A patron presses her thumb to a scanner station posted at the entrance of a theme park. The finger scan is converted to a numeric algorithm that serves to validate the patron’s identity for future visits. The entire transaction, in which the patron transferred her fingerprint, i.e., her biometric information, to the park, occurred in a matter of seconds. The park did not explain the significance of the scan and, consequently, the patron did not provide informed consent.
Aside from being a roller coaster fanatic or water slide enthusiast, is the patron also an “aggrieved” plaintiff? If the patron is at Six Flags in Illinois, you bet. If the patron is wearing mouse ears en route to Magic Kingdom in Orlando, no. Well, not yet anyway. (We do not address Wally World in this article because Clark Griswold, a fictional character, has no access to courts.)
Broadly defined, biometric information refers to the intrinsic physical or behavioral characteristics of an individual. Examples include DNA, retina, voice, fingerprints and facial geometry. This special category of personally identifiable information has recently taken center stage in the unfolding drama that is information privacy.
In Rosenbach v. Six Flags Entertainment. the Illinois Supreme Court held that a prospective plaintiff has a cognizable injury under the Biometric Information Privacy Act, or BIPA, based on mere collection of her biometric information without informed consent. In other words, under Illinois’ BIPA, our hypothetical patron is an aggrieved plaintiff even if she suffered nothing further than the unconsented collection of her biometric information.
Just like our hypothetical patron, the plaintiff in Rosenbach scanned her fingerprint into Six Flags’ biometric information capture system without any prior notice of the scan’s purpose. Specifically, Six Flags did not publicly disclose what was done with the biometric information or how long it would be retained. Moreover, Six Flags failed to maintain a written policy delineating guidelines related to the collection of patrons’ biometrics.
Illinois’ BIPA prohibits a private entity from collecting biometric information without providing requisite disclosures and obtaining written consent. In defending against the alleged BIPA violation, Six Flags argued that the plaintiff lacked standing to sue because he did not suffer any actual injury apart from the violation itself. In other words, Six Flags invoked the old adage, “no harm, no foul.”
Section 20 of Illinois’ BIPA states, in pertinent part, that “any person aggrieved by a violation of this act shall have a right of action in state circuit court … .” Interpreting this language, the Illinois high court turned the “no harm, no foul” adage on its head in concluding that the foul is the harm. The court held that actual injury is inherent in the unconsented-to collection of biometric information.
While the Illinois Supreme Court looked to the ordinary definition of “aggrieved” in reasoning its way to a holding, the driving force was legislative intent. The court emphasized the fact that the Illinois legislature vested “in individuals and customers the right to control their biometric information by requiring notice before collection and giving them the power to say no by withholding consent.” As noted by the court, the legislature appreciated the unique nature of biometrics—i.e., the fact that, unlike other personally identifiable information, biometric information is biologically unique to the individual. Consequently, the legislature afforded biometrics a heightened level of protection, in which infringement on the right to control one’s biometrics is, inherently, a compensable grievance under the law.
Perhaps taking a cue from Illinois, a Florida lawmaker introduced BIPA-style legislation. Mirroring Illinois’ BIPA, the bill would have permitted a cause of action for “any person aggrieved by a violation” of Florida’s BIPA. The bill died in committee May 3, in the final hours of the session. But, for Florida theme parks utilizing biometrics, such as Disney World, the question remains whether Florida courts will require some injury beyond violation of the Act to confer standing.
To date, Florida courts, in other data privacy contexts, have required a realized economic detriment to confer standing. However, a reading of the tea leaves tells us that, like Illinois, Florida may distinguish biometrics on account of its inherently sensitive and unique nature. Similar to Rosenbach, we may soon see a Florida DCA case holding that when a Florida company fails to adhere to Florida’s BIPA, “the right of the individual to maintain [his or] her biometric privacy vanishes into thin air” resulting in a “real and significant” injury.
Justin Guido is an associate with Shutts & Bowen in Miami.