On January 25, 2019, the Illinois Supreme Court ruled that a consumer need not demonstrate an adverse effect or specific harm, such as evidence that personal information was stolen or misused, to have standing to sue under the state’s Biometric Identity Protection Act (BIPA). The court held that a procedural violation of the law itself is sufficient to support a private right of action under BIPA. The court’s decision will give real teeth to the 200-plus BIPA actions already filed in Illinois – the only biometric law in the country with a private right of action – and we are likely to see a boost in lawsuits against private entities alleging procedural BIPA violations.
In Rosenbach v. Six Flags (a more detailed explanation of the facts and previous inter-district split is provided in a previous blog post), the Court held that Rosenbach’s son can be considered an “aggrieved person” under BIPA based simply on the fact that his fingerprint was taken (for a season pass to Six Flags) without the required written consent. The Illinois Supreme Court opined that even a “technical” breach prevents an individual from maintaining his/her biometric privacy, which the court considers a “real and significant” injury to one’s “statutory right.”