Illinois biometric privacy law passes a key court test
Illinois’ Biometric Information Privacy Act just withstood a major challenge. The state’s Supreme Court has returned a BIPA dispute back to circuit courts after rejecting claims that would have significantly limited the law’s reach. Six Flags had fingerprinted a 14-year-old guest without his parents’ approval, violating BIPA’s requirement for obtaining consent, but had contended that it wasn’t liable if the plaintiff couldn’t show evidence of damages. A lower appeals court had sided with Six Flags, but the Supreme Court said this went against “accepted principles” of constructing laws.
BIPA “does not contain” a definition of what it means to suffer injuries, the court said, and in “popularly understood” terms, you’ve faced those damages simply through the violation of the law. The court added that the whole point of the law was to give users greater control over when and how companies collect biometric data. If firms can escape liability so long as they don’t cause tangible harm, your right to control your privacy “vanishes into thin air.”
The state’s Chamber of Commerce objected to the ruling, claiming that it would “open the floodgates” to lawsuits that would hurt the Illinois economy.
That’s not necessarily the case. Still, there’s little doubt the decision will have significant ramifications. Google, Facebook and others have faced lawsuits accusing them of violating BIPA by tagging faces in photos without asking users. Google recently had a Photos-related case tossed out because the plaintiffs couldn’t show that they’d faced “concrete injuries,” but that argument might not hold up after the Six Flags ruling.
(10)