LOADING ...

Six Flags Biometric Case Could Turn One of the Toughest Privacy Laws in the U.S. Upside Down

Rhett Jones Nov 27, 2018. 10 comments

For the last decade, Illinois has had the nation’s most rigorous law protecting citizens’ biometric privacy information. It’s also a heavily litigated piece of legislation that’s pulled high-profile companies like Google and Facebook into class action lawsuits. Now, Six Flags is contesting a suit that threatens to totally defang the statute.

The Biometric Information Privacy Act (BIPA), passed by Illinois lawmakers in 2008, stipulates that a company doing business in the state must obtain explicit written consent from an individual before collecting their biometric identifiers, such as fingerprints. Penalties are set at a $1,000 fine per violation, and $5,000 per violation if an offending company is found to be violating the statute either intentionally or recklessly. The problem is, the state doesn’t prosecute BIPA violations, it only grants individuals the right to sue. Six Flags is trying to make that very difficult.

The case revolves around the question of whether a company can be held liable for violating BIPA if a plaintiff is unable to demonstrate “harm.” Stacy Rosenbach claims that the theme park fingerprinted her 14-year-old son when he was picking up a season pass to the park on a group trip. Rosenbach says she did not give permission for the company to collect and store her son’s fingerprints. Six Flags argues that for Rosenbach to qualify as a “person aggrieved,” she must demonstrate that the collection of her son’s identifiable biometric information resulted in some type of injury.

The Illinois Supreme Court held appellate hearings on the case last week, and according to Law360, at least three of the seven justices hearing the case were skeptical of the arguments made by attorneys representing Six Flags. The initial trial court rejected Six Flags’ argument, but it certified two questions for appeal that revolve around the definition of “aggrieved.” Last December, the Second District Appellate Court agreed with Six Flags, and now the case is in the hands of the states’ highest court. What’s at stake is a legal definition that could affect a similar pending lawsuit against Facebook that could potentially result in billions of dollars worth of fines.

According to Law360's account of last week’s proceedings, Justice Anne Burke told Six Flags’ attorneys that their argument does not consider the initial violation of the statute. “How does one challenge that, if that isn’t harm,” Justice Burke asked. “There’s no opportunity for the guardian to say no or [be] given the information of what they could do.”

Six Flags and business interests that support its argument are looking to narrowly define BIPA as a statute that could be acted on in a case in which, for example, a company collected fingerprint information and suffered a data breach or accidentally posted that information publicly.

From Law360:

Violating BIPA’s consent and disclosure requirements is one thing, but “it is a separate legal question” of whether an individual is aggrieved by that violation, [Six Flags Attorney Kathleen] O’Sullivan argued. And just because Illinois lawmakers enacted BIPA out of concern for biometric data that had previously been compromised, it “did not mean the Legislature intended to create a private right of action for someone whose biometric data has not been compromised at all,” she argued.

But it is “too late to wait” for the compromise to happen once a person’s biometrics have been collected without their informed consent because at that point, “they can’t do anything about it,” Justice Burke countered.

“They may never know, and you can’t get your fingerprints back. It’s irreparable harm,” she said.

Rosenbach’s attorney Phillip Bock pointed to Illinois’ AIDS Confidentiality Act as another statute that could be affected by the court’s decision. That law requires informed consent from an individual before an entity tests their blood for HIV, and it is likewise only enforceable through private suits. Bock told the court that it “doesn’t make any sense to say ‘aggrieved’ means this statute, or that statute, can’t be enforced when the defendant does exactly what is prohibited.”

Six Flags didn’t immediately respond to a request for comment on this story.

In an amicus brief, the ACLU, Electronic Frontier Foundation, and other groups that fight for privacy rights argued that the absence of enforcement powers for the Illinois Attorney General coupled with mandated statutory damages and the ability to recoup attorney’s fees indicates “the Illinois legislature’s intent to create a robust enforcement regime that relies on private litigants to ensure compliance with BIPA’s requirements of notice and informed consent.” The groups argued that adopting Six Flags’ reading of BIPA “would effectively gut the statute’s primary purpose and leave Illinoisans without meaningful recourse in a world of rapidly advancing technology and proliferating uses of biometric information.”

