Date: 2019-01-26

A unanimous ruling by the Illinois Supreme Court says that companies that improperly gather people’s data can be sued for damages even without proof of concrete injuries, opening the door to legal challenges that Facebook, Google, and other businesses have resisted.

The decision on Friday came in a landmark lawsuit against the theme park Six Flags, which recorded the thumbprint of a 14-year-old boy without notice or written consent while issuing him a season pass in 2014. For many companies, collecting biometric data like this is business as usual. But Illinois, where the incident occurred, has the strictest law around biometric data privacy in the country.

The law, called the Biometric Information Privacy Act, requires that companies explicitly inform a person about what biometric data–including fingerprints, facial scans, iris scans, or other biological information–they will collect and how it will be stored and used. Then, the company must also obtain prior consent from that person. While other states only allow attorneys general to sue companies, the Illinois law gives individuals the right to sue companies and collect damages of $1,000 (or $5,000, if the court finds a company deliberately or recklessly flouted the law).

Because Six Flags did not notify the boy’s mother, Stacy Rosenbach, about obtaining his fingerprints, she sued Six Flags for violation of the law. In its defense, Six Flags made the case that because Rosenbach couldn’t demonstrate that taking his fingerprints had done “harm” to the boy (for instance, there was no data breach or security problem), the company wasn’t liable for damages.

After the case bounced around the Illinois courts, on Friday the state’s Supreme Court ruled that Six Flags had violated the law and would need to pay the boy damages, even though there was no “harm” shown. Six Flags did not immediately reply to a request for comment.

The ruling sets a precedent in Illinois that if a company violates a citizen’s privacy without notice or consent and the citizen sues, the plaintiff doesn’t need to demonstrate harm for the law to protect them. Contrary to a core argument used by many corporate defendants, the court said that violating the privacy law was harmful in itself.

“An individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief,” the court wrote in its 13-page opinion.