In a ruling that’s expected to have widespread implications, the Illinois Supreme Court has held that consumers can sue companies for collecting biometric data, including facial scans or fingerprints, if the companies fail to disclose how the information will be used.
The court unanimously said companies that gather people’s data improperly could be held liable for damages, even without concrete injury to the consumers.
The ruling paves the way for lawsuits against Facebook, Google and other businesses that have been fighting challenges on this and related issues.
In the Illinois case, a teenager’s fingerprints were collected in 2014 when he bought a pass for a Six Flags amusement park. His family sued Six Flags, claiming that the collection without their consent violated a state law called the Biometric Information Privacy Act (BIPA).
BIPA is known as the strictest biometric data law in the country. It requires companies to obtain a written release, from either the person whose data is collected or their legally authorized representative, and to provide a written explanation detailing the reason for collecting it and the length of time it will be stored.
The Illinois law allows individuals to sue for damages of $1,000, or up to $5,000 if a court rules that the violation of the law was deliberate or reckless.
Other state privacy laws typically allow only attorneys general to sue companies.
Six Flags argued that because the family didn’t have evidence that taking their son’s fingerprints caused any harm to him, it shouldn’t pay damages.
The court disagreed, saying that “an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act” in order to sue.
As a result, the court said the family could sue Six Flags. Ultimately, the court found that Six Flags had violated the Illinois law and would have to pay damages to the family.
Facial recognition under attack
In addition to penalizing Six Flags, the ruling shoots down an argument that’s been made by other corporate defendants, including Facebook and Google.
For example, a class action lawsuit pending against Facebook alleges violations of the Illinois law due to the platform’s use of facial recognition to tag photos. If Facebook loses the case, the fines could total billions of dollars.
In a case filed against Google, the plaintiffs claim that the company didn’t obtain users’ consent to use facial recognition technology in Google Photos.
Numerous other cases are currently pending under the same Illinois law. Texas and Washington State also have laws that regulate facial recognition.
If you’re a business outside of Illinois, could this case affect you? At the moment, it’s unclear how widespread the effect will be. The federal appeals courts are split on the question of whether consumers can sue companies after a data breach without proving concrete harm, and the U.S. Supreme Court has refused to decide the issue.
In the federal cases, the focus has been on whether a data breach amounts to a sufficient risk of future harm to allow a plaintiff to sue.
One federal appeals court addressed this question under the BIPA law in 2017 and decided there was no injury. However, the Illinois Supreme Court avoided this question in the current case, instead saying that a straight violation of the law was enough.
Regardless of your location, the decision demonstrates how important it is to speak with a business attorney to ensure that your company is making proper disclosures to consumers if you collect biometric data.