In 2008, Illinois enacted a groundbreaking law to allow individuals to control their own biometric data –fingerprints, DNA, facial scans, and other biological information that can be used to identify an individual. The Biometric Information Privacy Act (BIPA) prohibits private companies from collecting a person’s biometric information unless they first obtain the person’s written consent. The company must inform the person about what information it is collecting, how the information will be used, and how long it will be kept. The law also requires companies to protect the confidentiality of biometric information and prohibits them from selling or disclosing the information in most circumstances.
Stacy Rosenbach sued amusement park giant Six Flags after the corporation took her son’s fingerprints, without the notice and consent required under BIPA, when he purchased a season pass to Great America. This is exactly the type of situation that BIPA is meant to address. Nonetheless, an Illinois Appellate Court held that Ms. Rosenbach and her son could not sue under the statute because Six Flags had committed only a “technical violation” of the statute that did not cause any “actual injury.”
The ACLU and other privacy organizations filed an amicus brief in the case, urging the Illinois Supreme Court to allow the case to move forward. We argued that biometric information is particularly sensitive because – unlike a driver’s license or social security number – it cannot be changed in the event of a security breach. Individuals must be able to make an informed decision about whether to allow a company to collect this information. When a company violates BIPA’s notice and consent requirements, it is not a mere “technical violation” but a direct blow to the individual’s ability to protect his or her own personal information.