage of their biometric data under the Act resolves that issue, and provides employers with a basis to dismiss a BIPA claim that does not allege a cognizable injury. Because employers likely will see plaintiffs’ class action counsel attempt to “plead around” this holding with “creative” allegations of a cognizable injury, they should continue to obtain informed consent from employees in Illinois before collecting their biometric data.
1 BIPA regulates the collection of both “biometric identifiers,” defined as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry” and “biometric information,” defined as “any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier.” Biometric information and biometric identifiers are jointly referred to as “biometric data” in this article.
2 For more information on the Second Circuit decision, please see Kwabena A. Appenteng and Philip L. Gordon, The Second Circuit Provides A Roadmap For Employers Defending Claims Under Illinois’ Biometric Information Privacy Act, Littler Insight (Dec. 6, 2017).
3 Rosenbach v. Six Flags Entertainment Corp., No. 2-17-0317, 2017 IL App (2d) 170317.
4 The plaintiff also alleged a claim of unjust enrichment.
5 2017 IL App (2d) 170317, ¶ 20.
6 McCollough v. Smarte Carte, Inc. No. 16 C 0377, 2016 WL 4077108 (N.D. Ill. Aug. 1, 2016). The court’s analysis in McCollough was instructive in the case that was affirmed by the Second Circuit, Vigil v. Take-Two Interactive Software, Inc, 235 F. Supp. 3d 499 (S.D.N.Y. 2017).
7 2017 IL App (2d) 170317, ¶ 23.