A unanimous ruling by the Illinois Supreme Court says that companies that improperly gather people’s data can be sued for damages even without proof of concrete injuries, opening the door to legal challenges that Facebook, Google, and other businesses have resisted.
The decision on Friday came in a landmark lawsuit against the theme park Six Flags, which recorded the thumbprint of a 14-year-old boy without notice or written consent while issuing him a season pass in 2014. For many companies, collecting biometric data like this is business as usual. But Illinois, where the incident occurred, has the strictest law around biometric data privacy in the country.
The law, called the Biometric Information Privacy Act, requires that companies explicitly inform a person about what biometric data–including fingerprints, facial scans, iris scans, or other biological information–they will collect and how it will be stored and used. Then, the company must also obtain prior consent from that person. While other states only allow attorneys general to sue companies, the Illinois law gives individuals the right to sue companies and collect damages of $1,000 (or $5,000, if the court finds a company deliberately or recklessly flouted the law).
Because Six Flags did not notify the boy’s mother, Stacy Rosenbach, about obtaining his fingerprints, she sued Six Flags for violation of the law. In its defense, Six Flags made the case that because Rosenbach couldn’t demonstrate that taking his fingerprints had done “harm” to the boy (for instance, there was no data breach or security problem), the company wasn’t liable for damages.
After the case bounced around the Illinois courts, on Friday the state’s Supreme Court ruled that Six Flags had violated the law and would need to pay the boy damages, even though there was no “harm” shown. Six Flags did not immediately reply to a request for comment.
The ruling sets a precedent in Illinois that if a company violates a citizen’s privacy without notice or consent and the citizen sues, the plaintiff doesn’t need to demonstrate harm for the law to protect them. Contrary to a core argument used by many corporate defendants, the court said that violating the privacy law was harmful in itself.
“An individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief,” the court wrote in its 13-page opinion.
Neema Singh Guliani, senior legislative counsel at the American Civil Liberties Union, praised the decision.
“The tech industry insists that consumers shouldn’t be able to take companies to court merely because the companies violate privacy laws,” Guliani told Fast Company. “We applaud the Illinois Supreme Court for rejecting these self-serving arguments and making clear that companies that fail to comply with Illinois’ biometric law can be sued for damages.”
A new lawsuit over Google’s faceprints
The Six Flags ruling opens up the possibility for more Illinois-based lawsuits against companies for any violation of the state’s biometric privacy law–something Facebook is currently lobbying against.
It also builds a stronger case for other ongoing lawsuits, including one against Facebook regarding the company’s facial recognition-based photo-tagging tool and one filed against Google in state court on Thursday. The Google lawsuit was dismissed by a federal District Court Judge last month due to a lack of standing.
“The decision is a victory for consumers across Illinois over Facebook and other tech giants, who argue in courts that consumers do not face ‘harm’ from privacy violations and have pushed legislation in recent years to undermine the Illinois law,” the Illinois Public Interest Research Group said in a statement to the blog Capitol Fax.
In essence, the decision establishes that having your biometric data used without your knowledge or consent impacts you adversely, period, and that companies who do so are liable for damages. After all, you can’t get your fingerprints back once a company has taken them. And once a company has taken them, your data is open to all sorts of untold privacy harms, from abusive data mining to cybertheft.
“To require individuals to wait until they have sustained some compensable injury beyond violation of their statutory rights before they may seek recourse, as defendants urge, would be completely antithetical to the Act’s preventative and deterrent purposes,” the court wrote.
Guliani, of the ACLU, said the ruling should set a model for a federal privacy law.
“The ability to sue companies, otherwise known as a ‘private right of action,’ is critical to holding privacy-violating companies accountable for their actions,” she said. “Congress and legislators should follow Illinois’ example and ensure that any privacy legislation include a similar private right of action.”
In the complaint filed against Google on Thursday, Lindabeth Rivera and Joseph Weiss allege that the company “failed to obtain consent from anyone when it introduced its facial recognition technology.” Weiss alleged that Google created a faceprint of him after he uploaded his photos to Google Photos, and Rivera, who said she doesn’t have a Google Photos account, alleges Google mined her face after someone else uploaded photos of her to the service.
The Illinois privacy law has led to at least 110 lawsuits against businesses in the state since 2008, according to officials with the Illinois Chamber of Commerce. Most of the suits are against businesses that use fingerprints to track employees’ time worked, the organization says.
Chamber of Commerce president and CEO Todd Maisch said in a statement that Friday’s ruling would hurt the state’s employers. “We fear that today’s decision will open the floodgates for future litigation at the expense of Illinois’ commercial health,” Maisch said.
But consumer activists hailed the decision as a significant victory, especially when it comes to large tech companies.
“Your biometric information belongs to you and should not be left to corporate interests who want to collect detailed information about you for advertising and other commercial purposes,” wrote senior staff counsel Rebecca Glenberg of the ACLU of Illinois in a statement. “The Court recognized that individuals must have the right to sue companies that unlawfully collect their personal information; otherwise, the companies will not be held accountable.”
Rosenbach v. Six Flags Ente… by on Scribd