A recent decision by an intermediate Illinois appellate court, Rosenbach v. Six Flags Entm’t Corp.,[1] suggests that state courts—which are not bound by federal Article III standing limitations in entertaining suits—will not necessarily provide a more plaintiff-friendly forum for data privacy suits than their federal counterparts.

Earlier this month, we wrote about the Second Circuit’s summary order in Vigil v. Take-Two Interactive Software, Inc.[2]  There, the court affirmed the dismissal of a class action lawsuit brought in the Southern District of New York under the Illinois Biometric Information Privacy Act[3] (“BIPA”) for want of Article III standing because the plaintiffs had failed to allege an injury-in-fact, but remanded the case with instructions to amend the judgment and enter a dismissal without prejudice.[4]  The district court had ruled that the BIPA’s limitation of the private right of action to a “person aggrieved by a violation” meant that the plaintiffs’ failure to allege an injury-in-fact was also fatal to their claims as a matter of state law, meaning that the case should be dismissed with prejudice for failure to state a claim.[5]  The Second Circuit vacated that portion of the ruling on jurisdictional grounds, which left the door open for the plaintiffs to attempt to bring their claims in state court without any allegation of actual harm.

Based on the Illinois appellate court’s interpretation of the BIPA in Rosenbach, that door appears to be closed.  In Rosenbach, the plaintiff on behalf of a purported class alleged that a theme park collected fingerprints in violation of the BIPA’s notice and consent provisions, but otherwise alleged no “actual injury” beyond technical violations.[6]  The lower court found that this was sufficient to state a claim under the BIPA, but certified an interlocutory appeal on the issue.[7]  Focusing on the text of the BIPA, and what it means to be “aggrieved,” the appellate court in Rosenbach disagreed, holding that, under Illinois law, a “‘person aggrieved’ by such a violation [of the BIPA] must allege some actual harm.”[8]  According to the appellate court, “[a]lleging only technical violations of the notice and consent provisions of the statute, as plaintiff did here, does not equate to alleging an adverse effect or harm.”[9]

The appellate court drew support for its interpretation of “aggrieved,” which is not defined in the BIPA, from several sources, including Black’s Law Dictionary, which defines “‘aggrieved party’ as ‘[a] party entitled to a remedy; esp., a party whose personal, pecuniary, or property rights have been adversely affected by another person’s actions or by a court’s decree or judgment,”’ and from federal decisions (including the lower court’s decision in Vigil), which have interpreted the BIPA as requiring an actual injury.[10]  The appellate court also looked to how other state courts had interpreted the term “aggrieved” in other statutes, observing that those courts had concluded that “the terms ‘aggrieved’ and ‘injured’ are nearly synonymous and that ‘aggrieve’ means ‘to inflict injury upon,’ which requires a showing of some actual injury or harm.”[11]  Rosenbach rejected the argument that the Illinois legislature intended the BIPA to be a functionally strict liability statute, concluding that “[a] determination that a technical violation of the statute is actionable would render the word ‘aggrieved’ superfluous.”[12]

While the appellate court in Rosenbach found the allegations before it to be insufficient, it also noted that an injury need “not be pecuniary” and that there was no allegation of “any harm or injury to a privacy right.”[13]  It remains to be seen what type of allegations could allege a harm to a privacy right under the BIPA; what is clear is that the allegations must allege an actual injury to be sufficient.

Rosenbach demonstrates that the inquiry of whether a data privacy suit is sufficient to allege a claim under a statute may be functionally coextensive with the Article III standing inquiry.  The language of the specific data privacy statute matters.  The recent decisions addressing the BIPA show that courts will continue to grapple with standing and injury issues as privacy and data breach litigation proliferates.


[1] 2017 IL App (2d) 170317.

[2] 2017 WL 5592589 (2d. Cir. Nov. 21 2017).

[3] 740 Ill. Comp. Stat. 14/1 et seq.

[4] 2017 WL 5592589, at *5.

[5] Vigil v. Take-Two Interactive Software, Inc., 235 F. Supp. 3d 499, 519-21 (S.D.N.Y. 2017) (citation omitted) (emphasis added).

[6] 2017 IL App (2d) 170317, ¶¶ 1, 18.

[7] Id. ¶ 1.

[8] Id.

[9] Id. ¶ 21.

[10] Id. ¶¶ 20-21 (citations omitted).

[11] Id. ¶ 22 (citation omitted).

[12] Id. ¶ 23.

[13]Id. ¶¶ 20 n.1, 28.