Locke Lord QuickStudy: Biometrics: Illinois Appellate Court Potentially Revives “No-Injury” Lawsuits Under the Biometric Information Privacy Act

Locke Lord LLP
October 4, 2018
On September 28, 2018, an Illinois Appellate Court issued an opinion that will likely increase class-action filings under Illinois’s Biometric Information Privacy Act (“BIPA”). In Sekura v. Krishna Schaumburg Tab, Inc., 2018 IL App (1st) 180175, the court held that BIPA’s plain language does not require a plaintiff who alleges a statutory violation to allege an additional injury in order to state a claim. This decision from the First District deviates from the Second District’s 2017 holding in Rosenbach v. Six Flags Entertainment Corp., which held that a BIPA plaintiff who alleges a statutory violation without a resulting injury may not sue under the statute. 2017 IL App (2d) 170317.

This split will be resolved soon, as the Illinois Supreme Court recently heard oral argument in Rosenbach and should therefore definitively decide who a “person aggrieved” is under BIPA.

BIPA prohibits private entities from obtaining or using an individual’s biometric information without first providing defined notices and obtaining written consent to do so. 740 ILCS 14/15(a), (b). BIPA allows any “person aggrieved” by a statutory violation to sue for either actual damages or “liquidated damages” of between $1,000 and $5,000, plus attorneys’ fees and injunctive relief. 740 ILCS 14/20.

“Person aggrieved” is not defined in the statute, which has led to conflicting decisions about whether an actual injury is required to have standing to sue. Compare McCollough v. Smarte Carte, Inc., 2016 WL 4077108, at *4 (N.D. Ill. Aug. 1, 2016) (dismissing BIPA action for lack of actual damages) and Vigil v. Take-Two Interactive Software, Inc., 235 F. Supp. 3d 499, 521 (S.D.N.Y. 2017) (dismissing BIPA claim where there was no injury attributable to procedural BIPA violation) (aff’d 2017 WL 5592589 (2nd Cir. Nov. 21, 2017)) with Monroy v. Shutterfly, Inc., 2017 WL 4099846, at *9 (N.D. Ill. Sept. 15, 2017) (rejecting argument that “person aggrieved” requires an actual injury) and In re Facebook Biometric Information Privacy Litigation, 2018 WL 1794295, at *7 (N.D. Cal. Apr. 16, 2018) (holding that a statutory violation is an invasion of privacy sufficient to create statutory standing to sue, and that no further tangible injury (such as identity theft or financial loss) needs to be shown).

The defendant in Sekura operated a tanning salon that allegedly collected class members’ fingerprints in connection with purchases of services and enrollment in defendant’s national membership database. The plaintiff alleges that she was required to scan her fingerprint each time she visited the defendant, and that the defendant disclosed this fingerprint data to an out-of-state third-party vendor. The defendant allegedly did not provide the specific notice or receive from plaintiff the written release required by BIPA. Plaintiff alleges that she was deprived of her legal rights by the defendant’s violation of the statute and that she suffers from mental anguish.   

The appellate court rejected the holding in Rosenbach that if a technical violation of the statute was actionable it would render the word “aggrieved” superfluous, finding that the statute’s plain language “does not state that a person aggrieved by a violation of this Act—plus some additional harm—may sue.” 2018 IL App (1st) 180175, ¶¶ 50-55 (“If the drafters had intended to limit the pool of plaintiffs to those plaintiffs who had been both aggrieved by a violation of the Act and aggrieved by some additional harm or injury, they could have easily stated that.”). In its analysis, the court reviewed the definition of “aggrieved” and was satisfied that a deprivation of legal rights would render a person “aggrieved” under the statute. Id. at ¶¶ 52-53. The court also found persuasive BIPA’s legislative history and similarities with other statutes that use the term “aggrieved.” 

Notably, the Sekura court observed that even if it agreed with the Rosenbach decision, the facts in Sekura would be distinguishable because plaintiff in Sekura alleged “(1) an injury to her legal right to privacy of her own biometric information; by the disclosure of this information to an out-of-state third party vendor, and (2) mental anguish.” Id. at ¶¶ 76-77 (“To be clear, we find that the statutory violations to plaintiff’s privacy constituted harm even without disclosure, but the disclosure in the case at bar makes it distinguishable from Rosenbach.”).   

Given the district split at the appellate level, the Sekura defendant will very likely appeal to the Illinois Supreme Court, which is slated to decide in the Rosenbach appeal whether a “person aggrieved” includes a plaintiff who has experienced only a technical statutory violation or whether an actual injury is required as well. That decision—which could potentially address Sekura as well if the appeals are consolidated—will bind Illinois courts and federal courts applying BIPA. While an affirmance in Rosenbach would not necessarily be dispositive in Sekura given plaintiff’s alleged injuries, it would nonetheless make class certification difficult due to individualized injury determinations. And, of course, if the Supreme Court decides that BIPA has no actual-injury requirement, a wave of new class actions will be sure to follow.