In an opinion issued Friday, the Illinois Supreme Court handed a potentially significant victory to plaintiffs advancing claims under Illinois’ Biometric Information Privacy Act and seeking statutory damages under that law. The Court held that plaintiffs do not need to assert injury or harm outside of a relevant violation of the statute itself in order to bring claims and seek statutory damages for relevant violations of the statute. Friday’s decision represents a potentially significant victory for members of the class action plaintiffs’ bar seeking to bring claims under the law.
Illinois’s Biometric Information Privacy Act governs the collection and receipt of biometric identifiers such as retina or iris scans, fingerprints, voiceprints, hand-scans and facial geometry. Companies regulated under the Act must provide notice and obtain an executed “written release” from the individual. The statute provides that anyone “aggrieved” by a violation of the statute shall have a right of action and may be entitled to recover statutory damages between $1,000 (for negligent violations) – $5,000 (for intentional or reckless violations) for each violation. As the use of biometric information becomes increasingly common, the Act is expected to increasingly impact businesses who collect or receive biometric information.
Friday’s opinion arises from a case where the defendants were alleged to have collected fingerprint information without providing required notice or obtaining consent. The plaintiffs did not allege harm or injury outside of the violation of the statute. The defendants argued that, without such an allegation, the plaintiffs’ were not “aggrieved” under the meaning of the statute and should not be permitted to seek statutory damages and relief.
The Illinois’s Supreme Court rejected the defendant’s argument. In interpreting the word “aggrieved,” the Court held that “a person need not have sustained actual damage beyond violation of his or her rights under the Act in order to bring an action under it.” Where a private entity is alleged to have failed to meet the notice and consent requirements, that violation “in itself, is sufficient to support the individual’s or customer’s statutory cause of action.” The Court characterized such a violation as being in itself an “injury” that is “real and significant”:
To require individuals to wait until they have sustained some compensable injury beyond violation of their statutory rights before they may seek recourse, as defendants urge, would be completely antithetical to the Act’s preventative and deterrent purposes.
After Friday’s decision, companies which collect or receive biometric information without meeting the relevant requirements of the Biometric Information Privacy Act likely find themselves with a more limited set of legal defenses in actions brought under the statute.