Illinois Expands Protection of Biometric Information – Who’s Next? Opening the gates to expensive class actions and “sue and settle” lawsuits

By Michael Gold and Bob Braun

A new ruling by the Illinois Supreme Court could trigger expensive class action lawsuits and private litigation against businesses, even where plaintiffs do not allege actual injury. The case demands attention, not only from those doing business in Illinois, but throughout the nation.

The Case and Its Holding

On January 25, 2019, the Illinois Supreme Court issued its long-awaited decision in Rosenbach v. Six Flags – and the unanimous opinion doesn’t do any favors for business.  The Court ruled that individuals alleging violations of the Illinois Biometric Information Privacy Act (BIPA) in state court – like using a thumbprint to clock in and out of work on a biometric time clock, without the statutorily required notice and acknowledgments in place – do not need to allege concrete injury in order to sue.  Rather, simply pleading a violation of BIPA’s technical requirements will be enough, without alleging any actual injury.  Because each violation carries a substantial fine, and the statute provides for a private right of action and recovery of attorneys’ fees, the Court has effectively opened the doors to the next wave of extremely risky and costly litigation for Illinois businesses.

Warning Signs

The decision is a warning sign, not only for Illinois businesses that use biometric information, but for businesses generally.

The case is one of a series that make it easier for plaintiffs to bring claims without asserting damages.  In other words, plaintiffs do not need to make one of the essential allegations of any lawsuit claiming money damages – that they have been harmed in fact.  This has, for years, been a stumbling block for lawsuits arising out of data breaches, as the existence of damages has been difficult to prove.  Just as more courts are willing to assume damages in those kinds of cases,  the Illinois court has done the same for violations of BIPA.  Importantly, this will not only ease the burden for individual plaintiffs; it is likely to expand the availability of class action claims as well.

The case is also demonstrative of the increasing willingness to reshape statutes that may not originally have been treated or viewed as privacy protection statutes.  The Federal Trade Commission, many attorneys general, local district attorneys and private plaintiffs have used laws prohibiting “unfair and deceptive trade practices” to address perceived privacy and security shortcomings. The use of BIPA in this context may well embolden governmental and private plaintiffs alike to consider whether existing statutes can be used to bring claims.

Finally, the Court’s opinion reflects a shift in attitude that underlies privacy legislation in the United States.  Just as the European Union and other jurisdictions have adopted the position that personal information belongs to the individual, this case recognizes the same trend in the United States. This decision, along with the California Consumer Privacy Act, and proposed laws in Washington, Vermont and other states – as well as measures being considered by the federal government – point to a new attitude toward the use of personal information by businesses.

Actions to Take

The Rosenbach case has implications far beyond Illinois. Businesses operate in a world where regulators, law enforcement, and private individuals actively seek ways to hold companies responsible for ensuring personal privacy. Part of their method is to use laws that may have been ignored, or to find ways to interpret existing laws, to support damage claims. This creates a challenge for companies, since responding to these laws requires them to focus not on reacting to events, but on establishing information governance systems that address the collection and use of personal data.

These developments also cannot be effectively addressed solely at a technical level – in particular, they cannot be delegated to an information technology department.  Rather, the active involvement of senior management is crucial to evaluating the risks a company is willing to take in the context of existing and emerging privacy laws, and ensuring deployment of governance frameworks that realistically address these risks without undermining the company’s business mission.

The JMBM Cybersecurity and Privacy Group counsels companies on incorporating privacy and information security into enterprise governance. For additional information, contact Michael Gold or Bob Braun.