In a test of the enforceability of the Illinois Biometric Information Privacy Act, the Illinois Supreme Court ruled that a 14-year-old boy was entitled to statutory damages – between $1,000 to $5,000 – after a Six Flags amusement park issuing a season pass didn’t get his express permission before fingerprinting him.

“The Illinois law does not specify that the individual has to suffer any cognizable harm in order to collect damages,” which has placed it at odds with the U.S. Supreme Court’s Spokeo ruling, said Dorsey & Whitney Partner Robert Cattanach.

In Spokeo the court said “that absent some cognizable harm, individuals complaining of privacy violations had no standing to bring actions against entities alleged to have violated their privacy,” said Cattanach. If the ruling is “allowed to stand – an appeal to the United States Supreme Court would appear to be likely –  the Illinois Court’s ruling would signal a significant sea change in how courts allow claims without actual damages to proceed, and open the floodgates to class actions claiming privacy violation seven without any showing of actual harm,”  

Justin Kay, a lawyer at law firm Drinker Biddle & Reath in Chicago, said the ruling will likely intensify a push to amend the statute, noting that amendment efforts in the wake of lawsuits against Facebook and other tech companies over facial recognition software and other attempts to “reign in the scope of the Illinois law” did not succeed.

“The issue for the court to decide in [the] Rosenbach [case] was whether the Illinois Biometric Information Privacy Act would be a ‘gotcha’ statute, based on the failure of businesses to use magic words when using technology that incorporates biometrics,” said Kay. “With their ruling today, it is.”

He explained the court, in essence, said “a company that tells you verbally they are going to take your fingerprint for access control or security purposes – or that doesn’t tell you, but you know, based on the context – but that fails to inform you in writing that they are doing exactly what it is obvious they are doing, is still on the hook for thousands of dollars in statutory damages” regardless of if it has “military-level encryption and security protocols to safeguard your fingerprint information.”