Chicago, IL - Last week, the Illinois Supreme Court refused to undermine the Illinois Biometric Privacy Act (BIPA), a decision supported by Lucy Parsons Labs in our amicus brief. BIPA protects biometric data and is one of the most robust privacy laws in the country–which is why companies like Facebook and Google have been aggressively lobbying against it. In spite of that pressure, on January 25th the State Supreme Court held that an individual can sue a private business for collecting their biometric data without their informed consent.
BIPA was enacted over a decade ago, as a reaction to the increasing collection and use of biometric information. Under BIPA, if a business wants to collect someone’s biometrics, the business must obtain written consent beforehand. BIPA also allows individuals to sue businesses that violate the law. However, until last week, it was unclear whether a technical violation of the statute could trigger a lawsuit. Those hoping to undermine BIPA argued that an individual bringing a claim under the law needed to prove not only a violation of their statutory right to control their data, but also an injury resulting from that violation.
In 2014, Alexander Rosenbach, a minor, bought a season pass to Six Flags Great America. Six Flags fingerprinted Rosenbach, without his or his parents’ informed consent. When the family sued Six Flags under BIPA, Six Flags challenged the grounds of their suit. They argued that, aside from violating his statutory rights, they hadn’t actually injured Alex. Merely violating BIPA, they argued, wasn’t enough for a lawsuit. The Supreme Court disagreed— holding that merely violating BIPA was injury enough.
Lucy Parsons Labs joined a ‘friend of the court’ brief alongside the Electronic Frontier Foundation, ACLU, CDT, PIRG and the Chicago Alliance Against Sexual Exploitation. We argued that because collecting biometrics without consent is a harm under BIPA, suing for damages is appropriate.
Much of the court’s decision looked to the legislature’s intent in enacting BIPA. Citing Patel v. Facebook Inc., a similar case pending in the 9th Circuit, the court argued that “when a private entity fails to adhere to [BIPA’s] statutory procedures,” an individual shouldn’t have to show any harm beyond the violation. In violating BIPA, “the precise harm the Illinois legislature sought to prevent is…realized.” The court held that violating BIPA means more than violating a mere technicality, it means violating someone’s “right to control their biometric information”. The legislature intended, the court reasoned, for individuals to be able to file suit to protect that right.
In the preamble to BIPA, the legislature appreciated that BIPA would protect “public welfare, security, and safety.” But they conceded that “the full ramifications of biometric technology are not fully known.” A decade after BIPA’s enactment, those ramifications are still not fully known, but the legislature’s unease was prescient. As our brief argued, banks’, shopping malls’, or the police’s use of biometrics are not necessarily benign. To make matters worse, biometric technology is notoriously inaccurate, racist, and often abused.
With last week’s ruling, there are more robust safeguards in place to protect against these dangers. In the wake of Rosenbach, Lucy Parsons Lab expects more lawsuits in Illinois demanding respect for privacy. Alongside these suits, we also expect tech companies to ramp up their lobbying efforts, in order to prevent similar laws nationwide. As this fight continues, Lucy Parsons Lab will continue to advocate for privacy, in all its forms.