Collecting Biometric Data or Other Confidential Information May Carry Significant Liability Risks
March 14, 2019
The Chicago Daily Law Bulletin recently published Tabet DiVito & Rothstein associate Jacob Berger’s article (subscription may be required) regarding the Illinois Supreme Court’s decision in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186. That decision may have significantly expanded the scope of liability under the Illinois Biometric Privacy Act, 740 ILCS 14/1 et seq.
The Illinois Biometric Privacy Act requires any company that collects biometric data to establish written policies regarding the handling of biometric data and to make them available to the public. To permissibly collect biometric data, a company must (a) inform the subject in writing that the company is collecting biometric data, (b) inform the subject in writing as to the purpose for which the biometric data will be collected and how long it will be stored, and (c) obtain written consent from the subject to collect his or her biometric data. The Act also requires a company to store biometric data at least as securely as other confidential information, such as social security numbers.
In Rosenbach, the Illinois Supreme Court held that a plaintiff could sue for a violation of the Act without the need to allege an additional injury or adverse effect beyond a violation of the Act. As a result, companies may face significant liability risks for technical or procedural violations of the Act.
The effects of this decision could be significant and far-reaching. As a result, as soon as possible companies should develop and/or review their written policies regarding handling biometric data or other confidential information to ensure that they comply with the Act.