At a Six Flags in Gurnee, IL, a 14-year-old boy was picking up a season pass that his mother had bought him. In doing so, the amusement park took his fingerprints to attach to the season pass records. This process seems like a safe way to ensure that no one else can use his season pass but they did this without his mother’s consent. And that is what brought the case of Rosenbach vs. Six Flags in front of the Illinois Supreme Court.
In 2008, Illinois lawmakers passed the Illinois Biometric Information Privacy Act, or BIPA, which established legal rules for how biometric data could be collected from individuals, namely that you would need explicit consent. Illinois was among the first states to create a legal precedent for this growing phenomenon.
The question posed to the Supreme Court now is whether or not someone can be considered aggrieved or harmed merely by having their biometric data collected without consent, despite them not having been misused or sold to a third-party. Their ruling will also determine when a lawsuit can be brought against the wrongful party in light of the law. The Court is poised to rule if BIPA counts towards to the collection of the data alone, or if the “victim” needs to prove that they have been injured or wronged by it.
The Electronic Frontier Foundation, the ACLU, and other organizations are seeking a verdict that would protect people’s right to a lawsuit regardless of injury. They are looking that the court upholds someone’s privacy in a world where that is not easily done. On the other side, the defendants are urging that the Supreme Court not allow lawsuits because of the collection of the data if the person has not been aggrieved by a violation or injury. They say that since nothing financially or otherwise was done wrong, no harm was done.
This case leads to a broader discussion about how much of someone’s private information someone can take hold of as long as it doesn’t meet a harm or injury threshold. Biometric data is unchangeable, once someone has it – they have it forever. In today’s tech-saturated society, simple letter and number passwords are becoming less secure and more obsolete. Biometric data is becoming more and more critical to protect as it is becoming a standard method for keeping out other data safe.
While no harm has been done to this 14-year-old’s fingerprints at this point, that does not mean that in the future there isn’t a possibility that his data is stolen or sold and then compromised.
This case is going to be important in determining the role the Illinois Biometric Information Privacy Act has in protecting people’s biometric data. Will the verdict decide that this act is only able to recover damages after something happens to their private information or will it be able to protect them from it even happening in the first place?