What Employers Everywhere Can Learn from Six Flags and the Illinois Biometric Information Privacy Act

February 2019

An emerging trend in employment law and many consumer industries is the collection of “biometric information,” including “biometric identifiers” like fingerprints, retina or iris scans, hand or facial scans, and voiceprints. With great power, however, comes great responsibility. Large national employers such as Facebook and Google have been embroiled in privacy lawsuits arising from their collection of biometric information.

On January 25, 2019, the Illinois Supreme Court ruled against Six Flags in a landmark decision that affects every “private entity,” including companies, individuals, and other non-public groups, that collects biometric information-in particular those with operations or offices in Illinois, Washington, or Texas.

The Illinois Biometric Information Privacy Act

In 2008, Illinois passed the Biometric Information Privacy Act (“BIPA”). Under the BIPA, if a private entity collects biometric information or identifiers, it must first inform the subject in writing that the information is being collected or stored, inform the subject in writing of the specific purpose and the length of the term of collection, storage, or use of the information, and receive a written release from the subject.

The penalties for non-compliance under the BIPA are substantial. Any person “aggrieved” by a violation of the BIPA can file a lawsuit and recover: (1) liquidated damages of up to $1,000 for each negligent violation of the statute, liquidated damages of up to $5,000 for each intentional or reckless violation, or actual damages, whichever is greater; and (2) reasonable attorneys’ fees and other court costs.

Rosenbach v. Six Flags

In 2014, a 14-year-old boy named Alexander took a school field trip to the Six Flags Great America amusement park in Gurnee, Illinois. In advance of the trip, Alexander’s mother purchased a season pass for him online. To complete the sign-up process, Alexander visited a security checkpoint at the park, where he was asked to scan his thumb into Six Flags’ biometric-data-capture system. Six Flags uses a biometric-data system to speed entry into the park and eliminate fraud and lost revenue that results when individuals enter the park using someone else’s pass. When Alexander’s mother learned his fingerprints were taken without prior written notice or any explanation, she filed a lawsuit on behalf of Alexander and numerous other similarly-situated people whose biometric information was collected by Six Flags.

On January 25, 2019, the Illinois Supreme Court ruled that Six Flags and other private entities can be sued in Illinois for violating the BIPA even if no actual harm results from its collection of biometric information. The Court held that an individual is “aggrieved” under the BIPA, and can therefore sue and seek liquidated damages, if her rights are violated under the statute-whether or not she also suffers monetary or any other harm.

Explicit in the Court’s ruling is a requirement that private entities must comply with the BIPA’s requirements at the outset of any biometric-data-collection. Because a biometric-privacy violation cannot be undone, the Court explained, BIPA gives individuals and customers an opportunity to control their biometric information by requiring notice before collection and giving the subject an opportunity to withhold consent. Failure to comply with the BIPA’s requirements denies individuals the chance to protect their personal information, and therefore carries severe penalties for non-compliance, even if nobody is actually harmed.

What You Can Learn From Six Flags’ Mistakes

The Six Flags ruling is a stark reminder that employers, companies, and individuals collecting biometric information, for any purpose, may be subject to one or more states’ privacy laws. If you are a company or individual that currently collects biometric information, or if you are considering collecting this information in the future, contact FMJ to discuss the requirements in Illinois, Washington, Texas, and other states.

Although Minnesota has not yet passed a biometric-privacy statute, Minnesota employers should closely monitor this situation. In May of 2018, a Minnesota House of Representatives informational brief concluded that “legislative action may be required to deter companies’ use of biometric information if consumers perceive this identification to be compromising their privacy.” Legislative action in Minnesota may soon follow. FMJ’s HR & Employment and Litigation attorneys are available to consult with you regarding biometric-privacy issues.

About FMJ’s HR & Employment Group
When an employment issue arises, not only do you need an attorney who knows the law, but also someone who understands and appreciates your business. Our HR & Employment Group combines our knowledge of the law with specifics of our clients’ businesses to produce optimal outcomes, despite sometimes challenging circumstances. We guide our clients through the complexities of employment procedures and policies, employee benefits, hiring and termination practices and compliance with ever-changing employment laws.

For more information on the group, click here.