Illinois Biometric Information Privacy Act of 2008 requires that companies gather consent from customers to collect and store biometric information from their customers. The law covers everything from fingerprints to facial recognition markers. Several companies have faced lawsuits alleging violations of the law. Facebook and Google have both waged battles against the act over their facial-recognition and photo-sorting software.
The latest case to be decided on the legislation was brought against Six Flags, which fingerprinted a minor without his parents’ permission. The theme park contested the claim arguing that since the plaintiff had not proven or even declared actual injury, the park could not be held liable for damages and filed a motion to dismiss. A lower circuit court agreed with Six Flags and dismissed the case as did the appellate court.
However, it seems clear in the law's wording in section 20 that tangible damages are not necessary.
Any person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party. A prevailing party may recover for each violation:
(1) against a private entity that negligently violates a provision of this Act, liquidated damages of $1,000 or actual damages, whichever is greater;
(2) against a private entity that intentionally or recklessly violates a provision of this Act, liquidated damages of $5,000 or actual damages, whichever is greater;
(3) reasonable attorneys’ fees and costs, including expert witness fees and other litigation expenses; and
(4) other relief, including an injunction, as the State or federal court may deem appropriate.
So if no damages are stated or proven, then the penalties laid out under the legislation default to $1,000-5,000 in damages, plus legal fees and possible injunctions.
With encouragement from groups concerned with personal rights and privacy including Electronic Privacy Information Center, American Civil Liberties Union, the Center for Democracy and Technology, and the Electronic Frontier Foundation (EFF), the plaintiffs took the case to the Illinois Supreme Court. Upon consideration of the law as written, the high court overturned the appellate court’s ruling and referred the matter back to the Ninth Circuit.
"The judgment of the appellate court is therefore reversed, and the cause is remanded to the circuit court for further proceedings."
“Contrary to the appellate court’s view, an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act,” the ruling reads. “Whatever expenses a business might incur to meet the law’s requirements are likely to be insignificant compared to the substantial and irreversible harm that could result if biometric identifiers and information are not properly safeguarded.”
Privacy advocates applauded the high court’s decision. Had it upheld the appellate court’s opinion, BIPA would have suffered a crippling blow, which would have set a legal precedent allowing companies to ignore the law.
“As biometric collection, use, and sharing become more widespread and invasive every year, it only becomes more important that private citizens can sue under laws like BIPA to protect their privacy,” said the EFF of the ruling.
The Illinois Chamber of Commerce was not in favor of the decision. It feels that the ruling will “open the floodgates” for further frivolous litigation and that it will harm the “commercial health” of Illinois.