Consumers Win This Round in Illinois Biometric Data Case

In Rosenbach v. Six Flags, the Illinois Supreme Court addressed the threshold issue of who is considered an “aggrieved” person capable of suing under the private right of action provided for in Illinois’ Biometric Information Privacy Act. The high court unanimously found that the plaintiffs in this case could bring claims for alleged violations of BIPA’s notice and consent requirements without alleging separate, real-world harm.


In 2008, Illinois became the first state to regulate the collection of biometric information, defined as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” Though Texas and Washington have also enacted biometric privacy laws in the interim, BIPA is the most stringent biometric privacy law in the US. BIPA, which provides a private right of action for “any person aggrieved by a violation of [the] Act,” is still being interpreted in the courts with more than 200 cases currently pending. 

What Happened?

A class action lawsuit was filed against theme park Six Flags in 2016 for collecting thumbprints from park-goers without informed consent. Named plaintiff Rosenbach alleged that her 14-year-old son was required to scan his thumbprint to access a season pass and she neither consented to nor received any information about the park’s collection and storage of this biometric information. She further alleged that she would never have purchased the season pass if she had known the full extent of Six Flags’ conduct.

While a previous state appellate court ruling adopted a narrower view of “aggrieved” person, the Illinois Supreme Court held that Rosenbach’s son would be considered an “aggrieved” person based merely on the fact that his thumbprint was taken without consent, in violation of BIPA. 

“To require individuals to wait until they have sustained some compensable injury beyond violation of their statutory rights before they may seek recourse, as defendants urge, would be completely antithetical to the act's preventative and deterrent purposes,” wrote Chief Justice Lloyd Karmeier. “[W]hatever expenses a business might incur to meet the law's requirements are likely to be insignificant compared to the substantial and irreversible harm that could result if biometric identifiers and information are not properly safeguarded; and the public welfare, security and safety will be advanced.”

Practical Tips

If collecting biometric information in a state that regulates the collection of such information, it is important to know what the law requires and what it prohibits:

Informed Consent. You must obtain written, informed consent to collect, capture, purchase or otherwise obtain an individual’s biometric information.

Retention and Destruction Policy. You must develop, and make publicly available, a written retention and destruction policy for biometric information.

Reasonable Security Measures. You must use the reasonable standard of care within your industry to store, transmit and protect from disclosure all biometric information.

Prohibition On Sale. You are prohibited from selling, leasing, trading or otherwise profiting from an individual’s biometric information.

Prohibition On Disclosure. Except in limited circumstances (e.g., where required by law), you are prohibited from disclosing or otherwise disseminating an individual’s biometric information without consent.

Continue Reading