The Law Q&A | Illinois law keeps an eye on biometric privacy

The Law Q&A | Illinois law keeps an eye on biometric privacy

Under Illinois law, when a business collects biometric information from you, like a fingerprint, eye scan, face scan or hand scan, but fails to notify you about collecting such info, or discloses such info to third parties without your consent, can you get money compensation from the business without showing any actual economic or physical harm?

You bet your sweet iris you can.

So said the Illinois Supreme Court in January. The ruling arises out of a claim based on the Illinois Biometric Information Privacy Act, passed in 2008. That act prohibits anyone, other than a government agency, judge or court clerk, from collecting such biometric information without first disclosing in writing to the person being collected from that such info is being collected, the purpose of such collection and the amount of time such identifiers will be stored or used.

The act further prohibits the collector from making a profit from that info. Nor can it disclose such info without the consent of the subject person, and the disclosure is used to complete a financial transaction requested by the subject person — unless disclosure is required by some specific law or court subpoena.

Among some of the things excluded from the BIPA definition of biometric information are organ and tissue donations, blood donations, film like X-rays and MRIs and the like, or genetic info which has its own privacy law.

Collectors of such biometrics must use care to store and protect disclosure of all such identifiers with as much or more protection as is used to protect other confidential information, such as credit card numbers.

Now, here's the deal: If there was a negligent violation of the act, the act allows the holder of such info to be sued by such violated person for $1,000 or actual damages, whichever is greater.

An intentional or reckless violation provides an award of five grand or actual damages, whichever is greater. And in either case, you get your attorney's fees paid if you win.

The mom of a 14-year-old sued Six Flags for violating the act, claiming her kid was forced to give a fingerprint to get a season pass. No disclosure was allegedly given or authority asked by Six Flags. In defense to the suit, Six Flags claimed the kid (or mom) suffered no harm.

The act says, "Any person aggrieved by a violation shall have a right of action." No real injury thus no aggrievance thus you can't sue, said Six Flags.

The Illinois Supremes were not amused by the amusement park's argument and concluded that one is aggrieved by the mere happenence of a violation. The law would otherwise have no teeth. Lost credit card numbers can be changed. Stolen fingerprints cannot.

Business lobbies have been pushing back against such legislation. Only two other states have biometric privacy laws. Since January, however, new biometric privacy bills are in the works in seven states.

In the age of Big Brother, Six Flags just got flagged for possibly demanding an illegal fingerprint.

Which resulted in a legal finger being stuck in its corporate eye.

Brett Kepley is a lawyer with Land of Lincoln Legal Aid Inc. You can send your questions to The Law Q&A, 302 N. First St., Champaign, IL 61820. Questions may be edited for space.

-