Lexplug logoLexplug

Rosenbach v. Six Flags Entertainment Corp.

Illinois Supreme Court
432 Ill. Dec. 654, 2019 IL 123186, 129 N.E.3d 1197 (2019)
ELI5:

Rule of Law:

An individual does not need to allege an actual injury or adverse effect beyond the violation of their statutory rights under the Biometric Information Privacy Act (BIPA) to qualify as an 'aggrieved' person and bring a cause of action for liquidated damages and injunctive relief.


Facts:

  • Stacy Rosenbach purchased a season pass online for her 14-year-old son, Alexander, to visit a Six Flags amusement park.
  • In mid-2014, upon his first visit, Alexander was required to scan his thumbprint into Six Flags' biometric data capture system to complete the season pass registration process.
  • Six Flags did not inform Alexander or his mother, Rosenbach, in writing that his biometric information was being collected or stored.
  • Six Flags also failed to provide written information about the specific purpose and length of time for which the thumbprint data would be collected, stored, and used.
  • Six Flags did not obtain a written release from either Alexander or his mother before collecting his thumbprint.
  • Rosenbach first learned of the fingerprint collection after Alexander returned from the park.
  • Six Flags retained Alexander's biometric information after his visit, without making a public policy available regarding its retention schedule and guidelines for destruction.

Procedural Posture:

  • Stacy Rosenbach, on behalf of her son Alexander, filed a class action lawsuit against Six Flags Entertainment Corporation in the circuit court of Lake County, Illinois (a state trial court), alleging violations of the Biometric Information Privacy Act.
  • Six Flags filed a motion to dismiss, arguing that because Alexander had not suffered any actual injury beyond the alleged statutory violation, he was not an 'aggrieved' person under the Act.
  • The circuit court denied Six Flags' motion to dismiss the BIPA claims.
  • The circuit court then certified two questions of law for an interlocutory appeal, asking the appellate court to decide whether a person is 'aggrieved' under the Act based solely on a violation of its provisions.
  • The Illinois Appellate Court, Second District, answered the certified questions in the negative, holding that a plaintiff must allege some injury beyond a technical violation of the Act.
  • Rosenbach, as the appellant, was granted leave to appeal the appellate court's decision to the Illinois Supreme Court.

Locked

Premium Content

Subscribe to Lexplug to view the complete brief

You're viewing a preview with Rule of Law, Facts, and Procedural Posture

Issue:

Does an individual qualify as an 'aggrieved' person with a right to sue under the Illinois Biometric Information Privacy Act when the only injury alleged is a violation of the Act's notice and consent requirements, without any additional actual injury or adverse effect?


Opinions:

Majority - Chief Justice Karmeier

Yes. An individual qualifies as an 'aggrieved' person under the Biometric Information Privacy Act (BIPA) when a private entity violates the Act's provisions, as the violation itself constitutes the injury the legislature sought to prevent. The court determined that the plain language and historical legal meaning of 'aggrieved' refers to the invasion of a legal right, not necessarily the suffering of a consequential damage. The court reasoned that BIPA's legislative intent was preventative; its purpose is to ensure individuals have control over their unique and unchangeable biometric identifiers before they can be compromised. To require a plaintiff to wait for an additional, consequential harm would be 'completely antithetical to the Act's preventative and deterrent purposes.' The court characterized the violation not as a mere 'technicality,' but as a 'real and significant' injury because the individual loses the right to control their biometric privacy, which is the precise harm the Act was designed to prevent.



Analysis:

This decision solidifies the Illinois Biometric Information Privacy Act (BIPA) as one of the strongest privacy statutes in the United States by establishing that a procedural violation alone constitutes a cognizable injury. It significantly lowers the threshold for bringing a BIPA claim, removing the need for plaintiffs to demonstrate tangible harm like monetary loss or data misuse. As a result, this ruling has paved the way for a surge in BIPA class-action litigation against companies in Illinois that use biometric technology (e.g., fingerprint timeclocks, facial recognition) without strictly adhering to the Act's notice, consent, and data retention policy requirements. The precedent establishes that the loss of control over one's biometric data is a concrete injury in itself, providing a powerful deterrent for non-compliant businesses.

G

Gunnerbot

AI-powered case assistant

Loaded: Rosenbach v. Six Flags Entertainment Corp. (2019)

Try: "What was the holding?" or "Explain the dissent"