STACY ROSENBACH, as Mother and Next Friend of Alexander Rosenbach, Appellant, v. SIX FLAGS ENTERTAINMENT CORPORATION et al., Appellees.
123186
Supreme Court of Illinois
January 25, 2019
2019 IL 123186
Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186
Decision Under Review: Appeal from the Appellate Court for the Second District; heard in that court on appeal from the Circuit Court of Lake County, the Hon. Luis A. Berrones, Judge, presiding.
Judgment: Certified questions answered. Appellate court judgment reversed. Cause remanded.
Counsel on Appeal: Phillip A. Bock and David M. Oppenheim, of Bock, Hatch, Lewis & Oppenheim, LLC, of Chicago, and Ilan Chorowsky and Mark Bulgarelli, of Progressive Law Group, LLC, of Evanston, for appellant.
Debra R. Bernard, of Perkins Coie LLP, of Chicago, and Kathleen M. O‘Sullivan, of Perkins Coie LLP, of Seattle, Washington, for appellees.
Rebecca K. Glenberg, Megan Rosenfeld, and Michael C. Landis, all of Chicago, Joseph Jerome, of Washington, D.C., Adam Schwartz, of San Francisco, California, and Nathan Freed Wessler, of New York, New York, for amici curiae American Civil Liberties Union et al.
Adam J. Levitt and Amy E. Keller, of DiCello Levitt & Casey LLC, of Chicago, and Marc Rotenberg, Alan Butler, and Natasha Babazadeh, of Washington, D.C., for amicus curiae Electronic Privacy Information Center.
Melissa A. Siebert and Bonnie Keane DelGobbo, of Baker Hostetler LLP, of Chicago, and Angelo I. Amador, of Washington, D.C., for amici curiae Restaurant Law Center et al.
Gary M. Miller, of Shook, Hardy & Bacon L.L.P., of Chicago, for amici curiae Illinois Retail Merchants Association et al.
Michele Odorizzi and Michael A. Scodro, of Mayer Brown LLP, of Chicago, and Lauren R. Goldman and Michael Rayfield, of Mayer Brown LLP, of New York, New York, for amicus curiae Internet Association.
Noah A. Finkel and Thomas E. Ahlering, of Seyfarth Shaw LLP, of Chicago, for amicus curiae Illinois Chamber of Commerce.
OPINION
¶ 1 The Biometric Information Privacy Act (Act) (
¶ 2 BACKGROUND
¶ 3 The question the appellate court was asked to consider in this case arose in the context of a motion to dismiss pursuant to
¶ 4 Six Flags Entertainment Corporation and its subsidiary Great America LLC own and operate the Six Flags Great America amusement park in Gurnee, Illinois. Defendants sell repeat-entry passes to the park. Since at least 2014, defendants have used a fingerprinting process when issuing those passes. As alleged by the complaint, their system “scans pass holders’ fingerprints; collects, records and stores ‘biometric’ identifiers and information gleaned from the fingerprints; and then stores that data in order to quickly verify customer identities upon subsequent visits by having customers scan their fingerprints to enter the theme park.” According to the complaint, “[t]his makes entry into the park faster and more seamless, maximizes the time pass holders are in the park spending money, and eliminates lost revenue due to fraud or park entry with someone else‘s pass.”
¶ 5 In May or June 2014, while the fingerprinting system was in operation, Stacy Rosenbach‘s 14-year-old son, Alexander, visited defendants’ amusement park on a school field trip. In anticipation of that visit, Rosenbach had purchased a season pass for him online. Rosenbach paid for the pass and provided personal information about Alexander, but he had to complete the sign-up process in person once he arrived at the amusement park.
¶ 6 The process involved two steps. First, Alexander went to a security checkpoint, where he was asked to scan his thumb into defendants’ biometric data capture system. After that, he was directed to a nearby administrative building, where he obtained a season pass card. The card and his thumbprint, when used together, enabled him to gain access as a season pass holder.
¶ 7 Upon returning home from defendants’ amusement park, Alexander was asked by Rosenbach for the booklet or paperwork he had been given in connection with his new season pass. In response, Alexander advised her that defendants did “it all by fingerprint now” and that no paperwork had been provided.
¶ 8 The complaint alleges that this was the first time Rosenbach learned that Alexander‘s fingerprints were used as part of
¶ 9 The school field trip was Alexander‘s last visit to the amusement park. Although he has not returned there since, defendants have retained his biometric identifiers and information. They have not publicly disclosed what was done with the information or how long it will be kept, nor do they have any “written policy made available to the public that discloses [defendants‘] retention schedule or guidelines for retaining and then permanently destroying biometric identifiers and biometric information.”
