What does it mean to be aggrieved?
The Illinois Supreme Court decided recently what it meant for purposes of the Illinois Biometric Information Privacy Act (BIPA)—a state law designed to protect biometric data such as fingerprints and retinal scans—and the court’s decision could have a long-lasting effect on data privacy law in general and pending litigation involving Facebook specifically.
Facebook—and class action plaintiffs suing Facebook—have been waiting for the state high court’s decision in Rosenbach v. Six Flags Ent. Corp., No. 123186 (Ill. Jan. 25, 2019) because the court was deciding the issue of whether, to be able to bring a private action against an alleged BIPA violator, one had to show damages beyond a mere violation of the statute.
Reversing a state intermediate appellate court, the Illinois Supreme Court held that a mere violation of the statute involving someone’s biometric information made that person an “aggrieved” party, triggering the private right of action—whether there were additional damages or not.
Orwellian Amusement Park?
In the spring of 2014, Alexander Rosenbach and his eighth-grade class went to Six Flags Great America in Gurnee, Illinois, for a school field trip. Alexander’s mother, Stacy, registered him for a season pass to the amusement park, but the final step of the process had to be completed at the park.
When Alexander arrived at Six Flags Great America with his class, he learned that he would have to supply his thumbprint to get his pass and gain access to the park. Neither he nor his mother had been told of this requirement, and his mother was not at the park to supply consent for 14-year-old Alexander.
Nevertheless, Six Flags Great America scanned Alexander’s thumbprint and stored his biometric information in Six Flags’ biometric data capture system.
Stacy Rosenbach, individually, and on behalf of Alexander, sued Six Flags Great America’s parent company, Six Flags Entertainment Corp., alleging Great America’s capture of Alexander’s thumbprint violated Illinois’ Biometric Information Privacy Act (BIPA).
Illinois enacted BIPA in 2008 to help regulate “the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.” BIPA defines “biometric identifier” to be “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”
BIPA goes on to define “biometric information” as “any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual.”
At a basic level, there’s no question that BIPA applied to situations such as Alexander’s, where someone has just snagged his thumbprint and stored it in a corporate database.
The legal question went beyond merely whether BIPA applied to this type of situation. The question involved damages and whether Alexander qualified as an “aggrieved” person under BIPA.
BIPA provides that any person “aggrieved” by a violation of BIPA’s provisions “shall have a right of action … against an offending party” and “may recover for each violation.”
But what does it take to be an “aggrieved” person? The statute doesn’t say specifically.
Answering certified questions from an Illinois state trial court, an intermediate Illinois state appellate court held Alexander was not an “aggrieved” party under the act.
The intermediate appellate court held that a person is not “aggrieved” within the meaning of BIPA and may not pursue either damages or injunctive relief under BIPA based solely on a defendant’s violation of the statute—additional injury or adverse effect must be alleged. The injury or adverse effect need not be pecuniary, the intermediate appellate court held, but it must be more than a “technical violation of the Act.”
However, on January 25, the Illinois Supreme Court reversed the intermediate appellate court.
Rejecting the idea that parties had to show damages beyond the rights granted under BIPA, the court wrote:
To require individuals to wait until they have sustained some compensable injury beyond violation of their statutory rights before they may seek recourse, as defendants urge, would be completely antithetical to the Act’s preventative and deterrent purposes.
The Illinois Supreme Court’s holding has ramifications far beyond Illinois.
The Faces of Facebook
The most immediate legal impact of Rosenbach is on litigation over Facebook’s tagging feature pending in the U.S. District Court for the Northern District of California, In re Facebook Biometric Info. Privacy Litig., No. 3:15-cv-03747 (N.D. Cal.).
Since 2011, users of the social media platform Facebook have used the “tag” feature, with which one can “tag” friends who appear in their photos. The tag feature works with a facial recognition tool embedded into Facebook.
Nimesh Patel and others sued Facebook in a class action, alleging Facebook’s data collection practices with its tagging feature—in which they allege Facebook collected and stored their biometric data without prior notice or consent—violated their privacy rights under Sections 15(a) and 15(b) of BIPA.
As Six Flags argued in Rosenbach, Facebook argued—among other things—that a BIPA plaintiff had to show injuries beyond a violation of the statute. Facebook relied heavily on the intermediate appellate decision in Rosenbach. Now that the Illinois Supreme Court has taken that argument away, Facebook must rely on other defenses.
Data Breach Damages
The debate over whether one must show actual damages or a mere violation of a statute is nothing new. It’s often litigated in data breach litigation.
For instance, in 2012, Zappos Inc. sustained a data breach, allegedly exposing the personal information of Zappos customers. Zappos customers sued and in March 2018, the Ninth Circuit reversed a federal district court and held that even if actual financial damages had not been shown, substantial risk that harm would occur—e.g., personal information being exposed—created standing to sue.
The U.S. Supreme Court in Zappos.com, Inc. v. Stevens is considering the legal issues presented in In re Zappos.Com, Inc. Customer Data Security Breach Litigation, namely the status of a group of plaintiffs in the case who did not allege that any fraudulent charges had been made using their identities—despite the data breach having exposed their names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information.
Why Rosenbach v. Six Flags Matters
As the U.S. Supreme Court considers the damages issues in In re Zappos, the Illinois Supreme Court’s decision in Rosenbach will have an immediate impact on cases dealing with BIPA.
In re Zappos will, in all likelihood, resolve a data breach litigation circuit split, with the First, Second, Fourth, and Eighth Circuits holding a concrete harm must be shown, and the Third, Sixth, Seventh, Ninth, and DC Circuits holding a mere violation—without additional injury required—created standing.
These cases are establishing a base threshold for being able to bring actions for data privacy and data protection violations.
Should one be able to prevail in data protection litigation just because they can show, as in In re Zappos, that their information’s out there as the result of a data breach—without having to show they were actually harmed by its exposure?
Is it harm enough to have to worry about what hackers are doing with your data after a breach?
Should one be able to prevail in data privacy litigation just because, as in Rosenbach, they can show their biometric data were collected in violation of the statute—without any showing they sustained an actual injury?
Using the same analysis, is being violated by a data collector harm enough?
Much to the chagrin of Six Flags and Facebook, the issue seems to be resolved vis-à-vis the Illinois Biometric Information Privacy Act.
For data breaches, the verdict remains out.