Illinois Supreme Court Rules Against Six Flags in Lawsuit Over Fingerprint Scans, Says Actual Harm Unnecessary For Biometric Case

The family of a teenager whose fingerprint data was collected in 2014 when he bought a season pass to Six Flags Great America had the right to sue the amusement park company under an Illinois privacy law, the state Supreme Court ruled Friday. Chicago Tribune reports: The case is being closely watched by tech giants such as Facebook, who have pushed back against the Illinois Biometric Information Privacy Act (BIPA). The law requires companies collecting information such as facial, fingerprint and iris scans to obtain prior consent from consumers or employees, detailing how they'll use the data and how long the records will be kept. It also allows private citizens to sue, while other states let only the attorney general bring a lawsuit.

The opinion, which overturns an appeals court ruling in favor of Six Flags, has the potential to effect biometrics lawsuits playing out in courtrooms across the country. The Illinois law is one of the strictest of its kind in the nation and has turned the state into a hotbed of lawsuits over alleged misuses of biometric data. Privacy experts say protecting that type of information is critical because, unlike a credit card or bank account number, it's permanent. The National Law Review adds: In short, individuals need not allege actual injury or adverse effect, beyond a violation of his/her rights under BIPA, in order to qualify as an "aggrieved" person and be entitled to seek liquidated damages, attorneys fees and costs, and injunctive relief under the Act. Potential damages are substantial as the BIPA provides for statutory damages of $1,000 per negligent violation or $5,000 per intentional or reckless violation of the Act. To date, no Illinois court has interpreted the meaning of "per violation," but the majority of BIPA suits have been brought as class actions seeking statutory damages on behalf of each individual affected.

Good

[Geoffrey.landis]

Good.
A law saying it's illegal to collect such information without consent would be completely worthless you were not allowed to sue the company for violating it.

Re:Fingerprints now

[b0s0z0ku]

But an RFID badge can be used by someone with a similar face; fingerprints make this more difficult. I see Six Flags' point, but it's also a stupid way go about things -- they might gain a bit of revenue from people not sharing badges, but they'll lose on public goodwill. Not to mention that people who share season badges might otherwise not go. Even if they don't pay for their visit, they'll probably still buy food, drinks, and whatever else isn't included in a badge.

You have zero privacy anyway. Get over it?

[grep+-v+'.*'+*]

Scott McNealy: You have zero privacy anyway. Get over it.

If Privacy is really dead, then Scott should publish his Name, Address, Account Numbers and passwords, location schedule, and DNA profile and always keep them all current. Until then, it's NOT.

It's one thing to lose my credit card number. Annoying, but I can get another. Same for my throw-away online accounts.

It's slightly harder for more important accounts, like my slashdot account -- I'd lose all my Karma standing and have to start over! Other accounts are the same: VERY annoying but not Earth shattering.

Getting doxed - the info used to be in the physical phone book, but now it's easy to tie "a fact" to "someone" and "know where they live." Now bother becomes heightened senses if not outright fear, and possibly having to actually uproot and move. Across the street, across town, across the country.

Now you lose my name and reputation with Identity Theft. Inverse doxing, I'm still me but so is someone ELSE. I _COULD_ change my name, but I don't want to. And it's Hell trying to prove what's actually you and what isn't.

FINALLY, you lose my biometrics? Movie hacker: "Computer: 'Override.' We're in." I _CAN'T_ change those, period. At all.

Just because I have nothing to hide doesn't mean that I want you to see.

Re:Conservative lifetime appointments say otherwis

[ShanghaiBill]

Photography is protected by the first amendment as affirmed by federal courts.

Photography in public, where there is no expectation of privacy, for noncommercial purposes is protected. Most people would not consider a fingerprint scanner to be collecting public information.

The collection of facial biometrics can be defended based on that.

Quite likely. But they didn't scan the kid's face. They scanned his fingerprints. Most people would consider that a greater impingement on privacy.

Furthermore, the collection of fingerprints can be argued to be a form of photography.

Maybe. But that is the point of this ruling: they have to make that argument in court. They can't just have the case dismissed with a lack of standing argument. The court didn't say the plaintiff win, just that the case can proceed.

Six Flags may also argue that they didn't store the fingerprint, but only a hash. Since there are many ways to generate a hash, and not every hash is unique, they could argue a hash is not "personally identifying information". Not sure if the court would agree.