¶ 10 In response to the foregoing events, Rosenbach, acting in her capacity as mother and next friend of Alexander (see
¶ 11 The complaint, as amended, is in three counts. Count I seeks damages on the grounds that defendants violated
¶ 12 Defendants sought dismissal of Rosenbach‘s action under both
¶ 13 Following a hearing, and proceeding only under
¶ 14 Defendants sought interlocutory review of the circuit court‘s ruling under
(1) “[w]hether an individual is an aggrieved person under §20 of the Illinois Biometric Information Privacy Act,
740 ILCS 14/20 , and may seek statutory liquidated damages authorized under §20(1) of the Act when the only injury he alleges is a violation of §15(b) of the Act by a private entity who collected his biometric identifiers and/or biometric information without providing him the required disclosures and obtaining his written consent as required by §15(b) of the Act,” and(2) “[w]hether an individual is an aggrieved person under §20 of the Illinois Biometric Information Privacy Act,
740 ILCS 14/20 , and may seek injunctive relief authorized under §20(4) of the Act, when the only injury he alleges is a violation of §15(b) of the Act by a private entity who collected his biometric identifiers and/or biometric information without providing him the required disclosures and obtaining his written consent as required by §15(b) of the Act.”
¶ 15 The appellate court granted review of the circuit court‘s order and answered both certified questions in the negative. In its view, a plaintiff is not “aggrieved” within the meaning of the Act and may not pursue either damages or injunctive relief under the Act based solely on a defendant‘s violation of the statute. Additional injury or adverse effect must be alleged. The injury or adverse effect need not be pecuniary, the appellate court held, but it must be more than a “technical violation of the Act.” 2017 IL App (2d) 170317, ¶ 28.
¶ 16 Rosenbach petitioned this court for leave to appeal.
¶ 17 ANALYSIS
¶ 18 Because this appeal concerns questions of law certified by the circuit court pursuant to
¶ 19 The Biometric Privacy Information Act (
¶ 20 Section 15 of the Act (
“(b) No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person‘s or a customer‘s biometric identifier or biometric information, unless it first:
(1) informs the subject or the subject‘s legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored;
(2) informs the subject or the subject‘s legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and
(3) receives a written release executed by the subject of the biometric identifier or biometric information or the subject‘s legally authorized representative.”
Id. § 15(b) .
¶ 21 These provisions are enforceable through private rights of action. Specifically, section 20 of the Act provides that “[a]ny person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party.”
“[a] prevailing party may recover for each violation:
(1) against a private entity that negligently violates a provision of this Act, liquidated damages of $1,000 or actual damages, whichever is greater;
(2) against a private entity that intentionally or recklessly violates a provision of this Act, liquidated damages of $5,000 or actual damages, whichever is greater;
(3) reasonable attorneys’ fees and costs, including expert witness fees and other litigation expenses; and
(4) other relief, including an injunction, as the State or federal court may deem appropriate.”
Id.
¶ 22 As noted earlier in this opinion, Rosenbach‘s complaint alleges that defendants violated the provisions of section 15 of the Act when it collected her son‘s thumbprint without first following the statutorily
¶ 23 While the appellate court in this case found defendants’ argument persuasive, a different district of the appellate court subsequently rejected the identical argument in Sekura v. Krishna Schaumburg Tan, Inc., 2018 IL App (1st) 180175. We reject it as well, as a recent federal district court decision correctly reasoned we might do. In re Facebook Biometric Information Privacy Litigation, 326 F.R.D. 535, 545-47 (N.D. Cal. 2018).
¶ 24 We begin our analysis with basic principles of statutory construction. When construing a statute, our primary objective is to ascertain and give effect to the legislature‘s intent. That intent is best determined from the plain and ordinary meaning of the language used in the statute. When the statutory language is plain and unambiguous, we may not depart from the law‘s terms by reading into it exceptions, limitations, or conditions the legislature did not express, nor may we add provisions not found in the law. Acme Markets, Inc. v. Callanan, 236 Ill. 2d 29, 37-38 (2009).
¶ 25 Defendants read the Act as evincing an intention by the legislature to limit a plaintiff‘s right to bring a cause of action to circumstances where he or she has sustained some actual damage, beyond violation of the rights conferred by the statute, as the result of the defendant‘s conduct. This construction is untenable. When the General Assembly has wanted to impose such a requirement in other situations, it has made that intention clear.
¶ 26 In contrast is the AIDS Confidentiality Act (
¶ 27 Section 20 of the Act (
¶ 29 As with the AIDS Confidentiality Act, the Act does not contain its own definition of what it means to be “aggrieved” by a violation of the law. Where, as here, a statutory term is not defined, we assume the legislature intended for it to have its popularly understood meaning. Likewise, if a term has a settled legal meaning, the courts will normally infer that the legislature intended to incorporate that established meaning into the law. People v. Johnson, 2013 IL 114639, ¶ 9. Applying these canons of construction, it is clear that defendants’ challenge to Rosenbach‘s right to bring suit on behalf of her son is meritless.
¶ 30 More than a century ago, our court held that to be aggrieved simply “means having a substantial grievance; a denial of some personal or property right.” Glos v. People, 259 Ill. 332, 340 (1913). A person who suffers actual damages as the result of the violation of his or her rights would meet this definition of course, but sustaining such damages is not necessary to qualify as “aggrieved.” Rather, “[a] person is prejudiced or aggrieved, in the legal sense, when a legal right is invaded by the act complained of or his pecuniary interest is directly affected by the decree or judgment.” (Emphasis added.) Id.
