Today, the Illinois Supreme Court unanimously held that actual harm was not a necessary component of proving a breach of the state’s Biometric Information Privacy Act. This ruling found that Stacy Rosenbach, the mother of a minor whose thumbprint was collected by Six Flags as part of a season pass holder purchase, can be considered an “aggrieved person” under the state’s biometric privacy law without alleging that her child’s data was stolen or misused.
This decision is significant because Illinois has the nation’s only biometric privacy law with a private right of action. Today’s ruling reverses a December 2017 finding by the Illinois state appeals court that plaintiffs must show specific injuries to meet the “aggrieved person” standard under the law. Specifically, the court of appeals held that the individual must show that their personal, pecuniary or property rights were adversely affected. In so holding, the Illinois Supreme Court reasons that “when a private entity fails to comply with one of [the statute’s] requirements, that violation constitutes an invasion, impairment, or denial of the statutory rights of any person or customer whose biometric identifier or biometric information is subject to the breach…such a person or customer would clearly be ‘aggrieved’ within the meaning of section 20 of the Act…and entitled to seek recovery under that provision. No additional consequences need be pleaded or proved. The violation, in itself, is sufficient to support the individual’s or customer’s statutory cause of action.”
Although the statute is unique to Illinois, the ruling is consistent with the increasing willingness of courts to allow a privacy related claim to proceed even without clear injury. The Illinois Supreme Court’s ruling is expected to buoy similar cases already pending in Illinois.
About Data Points: Privacy & Data Security Blog
The technology and regulatory landscape is rapidly changing, thus impacting the manner in which companies across all industries operate, specifically in the ways they collect, use and secure confidential data. Moore & Van Allen’s Privacy & Data Security Group recognizes the challenges clients face in the effort to stay abreast of such volatility. “Data Points” seeks to educate by providing transparent and cutting-edge insight on the most critical issues and dynamics. Our goal is to inform business decision-makers who are navigating these waters about the information they must protect, and what to do if/when security is breached. Read About Our Practice and Meet the MVA Privacy & Data Security Team.