Court ruling on biometric data enables US citizens the right to sue tech companies

The ruling in the case of Rosenbach v. Six Flags Entertainment involves an interpretation of the controversial Illinois biometric data law, which is formally known as the Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (“BIPA”). In this case, the mother of a 14-year-old minor sued the Six Flags theme park for improperly collecting the fingerprints of her son in order to issue a season pass for the park.

This right is enabled even if there was no “harm” to the individuals. Simply by violating the personal privacy of an individual, a corporation can cause harm – and there is no need to prove that any other malicious event has occurred.

The Illinois biometric data law was introduced back in 2008 and states that all businesses in the state of Illinois must follow very strict rules whenever they are collecting, storing and sharing biometric data of customers and clients. As a result, companies must obtain written consent, must have in place policies for the retention and destruction of biometric data, and must have secure safeguards in place to protect that biometric data.

Legislation such as BIPA (and similar biometric laws that has been passed in Washington State and Texas) provides a way for US citizens to claim damages any time they have been “aggrieved” or “harmed” by biometric technology. That is because the Illinois law specifically grants a “private right of action” (i.e. the right to sue a company) to citizens, enabling them to claim damages of up to USD 1,000 if their biometric identifiers (such as fingerprints or facial scans) are used in any way that causes harm to them.

As a result, this important court ruling on biometric data could set the new standard nationwide. So far only three US states – Illinois, Washington and Texas – have laws on the books related to biometric data. However, a handful of other states – Michigan, New Hampshire, Alaska and Montana – have pending legislation related to biometric data, according to CPO Magazine. Based on this ruling, they might be willing to also give a private right to action to its own citizens, thereby holding tech companies to the same rigorous standard as Illinois.