Back in 2008, the state of Illinois passed a Biometric information Privacy Act (BIPA), which protects people against the storage and collection of their biometric information without their express permission. BIPA was proposed in order to establish standards of conduct for any private entities that either collect or are/will be in possession of biometric information.
Now, in a new case, Rosenbach v. Six Flags, a 14 year old challenged an amusement park that collected his fingerprint without his consent, which came in direct violation of BIPA. While the lower appeals court sided with Six Flags, stating that if the Rosenbach party could not show evidence of any damages, Six Flags was not liable, the Supreme Court decided that Six Flags‘ decision went against the law.
BIPA is unclear on exactly what ‘damages’ means means, though:
“[…] the Act does not contain its own definition of what it means to be “aggrieved” by a violation of the law.” the ruling analysis states “Where, as here, a statutory term is not defined, we assume the legislature intended for it to have its popularly understood meaning. Likewise, if a term has a settled legal meaning, the courts will normally infer that the legislature intended to incorporate that established meaning into the law.”
The court’s decision will most likely see the ripples of this ruling stretch much wider than initially expected: companies like Google and Facebook have themselves been put face to face with lawsuits of this kind.
Google recently won a similar case simply by stating that the plaintiffs “have not alleged an injury in-fact.“
On the other hand, Facebook has been accused of violating BIPA by tagging people’s faces in photos without the users’ prior consent. If the ‘injury in-fact‘ argument will still hold in court after this ruling, that remains to be seen.