Data Points: Privacy & Data Security Blog

Today, the Illinois Supreme Court unanimously held that actual harm was not a necessary component of proving a breach of the state’s Biometric Information Privacy Act.  This ruling found that Stacy Rosenbach, the mother of a minor whose thumbprint was collected by Six Flags as part of a season pass holder purchase, can be considered an “aggrieved person” under the state’s biometric privacy law without alleging that her child’s data was stolen or misused.

This decision is significant because Illinois has the nation’s only biometric privacy law with a private right of action. Today’s ruling reverses a December 2017 finding by the Illinois state appeals court that plaintiffs must show specific injuries to meet the “aggrieved person” standard under the law. Specifically, the court of appeals held that the individual must show that their personal, pecuniary or property rights were adversely affected. In so holding, the Illinois Supreme Court reasons that “when a private entity fails to comply with one of [the statute’s] requirements, that violation constitutes an invasion, impairment, or denial of the statutory rights of any person or customer whose biometric identifier or biometric information is subject to the breach…such a person or customer would clearly be ‘aggrieved’ within the meaning of section 20 of the Act…and entitled to seek recovery under that provision. No additional consequences need be pleaded or proved. The violation, in itself, is sufficient to support the individual’s or customer’s statutory cause of action.”

Although the statute is unique to Illinois, the ruling is consistent with the increasing willingness of courts to allow a privacy related claim to proceed even without clear injury. The Illinois Supreme Court’s ruling is expected to buoy similar cases already pending in Illinois.