Rosenbach v. Six Flags Entertainment Corp.: Implications for the Right to Biometric Privacy

With new technological advances, many companies have begun collecting the biometric data of consumers, such as fingerprints, facial scans, and DNA samples. Accordingly, state governments, concerned with the protection of individuals’ rights and privacy, have taken action. The Illinois Biometric Information Privacy Act (BIPA) imposes strict regulations on businesses that collect biometric data, requiring them to obtain an individual’s written consent prior to collecting biometric data and inform the individual of how this data will be used and stored [1]. Additionally, this law allows an individual to sue for damages if a business has violated these regulations. In 2016, Stacey Rosenbach sued Six Flags Entertainment Corporation under this law [2]. She alleged that Six Flags had improperly collected the fingerprint data of her son at an amusement park, in violation of the BIPA. Rosenbach v. Six Flags Entertainment Corp. (2019), reached the Illinois Supreme Court on appeal. Importantly, the court was not deliberating on the constitutionality of the law itself, but instead on questions over the correct implementation of the law. Nonetheless, Rosenbach sets a precedent in biometric privacy law that could be a deciding factor in a related biometric privacy case likely to be brought before the Supreme Court. 

In Rosenbach, the plaintiff sought damages on the grounds that the defendant had collected biometric information without informing the plaintiff of how it would be used or that this collection had even occurred [3]. The defendant argued that the plaintiff could not seek damages because neither the plaintiff nor her son had suffered any legitimate injury or damage. In the defendant’s interpretation of the BIPA, an individual could only sue if they had “sustained some actual injury or harm, apart from the statutory violation itself.” [4] In other words, the plaintiff could not sue merely because the defendant had violated the law. 

Thus, the court identified the central legal question in the case as whether an individual could seek “statutory liquidated damages” and “injunctive relief” when the only injury alleged by the individual was “a violation of §15(b) of the Act by a private entity who collected his biometric identifiers and/or biometric information without providing him the required disclosures and obtaining his written consent as required by §15(b) of the Act.” [5] The underlying question of this case centers on the individual’s right to ensure their biometric information remains private. Specifically, this case addresses the question of whether, under the BIPA, a violation of an individual’s right to biometric privacy is an injury that warrants redress. 

Ultimately, the court ruled in favor of the plaintiff, establishing that under the BIPA, “an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act” to be entitled to seek damages and injunctive relief [6]. The court concluded that the legislature, in creating the BIPA, intended to allow individuals to bring legal action under the act without having “sustained actual damage beyond violation of his or her rights.” [7] 

This ruling establishes a precedent that could lead to an abundance of future legal action, particularly on the topic of biometric privacy. The court acknowledged that “substantial and irreversible harm… could result if biometric identifiers and information are not properly safeguarded.” [8] They identified this fact, that the mismanagement of biometric information could lead to “substantial and irreversible harm,” as the reason individuals can sue for damages if their right to biometric privacy is violated. The ruling establishes a clear precedent: under the BIPA, the violation of the right to biometric privacy provides standing to sue. This new precedent opens the door for new cases to be filed under the BIPA. Rosenbach may encourage more individuals to sue companies using the BIPA framework. As a result, any business that collects biometric information, such as apps that use facial recognition technology and ancestry testing websites that collect customer’s DNA, could be subject to a series of new lawsuits. 

This new threat of legal action can be seen most prominently with Facebook and its use of facial recognition technology. In Patel v. Facebook (2019), plaintiffs filed a lawsuit against Facebook using Rosenbach as precedent. In this case, a group of Facebook users sued Facebook under the BIPA, alleging that Facebook’s use of facial recognition technology violated this law [9]. Importantly, this case was not decided in the Illinois Supreme Court, but instead in the United States Court of Appeals for the Ninth Circuit. As in Rosenbach, the court sided with the plaintiffs. In the decision, the court cited and affirmed Rosenbach, arguing that the BIPA was “established to protect an individual’s ‘concrete interests’ in privacy, not merely procedural rights.” [10] This is identical to the reasoning in Rosenbach regarding the intended effects and application of the law. 

Importantly, Patel conflicts with another case in which a federal court ruled on the BIPA. Boyd Garriot and Megan Brown, two lawyers specializing in litigation support for technology clients, explain in their article “How Patel v. Facebook Might Tee Up a Privacy Battle at the Supreme Court” that “Patel appears to create a circuit split with a Second Circuit decision from 2017, Santana v. Take-Two Interactive Software, Inc.” [11] Patel ruled that violations of the BIPA, without other injuries sustained, allowed an individual to sue under the act. However, Santana v. Take-Two Interactive Software, Inc. (2017), decided in the United States Court of Appeals for the Second Circuit, ruled the opposite: violations of the BIPA, without other injuries sustained, were insufficient grounds to sue under the act [12]. A significant part of the Supreme Court’s responsibilities is to resolve a legal issue when two courts of appeals disagree on this issue [13]. Therefore, this disagreement among two circuit courts may cause the Supreme Court to rule on this dispute. 

However, a key difference separates Santana and Patel. Patel relied on the arguments articulated in Rosenbach, while Santana did not, as Rosenbach had not been issued at the time of the Santana ruling. The precedent set in Rosenbach is partially responsible for producing the dispute between Patel and Santana. Patel cited Rosenbach in ruling that an individual could sue for damages under the BIPA if the only injury sustained was a violation of their right to biometric privacy. Thus, in the potential Supreme Court case, Rosenbach could provide crucial precedent in a decision. In the deliberations on these two decisions, Rosenbach, due to its interpretation of the BIPA and biometric privacy, must be included. Herein lies the significance of the case. Because this case set precedent used in Patel, it could be the central feature of future Supreme Court cases regarding biometric privacy. 

[1] “Illinois Supreme Court Holds That Biometric Privacy Law Does Not Require Actual Harm for Private Suits,” Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates, January 29, 2019, https://www.skadden.com/insights/publications/2019/01/illinois-supreme-court.

[2] Rosenbach v. Six Flags Entertainment Corp., No. 123186 (The Supreme Court of Illinois January 25, 2019), 5.

[3] Ibid., 4.

[4] Ibid., 7.

[5] Ibid., 5.

[6] Ibid., 10.

[7] Ibid., 7.

[8] Ibid., 9.

[9] Sandra Ikuta, Patel v. Facebook, No. 18–15982 (United States Court of Appeals for the Ninth Circuit August 8, 2019), 6.

[10] Ibid., 18

[11] Boyd Garriot and Megan Brown, “How Patel v. Facebook Might Tee Up a Privacy Battle at the Supreme Court,” Wiley Connect, October 16, 2019, https://www.wileyconnect.com/home/2019/10/16/how-patel-v-facebook-might-tee-up-a-privacy-battle-at-the-supreme-court.

[12] Ibid.

[13] Ibid.