Six Flags collected fingerprints of theme park visitors without their consent but will now pay $36 million USD fine

Amusement park operating company Six Flags reached a settlement to pay $36 million USD as part of a class action lawsuit accusing the company of collecting fingerprint records from its visitors. The Illinois Supreme Court ruled that this practice violates the Biometric Information Privacy Act (BIPA), in effect in this state.

This legislation was passed in 2008 and regulates the way companies collect and use biometric information from users, including retinal records, fingerprints, voice records and facial recognition. One of the most important rules in this regard is that companies require the express consent of individuals to collect this kind of information.

This case began with Stacy Rosenbach, a mother who filed a lawsuit against Six Flags in 2016 accusing park staff in Gurnee, Illinois, of scanning her 14-year-old son’s fingerprints without first seeking his consent and without mentioning details of how the company uses these records.

After a lengthy legal process, the case reached the state Supreme Court, where Six Flags argued that the plaintiff had failed to demonstrate actual harm as set forth in BIPA. The Court dismissed Six Flags’ arguments, ruling that it is not necessary that an actual harm arising from the collection of this data has been presented to consider a person as a victim under the BIPA.

At the conclusion of an arduous mediation process, it was agreed that Six Flags would pay up to $200 USD to people whose biometric data was recorded in its U.S. parks between October 1, 2013 and April 30, 2016. On the other hand, people whose biometric records were scanned between May 1, 2016 and December 31, 2018 could receive up to $60 USD.

This isn’t the first time a company has faced multiple lawsuits for non-compliance with BIPA. A couple of years ago, the American Civil Liberties Union (ACLU) sued startup Clearview AI, arguing that the company maintained a biometric database of billions of people, sharing the data with third-party companies. Vimeo, the popular ad-free video platform, was also the subject of a lawsuit for non-compliance with BIPA.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.