Six Flags Biometrics Suit Should Raise Red Flags for Businesses

After a teenage boy was fingerprinted without written consent when he purchased a season pass to Great America, his mother sued Six Flags for violation of the Illinois Biometrics Act.  In January the Illinois Supreme Court unanimously found that plaintiffs can bring a private cause of action for violations of the state’s biometric privacy law’s notice and consent requirements, even if they can’t show any harm.

The court found (Rosenbach v. Six Flags Entertainment Corporation) that individuals have control of, and a right to privacy over, their biometric identifiers, such as voice samples, retina scans and facial geometry, in addition to fingerprints. Because neither the son nor the mother consented in writing nor signed a written release for the taking of the fingerprint, and because Six Flags did not provide documentation about how long they might retain the data before destroying it, the court found the theme park violated these rights.

This decision underscores the fact that biometric privacy is quickly becoming an area of the law with greater application for businesses—and that they need to start paying attention, particularly as technology ramps up to a whole new level with the advent of microchips.  About the size of a grain of rice, these chips have been voluntarily implanted in the hands of employees at several companies and work like a card reader, providing the ability to open doors, get into company accounts and order from company vendors.

Those who are uncomfortable with chipping say people are too weirded out by the concept of implants like those used for animals, cite concerns about infection and health risks, and wonder how a chip gets removed when an employee leaves, is fired or no longer wants the chip inside of them. Supporters say chipping is not that different from carrying an electronic access card like those used to gain entry into a building or buy lunch at the company café. They say the devices are not only safe but also convenient because they can’t be forgotten, lost or stolen.

And supporters note they’ve only been used voluntarily and that several states have passed laws prohibiting mandatory implantation. But opponents wonder how voluntary this really is, given potential perks like instant security authorizations that those with chips might have, and they wonder about the security and potential uses of the data stored in those chips—like learning employees’ whereabouts at any given time, or selling the data to third parties.

Supporters answer that transparency, disclosure and consent will help employers manage these issues, much as they currently do with mobile phones and other devices. And they note that some companies might consider implanting these chips into waterproof bracelets, rather than employees’ hands, to address the health concerns as well as the tendency to get weirded out.

Whether it’s more “traditional” biometric data like fingerprints or the brave new world of chip implantation, employers are going to have challenging issues to navigate on this front in the coming years as they seek to balance convenience, privacy, transparency and normalcy. And with this decision, Illinois will become the hotbed of lawsuits for any unauthorized use of biometric data. Online companies like Facebook that use facial recognition tech will become targets, particularly since, under Illinois law, plaintiffs are not required to prove actual damages. Any business that uses fingerprint, voice or facial identifiers should be rethinking their use of biometric data.