Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
The Courts Privacy

Illinois Supreme Court Rules Against Six Flags in Lawsuit Over Fingerprint Scans, Says Actual Harm Unnecessary For Biometric Case (chicagotribune.com) 84

The family of a teenager whose fingerprint data was collected in 2014 when he bought a season pass to Six Flags Great America had the right to sue the amusement park company under an Illinois privacy law, the state Supreme Court ruled Friday. Chicago Tribune reports: The case is being closely watched by tech giants such as Facebook, who have pushed back against the Illinois Biometric Information Privacy Act (BIPA). The law requires companies collecting information such as facial, fingerprint and iris scans to obtain prior consent from consumers or employees, detailing how they'll use the data and how long the records will be kept. It also allows private citizens to sue, while other states let only the attorney general bring a lawsuit.

The opinion, which overturns an appeals court ruling in favor of Six Flags, has the potential to effect biometrics lawsuits playing out in courtrooms across the country. The Illinois law is one of the strictest of its kind in the nation and has turned the state into a hotbed of lawsuits over alleged misuses of biometric data. Privacy experts say protecting that type of information is critical because, unlike a credit card or bank account number, it's permanent.
The National Law Review adds: In short, individuals need not allege actual injury or adverse effect, beyond a violation of his/her rights under BIPA, in order to qualify as an "aggrieved" person and be entitled to seek liquidated damages, attorneys fees and costs, and injunctive relief under the Act. Potential damages are substantial as the BIPA provides for statutory damages of $1,000 per negligent violation or $5,000 per intentional or reckless violation of the Act. To date, no Illinois court has interpreted the meaning of "per violation," but the majority of BIPA suits have been brought as class actions seeking statutory damages on behalf of each individual affected.
This discussion has been archived. No new comments can be posted.

Illinois Supreme Court Rules Against Six Flags in Lawsuit Over Fingerprint Scans, Says Actual Harm Unnecessary For Biometric Cas

Comments Filter:
  • Good (Score:5, Insightful)

    by Geoffrey.landis ( 926948 ) on Friday January 25, 2019 @01:42PM (#58022006) Homepage

    Good.
    A law saying it's illegal to collect such information without consent would be completely worthless you were not allowed to sue the company for violating it.

    • by Anonymous Coward

      A law saying it's illegal to collect such information without consent would be completely worthless you were not allowed to sue the company for violating it.

      Which, except for all of those other cases which have been decided in favor of corporations saying that you had to prove actual harm to have any merit.

      They're literally been saying in the courts that "sure, this happened, but since you can't prove someone has stolen your identity or your money you have no standing to sue".

    • by torkus ( 1133985 )

      You can always sue, but this actually outlines damages much more clearly than most situations. It also (potentially, IANAL) could be filed in small claims court which greatly lowers the bar and avoids paying lawyers buckets of money for a class action.

      My only question though - isn't it extremely simple to just publish the most open set of rules possible about your biometrics and not be on the hook for anything? Six flags isn't a necessary service so they can absolutely refuse your business, and if accepti

      • by rtb61 ( 674572 )

        Damage is a contentious issue in this case because of permanence of intent with regard to damage ie the data was not collected for today it basically was collected forever and hence the damage must reflect all potential damage throughout your life. That kind of damage reflects pretty much any potential, from a criminal using that data to track you down and kill you, or another to use that data to steal you identity, or someone using that data against your interest to manipulate you. That is the real problem

  • Glad to see this (Score:3, Interesting)

    by Anonymous Coward on Friday January 25, 2019 @01:50PM (#58022052)

    I have a pass at that very Six Flags, and I have to fight almost every time to not do the fingerprint scan. This ruling may change that.

  • by Lucas123 ( 935744 ) on Friday January 25, 2019 @01:51PM (#58022060) Homepage

    A hair and saliva sample later.

    Seriously, why would anyone have thought this was a good idea?

    • Wanna bet they don't actually store the fingerprint, but instead something akin to a hash?

  • by will_die ( 586523 ) on Friday January 25, 2019 @01:59PM (#58022128) Homepage
    That article sure left lots of questions unanswered, anyhow here are the details
    The mother of the kid purchased season pass, for the kid, at Six Flags.
    The kid, age 14, went to six flags and picked up his ticket and at that time was fingerprinted, per standard policy for season tickets.
    Mother sued six flags since she had not given premission and him being a minor.
    Various courts have tossed it back and forth on the bases that the mother could show no type of injury.
    This time the Illinois Supreme Court ruled against six flags. The reason being that the state law does not require them to sure injury.
    • by Nkwe ( 604125 ) on Friday January 25, 2019 @02:35PM (#58022404)
      As a season pass holder at Six Flags, you can opt out of the fingerprint scanner. You have to ask for a pass with a picture when you process your season pass. You may have to escalate your request to a manager. I am a pass holder and have opted out every year since they added the scanners. That being said, the kid in this story may not have known he had this option and being a minor may not have been capable of making such a decision (to opt out.) I am not disputing that there is a case here, but the fingerprinting process isn't actually "mandatory" at Six Flags.
      • isn't a photograph biometric information? Or is the law specific about it's definition?

