
Alston & Bird Privacy, Cyber & Data Strategy Blog


Illinois Supreme Court Empowers Claims Under Biometric Information Privacy Act

January 28, 2019 By Michael Young

In an opinion issued Friday, the Illinois Supreme Court handed a potentially significant victory to plaintiffs advancing claims under Illinois’ Biometric Information Privacy Act and seeking statutory damages under that law. The Court held that plaintiffs do not need to assert injury or harm outside of a relevant violation of the statute itself in order to bring claims and seek statutory damages for relevant violations of the statute. Friday’s decision represents a potentially significant victory for members of the class action plaintiffs’ bar seeking to bring claims under the law.

Illinois’ Biometric Information Privacy Act governs the collection and receipt of biometric identifiers such as retina or iris scans, fingerprints, voiceprints, hand scans and facial geometry. Companies regulated under the Act must provide notice and obtain an executed “written release” from the individual. The statute provides that anyone “aggrieved” by a violation of the statute shall have a right of action and may be entitled to recover statutory damages of between $1,000 (for negligent violations) and $5,000 (for intentional or reckless violations) for each violation. As the use of biometric information becomes more common, the Act is expected to increasingly impact businesses that collect or receive biometric information.

Friday’s opinion arises from a case where the defendants were alleged to have collected fingerprint information without providing required notice or obtaining consent. The plaintiffs did not allege harm or injury outside of the violation of the statute. The defendants argued that, without such an allegation, the plaintiffs were not “aggrieved” within the meaning of the statute and should not be permitted to seek statutory damages and relief.

The Illinois Supreme Court rejected the defendants’ argument. In interpreting the word “aggrieved,” the Court held that “a person need not have sustained actual damage beyond violation of his or her rights under the Act in order to bring an action under it.” Where a private entity is alleged to have failed to meet the notice and consent requirements, that violation “in itself, is sufficient to support the individual’s or customer’s statutory cause of action.” The Court characterized such a violation as being in itself an “injury” that is “real and significant”:

To require individuals to wait until they have sustained some compensable injury beyond violation of their statutory rights before they may seek recourse, as defendants urge, would be completely antithetical to the Act’s preventative and deterrent purposes.

After Friday’s decision, companies that collect or receive biometric information without meeting the relevant requirements of the Biometric Information Privacy Act will likely find themselves with a more limited set of legal defenses in actions brought under the statute.

Filed Under: Privacy, Privacy Litigation Tagged With: Biometric Privacy, Class Actions, Illinois

About Michael Young

Michael is counsel on the Privacy & Data Security Team. Michael focuses his practice on data privacy advising and technology transactions.


This blog is a service of Alston & Bird’s Privacy, Cyber & Data Strategy team and focuses on key data privacy and data security issues.

