'Spokeo' Standing Analysis After 'Rosenbach v. Six Flags'
Two cases, one from the U.S. Supreme Court and one from the Illinois Supreme Court, have set the venue for the enforcement and interpretation of an Illinois privacy law squarely in the Illinois state courts, to the exclusion of the federal courts.
July 18, 2019 at 02:50 PM
8 minute read
Two cases, one from the U.S. Supreme Court and one from the Illinois Supreme Court, have set the venue for the enforcement and interpretation of an Illinois privacy law squarely in the Illinois state courts, to the exclusion of the federal courts. This situation is likely to spread as other states move to pass their own privacy and cybersecurity laws. As such, state courts are likely to be on the forefront of enforcing state privacy and cybersecurity laws, especially those that provide procedural protections to guard against harms that are difficult to quantify.
The story starts with the Supreme Court's decision in Spokeo v. Robins, 136 S.Ct. 1540 (2016), a case involving allegations of violations of the Fair Credit Reporting Act. In Spokeo, the Supreme Court reiterated that to have standing to bring a claim in federal court under Article III of the U.S. Constitution, the plaintiff, among other things, must have suffered an injury in fact. That is, he or she must have suffered an invasion of a legally protected interest that is concrete and particularized and actual and imminent, not conjectural or hypothetical. The court stated that to be concrete, an injury must be real and not abstract, although it does not necessarily have to be tangible. While the court noted that Congress can elevate intangible harms to meet the injury in fact requirement, plaintiffs do not “automatically satisfy the injury-in-fact requirement whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right.” Thus, plaintiffs cannot meet the Article III standing requirement by alleging “a bare procedural violation, divorced from any concrete harm.”
Although Spokeo was a case arising under the Fair Credit Reporting Act, the standing analysis quickly spread to other privacy laws. One of those laws was the Illinois Biometric Information Privacy Act (BIPA), 740 ILCS/1, et seq. BIPA imposes numerous requirements on entities that collect biometric identifiers or biometric information, such as fingerprints or retina scans. Specifically, an entity cannot collect a person's biometric data without first informing that person that his or her biometric data is being captured and stored, informing that person of the specific purpose for which his or her biometric data is being collected, and receiving a written release from the individual whose biometric data is being collected. BIPA creates a private right of action and statutory or actual damages for any person “aggrieved by” a violation of the statute.
Soon after the Supreme Court decided Spokeo, several BIPA cases made their way to federal district courts by way of diversity jurisdiction. Those cases involved allegations that the defendant collected the plaintiff's biometric information without providing the required notices or receiving the required release. They did not involve a security breach that exposed this information or a subsequent disclosure of any biometric information to a third party. Using the Spokeo analysis, the federal courts dismissed these suits for lack of standing. They reasoned that the cases involved “bare procedural violations” of BIPA, and without more to demonstrate concrete harm, the plaintiffs lacked standing under Article III.
Meanwhile, BIPA faced a similar debate in Illinois state courts that were dealing with the interpretation of BIPA itself. Some state courts had ruled that to be “aggrieved by” a violation of BIPA, and therefore have a right of action, an individual must have sustained some actual injury or harm beyond the statutory violation itself. Other state court decisions rejected this idea, ruling that the violation of an individual's statutory rights to notice and consent under BIPA is alone sufficient to make that individual “aggrieved” under the statute with standing to sue.
Ultimately, the Illinois Supreme Court was called on to resolve the debate in Rosenbach v. Six Flags Entertainment, — N.E.3d —, 2019 IL 123186 (2019). The Rosenbach court ruled that “an individual need not allege some actual injury or adverse effect, beyond violation of his rights under [BIPA], in order to qualify as an 'aggrieved' person” with a right of action.
The court's analysis centered on the generally understood meaning of the word “aggrieved.” It rejected the lower court's statement that “mere technical” violations of BIPA do not make one “aggrieved” under the statute. In doing so, the court noted that in passing BIPA, the Illinois General Assembly sought to give individuals control over their biometric information by requiring that they be given notice and the “power to say no by withholding consent.” Therefore, it reasoned, the procedural protections in BIPA were critical to protect individuals from the harm that the General Assembly sought to avoid, the right to maintain one's biometric privacy. According to the court, violation of the procedural protections in BIPA, therefore, is “no mere 'technicality.'” Rather, the injury from a procedural violation “is real and significant.”
