Six Flags Biometric Privacy Case Explained

How a theme park fingerprint dispute helped define biometric privacy rights in Illinois.

By Medha deb
Created on

The dispute involving Six Flags and fingerprint scanning became one of the most important cases in the modern debate over biometric privacy. At its core, the case asked a simple question with broad consequences: can a company collect a person’s fingerprint without following strict notice-and-consent rules, and can that person sue even if no traditional financial loss can be shown? Illinois courts answered yes, and that answer helped turn biometric compliance into a major legal issue for businesses across the country.

This article explains the legal background of the case, why it mattered, what the Illinois Biometric Information Privacy Act requires, and why companies that use fingerprint or facial-recognition systems now face much higher compliance expectations.

Why the case drew national attention

The controversy gained attention because it involved an amusement park, a child, and a common convenience feature: fingerprint scanning for entry. Six Flags used finger-scan gates for access control at one of its parks, and the plaintiffs alleged that the park collected biometric information without obtaining the legally required written consent and disclosures.[10]

What made the dispute especially significant was not only the technology involved, but the legal theory behind it. The plaintiffs argued that biometric data is highly sensitive because it is tied to a person’s physical identity and cannot easily be changed if exposed or misused. That concern helped push the case beyond a narrow consumer dispute and into a broader policy debate about digital identity, privacy rights, and corporate responsibility.

Read More

How to Deal With Insurance Companies >

How to Deal With Insurance Companies

What Illinois law requires

The Illinois Biometric Information Privacy Act, commonly called BIPA, is one of the strongest biometric privacy laws in the United States. The law requires private entities to give people written notice before collecting biometric identifiers or biometric information, explain why the data is being collected, state how long it will be kept, and obtain a written release before collection begins.

BIPA also restricts how companies may use, disclose, sell, or profit from biometric data. In addition, businesses must publish a retention policy and destroy biometric information according to the statute’s schedule.

  • Written notice must be provided before collection.
  • Written consent or a written release is required.
  • The purpose of collection and retention period must be disclosed.
  • Biometric data may not be sold or improperly shared.
  • Companies must maintain a destruction policy and follow it.

These requirements are strict by design. Unlike ordinary account data, biometric identifiers are treated as especially sensitive because they are permanent, difficult to replace, and closely linked to personal identity.

How the Six Flags lawsuit developed

The lawsuit arose after a parent alleged that Six Flags scanned a minor’s fingerprint without the proper disclosures and consent required by BIPA.[10] The legal issue was not whether the park used technology for a legitimate operational purpose, but whether it followed the statutory process before collecting the biometric information.

Six Flags argued that the plaintiff should not be allowed to sue without showing actual harm, such as identity theft or financial loss. That argument reflected a common defense in privacy litigation: if there is no visible injury, then there should be no case. The Illinois Supreme Court rejected that view.

The court held that a person does not need to prove additional injury beyond the violation of statutory biometric rights in order to pursue relief. That ruling transformed BIPA from a statute that could be ignored until harm appeared into a law with immediate enforcement consequences.

Why the court’s reasoning mattered

The most important part of the decision was the court’s treatment of “harm.” The court recognized that biometric privacy itself is a protected interest, and that losing control over one’s fingerprint or similar identifier is not a minor technical issue. In other words, the injury is the unlawful collection or handling of the biometric data, not only the downstream misuse that might follow.

That approach matters because many privacy violations do not produce instant, visible damage. A company may scan, store, or retain biometric data in a way that appears harmless at first, yet still expose the person to risks that are difficult to measure. The Illinois Supreme Court’s decision acknowledged that the legislature created BIPA to prevent that risk before it grows into something worse.

The decision also strengthened the private right of action under the statute. Once the court confirmed that a statutory violation is enough to bring suit, BIPA cases became much easier to file and much harder to dismiss early.

