A case that could ultimately defang Illinois’ biometric privacy law is now underway before the state’s Supreme Court.
It revolves around the Illinois Biometric Information Privacy Act, or BIPA, a law passed back in 2008 that essentially requires organizations to obtain informed consent from individuals before collecting their biometric data. The biometric revolution in consumer tech exploded in the years after the law was enacted, with companies like Facebook and Google using facial recognition to identify individuals in photos uploaded to their services; and both of these companies, among others, have faced legal action over alleged violations of BIPA.
The case in question doesn’t involve a tech company, however, but rather the Six Flags amusement park chain. When Stacy Rosenbach’s then 14-year-old son went to Six Flags to collect a season pass, he was fingerprinted by the company for authentication purposes; she has brought the case forward, arguing that she didn’t give the company permission to collect her son’s biometrics.
Six Flags’ defense is arguing that the victim of a BIPA violation must show that some kind of harm was done by the violation – an argument that could considerably restrict the scope of the law if the Illinois Supreme Court accepts it.
It’s not at all clear that it will. The court held appellate hearings last week, and Law360 reports that three of the seven judges already showed some overt skepticism about Six Flags’ argument. Meanwhile, Illinois’ newly-elected Attorney General, Kwame Raoul, has signaled that he is a staunch supporter of BIPA, and presumably a broad interpretation of it, which may reflect wider legal attitudes in the state.
Of course, this is just the beginning. It’s too early to say which way this case will go, but a lot of organizations will be watching closely, with many viewing it as an early test case of the limits of biometric data collection in today’s society.
November 28, 2018 – by Alex Perala