In coming to its conclusion, the Illinois Supreme Court gave weight to the General Assembly's assessment that biometric data is inherently different from other forms of personal data. When passing BIPA, the General Assembly noted that other forms of personal data, such as Social Security numbers, could be changed if compromised. But biometric information is “biologically unique to the individual” and therefore cannot so easily be changed if compromised. As such, the court essentially concluded that there is no such thing as a “mere technical” violation of BIPA. Violation of the procedural provisions of BIPA violates the substantive right that BIPA is designed to protect.
Thus, did Rosenbach change anything with respect to the Article III standing analysis in BIPA cases? It has not yet, although Rosenbach was just decided in January 2019. Granted, the issues raised in Rosenbach and Spokeo are two separate questions, one dealing with state law statutory construction, and one dealing with constitutional interpretation. Yet the questions are related. In Spokeo, the Supreme Court ruled that “a bare procedural violation” of a statute is not enough to establish Article III standing absent any concrete harm. It also noted, however, that Congress plays an important role in identifying intangible harms that meet the concrete harm requirement. And the Rosenbach court determined that the Illinois General Assembly had found that the risk associated with having one's biometric data collected without notice and consent created a “real and significant” injury.
In other words, Rosenbach stands for the proposition that a “mere procedural violation” of BIPA creates an appreciable risk of the very harm the statute was designed to prevent, individuals losing control over their biometric information. While the Illinois General Assembly cannot elevate this intangible harm to meet the injury in fact requirement as Congress can, its assessment and the Rosenbach decision should at least inform the analysis of whether a “mere procedural violation” of BIPA creates a risk of real harm that is concrete enough to satisfy Article III standing requirements.
In any event, for the time being, BIPA cases alleging no more than a procedural violation are essentially nonremovable under Spokeo, even if there is diversity of citizenship. An individual whose biometric information is collected without the requisite notice or consent is an aggrieved person under the statute, and therefore, has a right of action in state court. That same individual, however, has not necessarily suffered a concrete injury for purposes of Article III analysis under Spokeo. Therefore, if a diverse defendant attempts to remove the case, the district court will likely remand it for lack of standing if it sticks to pre-Rosenbach analysis. As more states pass their own biometric privacy laws, this may become the case for those laws as well, depending on the statutory language and how the state courts interpret it. For now, unless the federal courts are willing to view biometric data differently than they view other forms of personal data, it appears that state courts will largely be on the forefront of enforcing notice and consent provisions in biometric privacy laws, with federal courts mere observers based on constitutional standing principles.
Brian Kint is a Philadelphia-based member of the data privacy & security practice at Cozen O'Connor. Both an attorney and a certified information privacy professional (CIPP/US), he can speak the language of the law as well as the language of the IT professionals responsible for developing and implementing technology solutions to adhere to the law and to the organization's data security strategy. Contact him at [email protected].
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllPa. Federal District Courts Reach Full Complement Following Latest Confirmation
The Defense Bar Is Feeling the Strain: Busy Med Mal Trial Schedules Might Be Phila.'s 'New Normal'
7 minute readFederal Judge Allows Elderly Woman's Consumer Protection Suit to Proceed Against Citizens Bank
5 minute readJudge Leaves Statute of Limitations Question in Injury Crash Suit for a Jury
4 minute readTrending Stories
- 1Call for Nominations: The Recorder and Law.com's California Legal Awards 2025
- 2The Week in Data Dec. 13: A Look at Legal Industry Trends by the Numbers
- 3Antitrust Class Actions Against CVS, Other Pharmacy Benefit Managers Are Piling Up
- 4Judge Grinds NY's Cannabis Licensing Regime to a Halt Again
- 5On the Move and After Hours: Barclay Damon; VLJ; Barnes & Thornburg
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250