Skip to Main Content



David E. Morrison, a principal in the firm's Labor & Employment and Litigation groups, was quoted in "Illinois Ruling Highlights Risks of Biometric Identifier Use," published in the Jan. 29, 2019, edition of HRDIVE.

The article discusses the Illinois Supreme Court ruling in Rosenbach v. Six Flags Entertainment Corporation et al. that plaintiffs alleging harm under that state's Biometric Information Privacy Act (BIPA) need not prove any injury beyond a violation of their rights in order to seek liquidated damages and injunctive relief. 

"This is a very significant decision considering that many companies have been using biometric identifiers without complying with the statute."
~ David Morrison

The case involved a 14-year-old who was required to provide a fingerprint scan to buy a season pass at a Six Flags amusement park; neither he nor his parents signed a written release or was informed about the purpose and length of retention of the fingerprint data, according to court documents.

Six Flags argued that the plaintiff had suffered no actual or threatened injury and therefore lacked standing to sue, but the Illinois Supreme Court said he was “aggrieved” within the meaning of the statute simply because the business failed to comply with BIPA’s requirements. Accordingly, it reversed a lower court’s ruling in favor of Six Flags and remanded the case for further proceedings.

BIPA imposes numerous restrictions on how private entities collect, retain, disclose and destroy biometric identifiers, including retina or iris scans, fingerprints, voiceprints, scans of hand or face geometry, or biometric information. Any person “aggrieved” by a violation of BIPA is entitled to recover damages, attorney fees and costs and other relief (including injunctive) deemed appropriate by a court.

The Illinois Supreme Court noted that Six Flags had retained the plaintiff’s biometric identifiers and information without publicly disclosing “what was done with the information or how long it [was to] be kept.” This alone was sufficient to give the plaintiff standing to sue, the court said, even absent a showing of actual damages: “Through the Act, our General Assembly has codified that individuals possess a right to privacy in and control over their biometric identifiers and biometric information.”

The court continued, arguing that compliance should not be difficult. ”[W]hatever expenses a business might incur to meet the law’s requirements are likely to be insignificant compared to the substantial and irreversible harm that could result if biometric identifiers and information are not properly safeguarded,” it said.

While Rosenbach deals with a business’ interaction with the public, Mr. Morrison addressed the implications that this ruling has for employers in Illinois. He said: "This is a very significant decision considering that many companies have been using biometric identifiers without complying with the statute. Employers are going to need to revisit using this technology, and work with counsel to come up with compliant policies and procedures." 

He concluded that if the Illinois Supreme Court “were to decide that a failure to provide notice and obtain consent, standing alone, is enough to sustain a BIPA action” — which is precisely what happened — “employers are almost certain to see an increase in BIPA litigation.”