Rosenbach v. Six Flags Entertainment Corp.
2019 IL 123186
Ill.2019Background
- Six Flags used fingerprint scans to issue season passes; a 14-year-old (Alexander) had his thumb scanned during a school field trip and a season pass issued.
- Neither Alexander nor his mother (Stacy Rosenbach, next friend) received written notice of collection, purpose, retention period, nor gave a written release or consent as required by the Biometric Information Privacy Act (BIPA) §15(b).
- Rosenbach sued on Alexander’s behalf under BIPA §20 seeking liquidated damages and injunctive relief for the statutory violations; defendants retained his biometric data after the visit.
- The trial court denied dismissal of the BIPA claims; defendants appealed under Illinois Supreme Court Rule 308, and the appellate court held a statutory violation alone was not enough — plaintiff must allege additional injury beyond the violation.
- The Illinois Supreme Court granted review to decide whether a person is “aggrieved” under BIPA §20 when alleging only a statutory violation (without separate actual injury).
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Whether a person is “aggrieved” under BIPA §20 and may recover liquidated damages when the complaint alleges only a violation of §15(b) (no separate actual injury) | Rosenbach: statutory rights were invaded by the collection without required notice/consent; that invasion itself makes one "aggrieved" and supports damages | Six Flags: a statutory violation alone is merely "technical"; plaintiff must allege actual injury or adverse effect beyond the statutory breach to sue | Held: No separate actual injury is required; violating §15(b) itself invades statutory rights and makes the person "aggrieved," permitting recovery of liquidated damages |
| Whether a person is “aggrieved” under BIPA §20 and may seek injunctive relief when alleging only a §15(b) violation | Rosenbach: statutory procedural rights (notice/consent) define the privacy interest; their violation supports injunctive relief to prevent future breaches | Six Flags: injunctive relief should be limited to those with actual/requested-injurious consequences beyond statutory noncompliance | Held: Violation of §15(b) constitutes an invasion of statutory rights and authorizes injunctive relief under §20 without pleading additional injury |
Key Cases Cited
- Cochran v. Securitas Security Services USA, Inc., 2017 IL 121200 (standard for section 2‑615 review and taking well-pleaded facts as true)
- Glos v. People, 259 Ill. 332 (definition of “aggrieved” as denial of a legal right)
- Doe v. Chand, 335 Ill. App. 3d 809 (holding that actual damages need not be proven under a statute that grants a right of action to an "aggrieved" person)
- Patel v. Facebook Inc., 290 F. Supp. 3d 948 (federal court recognizing the real privacy harms from biometric collection and the importance of BIPA‑style protections)
- In re Facebook Biometric Info. Privacy Litig., 326 F.R.D. 535 (federal district court decision rejecting the argument that a statutory violation alone is insufficient to plead injury under BIPA)