        • by Nkwe ( 604125 )

          isn't a photograph biometric information? Or is the law specific about it's definition?

          That's a fair and interesting question.

          From a practical point of view the photo they take and print on the pass is poor quality, black and white (barely even gray scale), and low resolution, so I doubt it is has much practical biometric value

          I have no idea on the legal distinction between a photo and a fingerprint scan. As an aside, by entering a Six Flags park (as well as the other major amusement part chains) you usually also agree to be photographed and used in marketing materials. This kind of pho

      • by sjames ( 1099 )

        As far as this case goes, I believe you've got it. The state law requires the parent's affirmative permission to fingerprint a minor. They didn't have that.

        The part the State Supreme court was hearing was Six Flag's claim that there were no actual damages, so no ability to sue. The verdict was that the law includes a presumptive damage of $1000 so the mother need not show actual damage to sue.

      • by Wolfrider ( 856 )

        --There is NO WAY that an AMUSEMENT PARK should be requiring fingerprint scans or other biometric data (besides a picture ID.) What the hell were they thinking??

    • The reason being that the state law does not require them to sure injury.

      Hmm, wonder if the same logic would apply to someone suing the State of Illinois over collecting biometric information for Driver's License? Yes, height, weight, picture are "biometric info" used to identify the user....

      • by will_die ( 586523 ) on Friday January 25, 2019 @03:43PM (#58022902) Homepage
        The law specifically states that biometric info does not include "physical descriptions such as height, weight, hair color, or eye color".
        Also states and the federal government are very good at putting a phrase such as "Person is consenting for the collection of this data. If the data is not provided it will affect how quickly the government provides the service requested."
  • Can i someone in Illinois sue google for allowing google photo to identify there face in a picture they didn't upload?

  • by grep -v '.*' * ( 780312 ) on Friday January 25, 2019 @02:54PM (#58022582)

    Scott McNealy: You have zero privacy anyway. Get over it. [wired.com]

    If Privacy is really dead, then Scott should publish his Name, Address, Account Numbers and passwords, location schedule, and DNA profile and always keep them all current. Until then, it's NOT.

    It's one thing to lose my credit card number. Annoying, but I can get another. Same for my throw-away online accounts.

    It's slightly harder for more important accounts, like my slashdot account -- I'd lose all my Karma standing and have to start over! Other accounts are the same: VERY annoying but not Earth shattering.

    Getting doxed - the info used to be in the physical phone book, but now it's easy to tie "a fact" to "someone" and "know where they live." Now bother becomes heightened senses if not outright fear, and possibly having to actually uproot and move. Across the street, across town, across the country.

    Now you lose my name and reputation with Identity Theft. Inverse doxing, I'm still me but so is someone ELSE. I _COULD_ change my name, but I don't want to. And it's Hell trying to prove what's actually you and what isn't.

    FINALLY, you lose my biometrics? Movie hacker: "Computer: 'Override.' We're in." [networkworld.com] I _CAN'T_ change those, period. At all.

    Just because I have nothing to hide doesn't mean that I want you to see.

    • If Privacy is really dead, then Scott should publish his Name, Address, Account Numbers and passwords, location schedule, and DNA profile and always keep them all current. Until then, it's NOT.

      I understand your larger point, and I quite agree that anyone who claims they don't care about privacy is lying, but you'll understand if I don't want someone else's choices determining the value of my privacy. I say privacy matters to us all even if someone claims otherwise (as glib sycophants on /. sometimes claim w

  • In our State Constitution.

    As does the entire nation of Canada.

    And most of the EU.

    Ooh, going to be a lot of suits.

  • As it is commonly pointed out on Slashdot, fingerprints are usernames, not passwords.
    So what if an amusement park uses them? They are less privacy invading than a simple picture, and very convenient.
    The ones who should be sued are not companies who collect them but the ones who use them for reasons others than checking your physical presence. The way Six Flags uses them is exactly how they are meant to be used.
    Of course, they are still personal data but why focus specifically on fingerprints when they are n

A committee takes root and grows, it flowers, wilts and dies, scattering the seed from which other committees will bloom. -- Parkinson

Working...