As the number and scale of cases involving the theft or loss of personal information grow, so does the number of plaintiffs filing suit as a result. One of the most difficult hurdles for these plaintiffs to clear is the requirement that they have standing to bring their suit. Standing generally requires that a plaintiff show she has suffered some actual harm. Most plaintiffs find it difficult to link the improper gathering or storage of their personal information to some actual harm they have suffered.
In Rosenbach v. Six Flags Entertainment Corp., the Supreme Court of Illinois examined the issue of standing requirements for certain privacy suits. Rosenbach concerned a minor, Alexander Rosenbach, whose mother bought him a season pass to Six Flags Great America amusement park. To complete the sign-up process for a season pass, Six Flags required Rosenbach’s thumbprint. When Rosenbach’s mother learned that Six Flags had taken her son’s thumbprint, she brought suit on his behalf. The suit alleged that “[n]either Alexander…nor…his mother, were informed in writing or in any other way of the specific purpose and length of term for which his fingerprint had been collected,” in violation of Illinois’ Biometric Information Privacy Act (BIPA).
BIPA – the nation’s most stringent biometric privacy act – mandates specific conditions under which a company may collect and store biometric information. Additionally, it provides certain remedies to an “aggrieved” party, including a private right of action for damages. The question on appeal before the Illinois Supreme Court was not whether Six Flags’ behavior violated BIPA. Instead, the Court was asked to decide whether Rosenbach was an “aggrieved” person as BIPA uses that term. Six Flags argued that if Rosenbach was not “aggrieved,” then he was barred from recovery. The Court answered the question in Rosenbach’s favor, finding that to be “aggrieved” meant simply to have had “a denial of some personal or property right.” Because Six Flags had denied Rosenbach’s rights under BIPA, he was “aggrieved,” and it was not necessary for him to have suffered any “actual damages” as the result of this denial.
This case is critical to plaintiffs wishing to bring suit under BIPA, because it makes it easier to bring a viable claim. Because Rosenbach turned on the definition of a single word in an Illinois statute, however, it is easy to view the case as having limited impact outside of that state. After all, only two other states in the country – Washington and Texas – even have laws concerning the collection and use of biometrics. And the word “aggrieved” does not appear anywhere in the biometrics statutes of those states.
Despite this, Rosenbach may become an important case even outside of Illinois. This is because the Illinois Supreme Court explicitly rejected the lower court’s argument that Six Flags’ violation of BIPA was merely “technical,” and that Rosenbach had therefore suffered no actual harm. Quoting a similar federal case from the Northern District of California, it found that BIPA’s protections “are particularly crucial in our digital world because technology now permits the wholesale collection and storage of an individual’s unique biometric identifiers—identifiers that cannot be changed if compromised or misused.” Because of this, Six Flags’ failure to adhere to statutory procedures caused an injury that is “real and significant.” This language sounds strikingly similar to the “actual harm” that a plaintiff must show to meet standing requirements.
Consequently, Rosenbach will provide an assist to plaintiffs around the country who want to demonstrate standing in suits for the improper gathering or storage of their personal information. Those plaintiffs can now point to this persuasive authority and argue it concludes that an injury to a privacy right confers standing. In anticipation of this, defense counsel must be aware of Rosenbach, and be prepared to argue that it has no application beyond statutory rights created by BIPA in Illinois.
Chris Jones is a member of Sands Anderson’s Cybersecurity and Technology Team.