Ruling Is a Warning to Companies Collecting Biometric Scans Without Permission
The Illinois Supreme Court issued an important in late January rejecting attempts to gut the state鈥檚 landmark law that bars companies from collecting people鈥檚 biometric identifiers 鈥 including face recognition scans, fingerprints, and iris scans 鈥 without providing a written explanation of what they plan to do with the data and obtaining consent.
The law, called the Biometric Information Privacy Act (BIPA), has been on the books for over a decade. It鈥檚 the strongest such law in the nation, and it has provided a robust tool for protecting some of Illinoisans鈥 most sensitive data against covert collection, use, and resale.
The question at issue in the case concerns who is allowed to sue for violation of their rights under the law. The was brought by the family of a teenager whose thumbprint was scanned when he went to a Six Flags鈥 amusement part. Contrary to the requirements of the law, there was no explanation of why he was fingerprinted or how the data would be used.
BIPA allows anyone 鈥渁ggrieved鈥 by a violation of its provisions to seek monetary damages and other relief. The defendant in the case, supported by a number of organizations representing businesses that seek to collect biometric data 鈥 including like Facebook, Google, and Amazon 鈥 argued that someone can only be 鈥渁ggrieved鈥 if they can prove that they have suffered actual damages, such as monetary loss or other concrete harms.
As we explained in a , however, that interpretation would often leave 鈥渘o means to hold wrongdoers accountable for their violations of BIPA鈥檚 notice and consent requirements鈥 because 鈥減rivacy harms are difficult for the consumer to understand at the outset and discover after the fact.鈥 (In addition to the 老澳门开奖结果 and 老澳门开奖结果 of Illinois, the brief was joined by the Center for Democracy & Technology, Chicago Alliance Against Sexual Exploitation, Electronic Frontier Foundation, Illinois PIRG Education Fund, and Lucy Parsons Labs).
In a unanimous opinion, the Illinois Supreme Court agreed, holding that 鈥渁n individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an 鈥榓ggrieved鈥 person and be entitled鈥 to sue. The court explained, quoting a lower court鈥檚 ruling in another case:
The Act vests in individuals and customers the right to control their biometric information by requiring notice before collection and giving them the power to say no by withholding consent. These procedural protections 鈥渁re particularly crucial in our digital world because technology now permits the wholesale collection and storage of an individual鈥檚 unique biometric identifiers 鈥 identifiers that cannot be changed if compromised or misused.鈥 When a private entity fails to adhere to the statutory procedures, as defendants are alleged to have done here, 鈥渢he right of the individual to maintain [his or] her biometric privacy vanishes into thin air. The precise harm the Illinois legislature sought to prevent is then realized.鈥 This is no mere 鈥渢echnicality.鈥 The injury is real and significant.
The court鈥檚 ruling ensures that the Illinois law remains a meaningful tool for protecting against invasions of privacy. It will have an immediate effect in other cases, including a lawsuit challenging Facebook鈥檚 collection of face recognition scans 鈥 also filed under BIPA 鈥 in which we filed a friend-of-the-court brief late last year.
The decision also stands for a larger principle that in an age when companies have ever greater abilities to amass and monetize our personal data, it is crucial that Congress and state legislatures provide strong laws that both protect people鈥檚 rights and allow them to sue when companies violate the law. Legislators should reject self-serving industry arguments 鈥 similar to the ones made in this case 鈥 that consumers don't deserve the right to take companies to court unless they can prove monetary or concrete harm.
As my colleague Neema Singh Guliani recently , 鈥淗uge privacy violations have become commonplace. Without a private right of action, consumers have little practical ability to seek relief in cases where their data was mishandled or misused.鈥
Lawmakers nationwide would be wise to follow Illinois鈥 lead and ensure that people throughout the country have a way to defend against surreptitious or misleading uses of their biometrics and other private and sensitive data.