The case also brings up the more abstract question of whether violating someone’s legal expectation of privacy is a form of harm unto itself. Nothing like this case falls under the four main types of invasion of privacy claims considered under law, but we’re dealing with new, untested issues, and few states even have laws protecting this kind of personal information. It’s an early test case on how privacy legislation in the era of biometrics and massive data collection will need to be written if the intent is to work as a preventative measure.

[Law360 via The Verge]

10 Comments

Other Rhett Jones's posts

Why Doesn’t Trump Tell Us About the Aliens? Why Doesn’t Trump Tell Us About the Aliens?

It may be the most important and least talked about question of our era. In the last few years, we’ve seen the U.S. government be more open about encounters that members of its services have had with unidentified flying objects and its efforts to fully investigate such incidents, leading to all kinds of speculation about alien alloys and requests...

Regal Cinemas' MoviePass-Style Unlimited Plan Will Start at $18 Per Month Regal Cinemas' MoviePass-Style Unlimited Plan Will Start at $18 Per Month

MoviePass may be limping along in zombie form, just waiting for some finance bro to put it out of its misery, but its unlimited subscription model continues to spread and mutate. On Friday, Regal Cinemas announced that it’s launching its own version of an unlimited movie plan that should be a pretty decent deal for anyone who sees more...

Amazon Apparently Wants to Destroy TiVo Now Amazon Apparently Wants to Destroy TiVo Now

Poor TiVo. The pioneer of live TV recording was just minding its own business, muddling along in a world it doesn’t recognize when news broke that Amazon is looking to start a fight. That’s all it takes to send investors fleeing. But why does Amazon reportedly want in on this antiquated market?Bloomberg reported this afternoon that Amazon is deep in...

Senators Ask Jeff Bezos Just How Many Complaints Amazon's Received About Eavesdropping Echoes Senators Ask Jeff Bezos Just How Many Complaints Amazon's Received About Eavesdropping Echoes

Lawmakers in the U.S. have taken a greater interest in the failures of tech companies lately but most of the focus has been on Facebook and Google while Jeff Bezos has been busy making a reported $230,000 a minute. Now it’s Amazon’s turn in the barrel.On Thursday, Senators sent a list of questions regarding numerous privacy concerns about the...

Suggested posts

Google Has Lawsuit in Illinois Over Facial Recognition Scanning in Google Photos Dismissed Google Has Lawsuit in Illinois Over Facial Recognition Scanning in Google Photos Dismissed

Google has had a lawsuit in Illinois over its facial-recognition software thrown out, with a judge dismissing the case on the grounds that the plaintiff in the case did not suffer “concrete injuries,” Bloomberg reported on Saturday. The ruling puts to rest one of three lawsuits against major tech companies for alleged violations of the state’s Biometric Information Privacy...

Six Flags' New 4D Batman Coaster Looks Like a Super Fun Vomit Factory Six Flags' New 4D Batman Coaster Looks Like a Super Fun Vomit Factory

Your browser does not support HTML5 video tag.Click here to view original GIFGuess what’s finally built and undergoing extensive testing at Six Flags’ Fiesta Texas amusement park in San Antonio? The park’s brand new Batman coaster that was teased last year with 4D thrills courtesy of seats that are free to rotate 360-degrees during your vomit-filled ride.Last year we were...

This Trippy Roller Coaster Ride-Along Will Make You Vomit Faster Than the Real Thing This Trippy Roller Coaster Ride-Along Will Make You Vomit Faster Than the Real Thing

Your browser does not support HTML5 video tag.Click here to view original GIFGIF: YouTubeJeb Corliss brought along a GoPro Fusion 360-degree camera during a ride on Six Flags Magic Mountain’s Goliath roller coaster. But instead of using the footage to create an immersive VR experience, he instead turned it into a fantastically trippy 2D video that will make you dizzier...

The New VR Coaster at Six Flags Is the Future of Vomiting The New VR Coaster at Six Flags Is the Future of Vomiting

Rollercoasters make people puke. VR makes people puke. Previously, we wondered what kind of monster would try to combine these two things. But now that we have our first hands-on video of the new Occulus-augmented coaster at Six Flags and… it actually looks like a lot of fun.The ride basically involves flying around and killing aliens and has a...

Language