Help

BI’s Article search uses Boolean search capabilities. If you are not familiar with these principles, here are some quick tips.

To search specifically for more than one word, put the search term in quotation marks. For example, “workers compensation”. This will limit your search to that combination of words.

To search for a combination of terms, use quotations and the & symbol. For example, “hurricane” & “loss”.

Login Register Subscribe

Illinois high court rules Six Flags must face biometrics lawsuit

Reprints
Illinois high court rules Six Flags must face biometrics lawsuit

Plaintiffs can sue firms under the Illinois’ Biometric Information Privacy Act for allegedly failing to properly notify people about their policies even if no actual harm is claimed, the Illinois Supreme Court said Friday in a unanimous opinion involving Six Flags Entertainment Corp. 

The law imposes numerous restrictions on how private entities collect, retain, disclose and destroy biometric identifiers, including retina or iris scans, fingerprints, voiceprints, scans of hand or face geometry, or biometric information, according to court documents in Rosenbach v. Six Flags Entertainment Corp. Under the law, any person “aggrieved” by a violation of its provisions has a private right of action against an offending party and may recover for each violation the greater of liquidated damages or actual damages, reasonable attorney fees and costs, and any other relief, including an injunction, that the court deems appropriate.

Six Flags Entertainment and its Great America LLC subsidiary own and operate the Six Flags Great America amusement park in Gurnee, Illinois, and sell repeat-entry passes to the park and have used a fingerprinting process when issuing those passes since at least 2014, according to court documents. In 2014, Stacy Rosenbach’s 14-year-old son visited the park on a school field trip. She purchased a season pass for her son online, but he had to complete the sign-up process in person once he arrived at the amusement park, including scanning his thumb into the park’s biometric data capture system, which Ms. Rosenbach was allegedly unaware would happen. Neither she or her minor son were informed in writing or in any other way of the specific purpose and length of term for which his fingerprint had been collected nor did they sign a written release for the fingerprint taking, according to court documents.

The central issue in the case decided by the state Supreme Court is whether one qualifies as an “aggrieved” person and may seek liquidated damages and injunctive relief if he or she has not alleged some actual injury or adverse effect, beyond violation of his or her rights under the statute. The appellate court said no because of its view that a person who only alleges a technical violation of the statute without alleging some injury or adverse effect is not an aggrieved person, but the Illinois Supreme Court reversed and remanded the case to the circuit court for further proceedings.

The Illinois legislature codified in the statute that individuals possess a right to privacy in and control over their biometric identifiers and biometric information, according to the state Supreme Court’s ruling. When a private entity fails to comply with one of the statute’s requirements, “that violation constitutes an invasion, impairment or denial of the statutory rights of any person or customer whose biometric identifier or biometric information is subject to the breach,” the court stated.

Given this authority, such a person or customer would clearly be “aggrieved” and entitled to seek recovery under that provision, according to the court.

“No additional consequences need be pleaded or proved,” the court stated. “The violation, in itself, is sufficient to support the individual’s or customer’s statutory cause of action.”

“Contrary to the appellate court’s view, an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the act, in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief pursuant to the act,” the court concluded.

A spokesperson for Six Flags could not be immediately reached for comment.

 

 

 

Read Next

  • Biometric data predicted to be at risk for cyberattacks

    Cyberattacks will zero in on biometric hacking and exposure vulnerabilities in touch identification sensors, facial recognition and passcodes in 2019, Experian Data Breach Resolution predicts in a report issued Monday.