Illinois: Actual Injury Not Required for Privacy Lawsuit; Inviting Costly Litigation against Innovators
On Friday, the Supreme Court of Illinois found that a plaintiff could seek liquidated damages and injunctive relief under a state privacy statute without “[p]roof of actual damages.”
The case—Rosenbach v. Six Flags Entertainment—was brought under the Illinois Biometric Information Privacy Act (BIPA or Act). The Act imposes numerous obligations on private entities that collect biometric information, like fingerprints and retina scans. If the entity fails to follow the obligations in the Act, any person “aggrieved” is provided a “right of action . . . against an offending party.”
Plaintiffs here alleged that an amusement park violated the Act by collecting fingerprints without following a few statutorily imposed procedures. Specifically, the amusement park collected the fingerprints of individuals who held repeat-entry passes and then allowed the pass holders to scan their fingerprints to enter the park. Seems like a pretty user-friendly and beneficial idea, right? Wrong, according to class action lawyers.
In 2014, the plaintiff visited the park during a school field trip and, while there, provided his fingerprint. Uh-oh. According to the park patron’s mom, the amusement park violated the BIPA by (1) failing to give written notice that it was collecting and storing biometric information; (2) not providing written notice of the “specific purposes” for which the information was being stored and how long it would be kept and used; and (3) not obtaining a written release by the plaintiff or his mother before collecting the information. Mom found a class action lawyer (or maybe it was the other way around….) and sued on behalf of her son and a large class of allegedly similarly situated plaintiffs, for lots of money.
The amusement park was not amused. It argued that mom and the other class members were not entitled to relief because the park patron was not “aggrieved.” It reasoned that the only allegations against it were “technical violation[s] of the Act,” whereas the word “aggrieved” (which is ordinarily applied to govern who can bring a lawsuit) suggested that there must be an actual injury or adverse effect, not just a mere violation of the statute in and of itself. A lower court agreed with the amusement park and shut down the class action.
But the Illinois Supreme Court—reversing the lower court—held that simply violating the statute, without showing any actual harm or adverse effect, was enough to state a claim under the Act. (Disappointing to many, but maybe not surprising, given that past studies have heavily criticized Illinois state court jurisprudence.)
Using general tools of statutory interpretation, the court found that (1) some Illinois statutes limited relief to allegations of actual damages, whereas the Act did not contain such a requirement; (2) according to Illinois law and dictionary definitions, “aggrieved” means having one’s right violated; (3) the Act created a “right to privacy in and control over [an individual’s] biometric identifiers and biometric information;” and (4) failing to adhere to the statutory procedures violated that right; therefore (5) alleging that Defendants violated Plaintiff’s statutory right was sufficient to state a cause of action under the Act.
This opinion sets a troubling precedent. As Law360 pointed out, Illinois’ law is the only biometric privacy law in the country with a private right of action, and plaintiffs have recently seized upon it to file hundreds of cases. Some of these cases could impose large costs on companies for fairly innocuous violations—for example, Facebook could be subject to massive fines for using facial recognition technology to allow users to “tag” one another in photographs, as one large class action claims. By removing any requirement to show actual harm, the Illinois Supreme Court has given its blessing to a flood of litigation, which may prove costly and deter companies from launching innovations in Illinois.
While this opinion turned on the interpretation of a state statute, it intersects with a broader problem in federal standing doctrine over what constitutes a concrete harm. In Spokeo, Inc. v. Robins, the Supreme Court held that simply alleging “a bare procedural violation” of a statute cannot satisfy standing where the relevant “procedural requirements may result in no harm.” However, the Court did not spell out when procedural requirements may result in harm. Litigants are currently duking it out over whether a mere failure to follow the BIPA satisfies Article III standing in federal court.
This ambiguity over what kind of injury constitutes Article III standing is not limited to procedural harms. There are many privacy and cybersecurity cases percolating through the federal courts that turn on whether actual injuries must be shown. Recently, the Supreme Court declined to provide guidance in FCA v. Flynn, where plaintiffs claimed that they paid too much for vehicles that later were alleged to have unexploited security vulnerabilities but which were never subject to a hack. We filed an amicus brief urging the court to consider this important standing issue.
Legions of “unharmed plaintiffs” and “injury-free class actions,” encouraged by judges unwilling to enforce standing requirements, have several unfortunate consequences. They will plague the courts, force companies into massive payouts to plaintiffs’ lawyers, and deter technological innovation. States and the U.S. Supreme Court should carefully enforce Article III standing requirements, and legislators considering new privacy laws should be wary of authorizing similar “harm-free” class actions.
Megan Brown is a partner at Wiley Rein LLP, leading the firm’s cybersecurity and IoT work. She also is Associate Program Director of the National Security Institute at George Mason’s Scalia Law School.