This SportTechie Legal article was written by Rob Newman, an attorney in the Chicago office of Loeb & Loeb LLP.
After piloting biometric ticketing at a handful of ballparks, Major League Baseball is planning to expand its use of fingerprint-based tickets around the country in 2019. Biometric identification has hit the big leagues.
The league is partnering with airport security company Clear and Tickets.com, the MLB’s wholly owned ticketing tech provider, to ditch paper and mobile tickets. On game days, baseball fans with a Clear profile and an MLB.com account will be able to tap or swipe their fingers to enter ballparks. Fans will also be able to use Clear’s biometric identity platform to pay for concessions, including validating their age to purchase beer.
Biometric technology can identify individuals using unique physical attributes including their fingerprints, face, retinas, and voice. Businesses have been using biometrics for security purposes for years. Many employers scan employees’ biometrics to access company devices, including laptops and smartphones, and to clock in and out of work. The most common type of biometric authentication used is fingerprint scanning, followed by facial recognition, according to the Society for Human Resource Management.
Many consumers have become familiar with fingerprint scanning through services provided by Clear that allow passengers to move more quickly through security lines at airports. Others increasingly use their fingerprints or their faces to unlock their phones.
But the MLB-Clear partnership marks the first time a major sports organization has used biometrics to identify fans, and although the league won’t store the data itself, the general collection and use of sports fans’ biometric data raises a number of privacy considerations. For example, one of the core advantages of biometric data is that it generally cannot be changed. While this makes it effective from an authentication perspective, its use also increases the potential impact of a data incident.
Regulation of the use of biometric information is still in its infancy. Only three states have passed laws to protect biometric information. No federal legislation has been enacted.
In 2008, Illinois passed the Biometric Information Privacy Act in order to prohibit the collection of a person’s biometric information without his or her written consent. The Illinois law requires organizations obtaining biometric identifiers or biometric information to inform individuals that their biometric data is being collected, the purpose of the collection, and how long it will be used and stored.
Texas and Washington have passed similar legislation, and several other states, including Alaska, Connecticut, Montana, and New Hampshire, have considered, but not yet enacted, their own laws. However, Illinois’s BIPA is the only law that includes a private right of action for those “aggrieved” by a violation of the statute. That detail has meant that nearly all litigation over the collection of biometric data has occurred in Illinois or under the Illinois statute.
A recent decision by the Illinois Supreme Court involved the use of consumer fingerprinting to access a season pass at a theme park. The result of the closely watched case sheds at least some light on what a plaintiff needs to allege to support a BIPA claim.
In Rosenbach v. Six Flags Entertainment Corp., Stacy Rosenbach sued a Six Flags theme park after her son was fingerprinted in order to access a season pass she had purchased for him. Rosenbach argued that the park violated BIPA because it did not get her son’s written consent to be fingerprinted, or disclose what it does with the biometric data. Rosenbach admitted that her family had not suffered any harm, although she asserted that she would not have purchased the season pass for him had she known he would be fingerprinted.
The trial court rejected the argument advanced by Six Flags that Rosenbach’s suit must fail because she did not allege any actual harm as a result of the allegedly illegal data collection. But the court agreed to present to the appeals court the question of whether a person “aggrieved” by a violation of BIPA must allege “some actual harm.” In December 2017, the appeals court reversed the trial court’s decision, opining that a plaintiff must allege actual harm as a result of the alleged violation to maintain a claim, although the harm need not be financial.
Rosenbach then appealed to the Illinois Supreme Court on the narrow question of whether a party is an “aggrieved party” if the only injury is the collection of data without the proper disclosures and consent. Last month, that court answered with a yes, holding that an individual can be an “aggrieved party” where there is only an invasion of a legal right, without actual harm.
Citing a 1913 case, Glos v. People, the Illinois Supreme Court noted the definition of an “aggrieved party” refers to either a person who has suffered a pecuniary harm or one who has had “a legal right invaded by the act complained of.” Therefore, “when a private entity fails to comply with [BIPA’s consent and disclosure] requirements, that violation constitutes an invasion, impairment, or denial of the statutory rights of any person or customer whose biometric identifier or biometric information is subject to the breach.”
While Illinois’s BIPA is—for now—the only state statute that gives consumers a right to sue for violations, its application may not be restricted to the collection and use of biometric data in that state. Litigation could turn on where the biometric information is collected, where the fans are from, where the data is stored, and where a biometric ticketing vendor is located.
The use of individuals’ unique biometric data as an identification tool has been both effective and controversial in other industries, and brings a variety of potential legal considerations. As MLB expands biometric ticketing nationwide, and more fans become exposed to it, legal discussion is set to continue.
Correction: An earlier version of this article implied that MLB stored the data itself and that data collection in some instances might be involuntary. All biometric data collection is voluntary and MLB does not store the data.