Today the Illinois Supreme Court ruled unanimously that when companies collect biometric data like fingerprints or face prints without informed opt-in consent, they can be sued. Users don't need to prove an injury like identity fraud or physical harm—just losing control of one’s biometric privacy is injury enough.
In Rosenbach v. Six Flags, a 14 year old brought a challenge against an amusement park for collecting his thumbprint without his informed consent, in violation of Illinois law. The law in question, the Illinois Biometric Information Privacy Act (BIPA), prohibits companies from gathering, using, or sharing biometric information without informed opt-in consent. EFF, along with ACLU, CDT, the Chicago Alliance Against Sexual Exploitation, PIRG, and Lucy Parsons Labs, filed an amicus curiae brief urging the Illinois Supreme Court to adopt a robust interpretation of BIPA.
The Illinois Supreme Court agreed with us and soundly rejected the defendants’ argument that BIPA required a person to show an injury beyond loss of statutory privacy rights. The Court rejected the company’s argument that violation of a privacy statute is a mere “technical violation of the law.” In fact, the Court ruled, it inflicts a serious harm that supports a lawsuit.
The court recognized that, through BIPA, the legislature had codified an individual’s “right to privacy in and control over their biometric identifiers and biometric information.” The need to codify this right was supported by the legislature’s findings that biometrics may be used to access sensitive information, but unlike other identifiers like social security numbers, biometrics are unique to each individual and can’t be changed. As a result, the Court ruled, quoting the legislature: “once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.”
For these reason, the court held, a person is “clearly ‘aggrieved’” under BIPA through the mere violation of the act alone:
When a private entity fails to adhere to the statutory procedures, as defendants are alleged to have done here, “the right of the individual to maintain [their] biometric privacy vanishes into thin air. The precise harm the Illinois legislature sought to prevent is then realized.” This is no mere “technicality.” The injury is real and significant. (Emphasis added.)
Illinois’ BIPA is the strongest biometric privacy law in the United States. As biometric collection, use, and sharing become more widespread and invasive every year, it only becomes more important that private citizens can sue under laws like BIPA to protect their privacy. More businesses than ever are capturing and monetizing our biometric information. Retailers use face recognition to surveil shoppers’ behavior as they move about the store, and to identify potential shoplifters. Employers use fingerprints, iris scans, and face recognition to manage employee access to company phones and computers. People have filed BIPA lawsuits against major technology companies like Facebook, Google, and Snapchat, alleging the companies applied face recognition to their uploaded photographs without their consent.
EFF and other privacy groups for years have resisted big business efforts to gut BIPA. Laws like BIPA that allow private citizens to sue are necessary for several reasons. First, biometric surveillance is a growing menace to our privacy. Our biometric information can be harvested at a distance and without our knowledge, and we often have no ability as individuals to effectively shield ourselves from this grave privacy intrusion. Second, BIPA follows in the footsteps of a host of other privacy laws that prohibit the capture of private information absent informed opt-in consent, and that define capture without notice and consent by itself as an injury. Third, allowing private lawsuits is a necessary means to ensure effective enforcement of privacy laws.
The Rosenbach case has important ramifications for another case brought under BIPA challenging Facebook’s use of biometric face surveillance without users’ consent. That case, In re Facebook Biometric Information Privacy Litigation (also called Patel v. Facebook), is currently on appeal in the U.S. Ninth Circuit Court of Appeals in California. Like the defendants in Rosenbach, Facebook has argued that a loss of statutory biometric privacy rights is not enough to sue a company, but instead, the plaintiff must also show additional harm. EFF and our privacy allies filed an amicus curiae brief in this case, too.
The Facebook district court rejected this argument last year, as did the Illinois Supreme Court today.
We’re hopeful the Rosenbach ruling shuts down this argument once and for all. The Illinois Supreme Court cited the California Facebook case with approval and quoted from it extensively. Now it’s up to the Ninth Circuit to allow that case to proceed.