Six Flags to Pay $36M Over Collection of Fingerprints | Threatpost

Theme park operator Six Flags has agreed to pay $36 million to settle a class-action lawsuit over its acquisition of the fingerprint data of visitors to its theme parks.

The Illinois Supreme Court ruled in the case Rosenbach v. Six Flags that collecting biometric data at premises’ gates by scanning fingerprints of people who enter the company’s theme park violates the Illinois Biometric Information Privacy Act (BIPA).

Passed in 2008, the BIPA regulates how companies collect and use someone’s biometric data, such as a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. The law mandates that a company must obtain a person’s written consent before acquiring and storing this type of data.

The case involved a mother, Stacy Rosenbach, who in 2016 sued Six Flags Entertainment Corp. after the Gurnee, Illinois, branch of the theme park scanned the fingerprint of her 14-year-old son Alex without obtaining written consent and without properly disclosing the company’s business practices as to how they would use the data.

After passing through lower courts, the case made it to the Illinois Supreme Court, where Six Flags filed a motion to dismiss the case, claiming that Rosenbach was not an “aggrieved party” according to the BIPA because she had not proven an actual injury under the law.

However, the court denied the motion, ruling that someone “need not allege some actual injury or adverse effect, beyond violation of his or her rights” to qualify as an “aggrieved” person under the law, according to its decision.

Mediation between the parties occurred, after which they agreed to a settlement that entitles anyone who first had their finger scanned by Six Flags Great America when entering the park between October 1, 2013, and April 30, 2016, to receive up to $200. People who first had their finger scanned when entering the park between May 1, 2016, and December 31, 2018, could receive up to $60.

Win for Privacy Advocates

The case is not the first time the BIPA has been cited by a lawsuit aiming to limit a company’s collection of biometric data, which in and of itself has been a hotbed of controversy for its privacy implications.

In a high-profile case still being heard, the American Civil Liberties Union (ACLU) sued New York-based startup Clearview AI on behalf of a number of organizations comprised of vulnerable communities for amassing a database of biometric face-identification data of billions of people and selling it to third parties without their consent or knowledge.

Previously, Vimeo, the popular ad-free video platform, also was slapped with a lawsuit for allegedly storing people’s facial biometrics without their consent or knowledge.

The court’s decision in the Rosenbach case now sets a precedent for how the BIPA can be used legally in the future, clearly setting limits on companies’ collection of biometric data and seeming to side in favor of private citizens’ rights.

Indeed, one privacy organization backed Rosenbach’s case against Six Flags with a legal brief called an amicus to lend support for its position against the collection of biometric data by amusement parks.

The Electronic Privacy Information Center (EPIC) first identified the risk of this practice in a document published in 2018, Theme Parks and Your Privacy, which “noted that it is disproportionate and unnecessary for theme parks to collect biometric identifiers from attendees,” according to the brief.

The filing went on to cite numerous security risks that people face the moment they give up biometric-identity data as reasons the court needs to hold companies accountable for breaking laws, like the BIPA, that are intended to limit the collection of this data.

“A private entity that chooses to collect biometric information in violation of BIPA should not be allowed to ignore its legal obligations,” EPIC wrote in the brief.