¶ 31 This understanding of the term has been repeated frequently by Illinois courts and was embedded in our jurisprudence when the Act was adopted. See American Surety Co. v. Jones, 384 Ill. 222, 229-30 (1943); In re Estate of Hinshaw, 19 Ill. App. 2d 239, 255 (1958); In re Estate of Harmston, 10 Ill. App. 3d 882, 885 (1973); Greeling v. Abendroth, 351 Ill. App. 3d 658, 662 (2004). We must presume that the legislature was aware of that precedent and acted accordingly. See People v. Cole, 2017 IL 120997, ¶ 30.
¶ 32 The foregoing understanding of the term is also consistent with standard definitions of “aggrieved” found in dictionaries, which we may consult when attempting to ascertain the plain and ordinary meaning of a statutory term where, as here, the term has not been specifically defined by the legislature. In re M.I., 2016 IL 120232, ¶ 26. Merriam-Webster‘s Collegiate Dictionary, for example, defines aggrieved as “suffering from an infringement or denial of legal rights.” Merriam-Webster‘s Collegiate Dictionary 25 (11th ed. 2006). Similarly, the leading definition given in Black‘s Law Dictionary is “having legal rights that are adversely affected.” Black‘s Law Dictionary 77 (9th ed. 2009). This is therefore the meaning we believe the legislature intended here.
¶ 34 In reaching a contrary conclusion, the appellate court characterized violations of the law, standing alone, as merely “technical” in nature. 2017 IL App (2d) 170317, ¶ 23. Such a characterization, however, misapprehends the nature of the harm our legislature is attempting to combat through this legislation. The Act vests in individuals and customers the right to control their biometric information by requiring notice before collection and giving them the power to say no by withholding consent. Patel, 290 F. Supp. 3d at 953. These procedural protections “are particularly crucial in our digital world because technology now permits the wholesale collection and storage of an individual‘s unique biometric identifiers—identifiers that cannot be changed if compromised or misused.” Id. at 954. When a private entity fails to adhere to the statutory procedures, as defendants are alleged to have done here, “the right of the individual to maintain [his or] her biometric privacy vanishes into thin air. The precise harm the Illinois legislature sought to prevent is then realized.” Id. This is no mere “technicality.” The injury is real and significant.
¶ 35 This construction of the law is supported by the General Assembly‘s stated assessment of the risks posed by the growing use of biometrics by businesses and the difficulty in providing meaningful recourse once a person‘s biometric identifiers or biometric information has been compromised. In enacting the law, the General Assembly expressly noted that
“[b]iometrics are unlike other unique identifiers that are used to access finances or other sensitive information. For example, social security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.”
740 ILCS 14/5(c) (West 2016).
The situation is particularly concerning, in the legislature‘s judgment, because “[t]he full ramifications of biometric technology are not fully known.”
¶ 36 The strategy adopted by the General Assembly through enactment of the Act is to try to head off such problems before they occur. It does this in two ways. The first is by imposing safeguards to insure that individuals’ and customers’ privacy rights in their biometric identifiers and
¶ 37 The second of these two aspects of the law is as integral to implementation of the legislature‘s objectives as the first. Other than the private right of action authorized in section 20 of the Act, no other enforcement mechanism is available. It is clear that the legislature intended for this provision to have substantial force. When private entities face liability for failure to comply with the law‘s requirements without requiring affected individuals or customers to show some injury beyond violation of their statutory rights, those entities have the strongest possible incentive to conform to the law and prevent problems before they occur and cannot be undone. Compliance should not be difficult; whatever expenses a business might incur to meet the law‘s requirements are likely to be insignificant compared to the substantial and irreversible harm that could result if biometric identifiers and information are not properly safeguarded; and the public welfare, security, and safety will be advanced. That is the point of the law. To require individuals to wait until they have sustained some compensable injury beyond violation of their statutory rights before they may seek recourse, as defendants urge, would be completely antithetical to the Act‘s preventative and deterrent purposes.
¶ 38 In sum, defendants’ contention that redress under the Act should be limited to those who can plead and prove that they sustained some actual injury or damage beyond infringement of the rights afforded them under the law would require that we disregard the commonly understood and accepted meaning of the term “aggrieved,” depart from the plain and, we believe, unambiguous language of the law, read into the statute conditions or limitations the legislature did not express, and interpret the law in a way that is inconsistent with the objectives and purposes the legislature sought to achieve. That, of course, is something we may not and will not do. Solich v. George & Anna Portes Cancer Prevention Center of Chicago, Inc., 158 Ill. 2d 76, 83 (1994); Exelon Corp. v. Department of Revenue, 234 Ill. 2d 266, 275 (2009).
¶ 39 CONCLUSION
¶ 40 For the foregoing reasons, we hold that the questions of law certified by the circuit court must be answered in the affirmative. Contrary to the appellate court‘s view, an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an “aggrieved” person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act. The judgment of the appellate court is therefore reversed, and the cause is remanded to the circuit court for further proceedings.
¶ 41 Certified questions answered.
¶ 42 Appellate court judgment reversed.
¶ 43 Cause remanded.