What businesses learned from the ruling

For businesses, the case delivered a blunt message: biometric systems cannot be treated like ordinary badge scans or customer sign-in tools. A company using fingerprint readers, facial recognition, or similar systems in Illinois must verify that notice, consent, retention, and destruction procedures are fully aligned with the statute.

That requirement has practical implications across industries. Theme parks, gyms, warehouses, schools, healthcare facilities, and software platforms may all rely on biometric tools for convenience or security. But convenience does not reduce compliance duties. If the data collected is biometric and the law applies, the company must follow the statute before the first scan occurs.

Issue What BIPA demands Why it matters
Notice Clear written disclosure before collection People must know what is being collected and why
Consent Written release before collection Unauthorized collection can create liability
Retention Published retention and destruction policy Limits how long biometric data may remain stored
Use and disclosure Restricted sharing, sale, and profit Biometric data cannot be treated like a normal asset

Because BIPA permits damages for each violation, businesses may face large exposure if their practices affect many users over time. That risk is one reason biometric compliance programs now receive far more attention from legal and technology teams than they did when the law was first enacted.

Why plaintiffs’ lawyers viewed the case as a turning point

For consumer advocates and privacy lawyers, the ruling confirmed that a privacy statute can have real force even when a plaintiff cannot show conventional injury. That is important in data cases because a person often does not discover misuse until long after the data has been collected.

The decision also gave plaintiffs a straightforward theory: if a company collected biometric data without the procedures required by law, the statute itself supplies the basis for a claim. That clarity made BIPA one of the most closely watched privacy statutes in the country.

In practice, the case encouraged more litigation over collection practices, consent forms, retention schedules, and biometric system design. It also pushed companies to ask whether their internal policies could survive scrutiny if challenged in court.

How the settlement phase reinforced the stakes

Later reporting showed that Six Flags agreed to a multimillion-dollar settlement over alleged BIPA violations, reinforcing the idea that biometric privacy claims can carry substantial financial exposure. The settlement structure reflected the large number of affected people and the seriousness of the alleged noncompliance.

That outcome did not just resolve a single dispute. It also signaled to other companies that biometric privacy litigation could produce expensive class-action consequences, especially where a business uses the same collection method on many customers or employees over a long period.

Practical lessons for organizations that use biometrics

Organizations that rely on fingerprint, face, iris, or voice recognition tools should treat the Six Flags case as a compliance warning. The lesson is not simply that biometric data is regulated; it is that procedural compliance must happen before collection begins.

  • Audit every system that captures biometric information.
  • Confirm whether written notice is delivered before first use.
  • Review consent language for specificity and clarity.
  • Adopt and publish a retention and destruction policy.
  • Limit vendor access, storage, and downstream disclosure.

These steps matter because biometric systems often involve multiple actors, including device manufacturers, software vendors, and service providers. If any part of the process fails to match the statute, the legal risk can spread quickly.

Frequently asked questions

Did the court say a person must show identity theft or financial loss to sue? No. The Illinois Supreme Court held that a BIPA violation itself is enough to support a claim for relief.

Why are fingerprints treated differently from ordinary customer data? Fingerprints and similar identifiers are biometric data, which is considered uniquely sensitive because it is tied to the body and cannot easily be replaced if compromised.

Does the case only matter for amusement parks? No. The ruling affects any private entity using biometric systems in Illinois, including employers, retailers, schools, and technology companies.

Can companies avoid liability by arguing the violation was technical? The Illinois Supreme Court rejected the idea that violating BIPA is merely a technical problem without legal consequence.

Why did this case become so influential outside Illinois? Because it showed that biometric privacy laws can create meaningful private rights and substantial exposure, which influenced how businesses and lawmakers think about biometric governance more broadly.

What the case represents now

The Six Flags biometric privacy dispute stands as a landmark example of how state privacy law can reshape business practices. It demonstrated that collection rules are not optional, that consent must be informed and documented, and that courts may treat biometric privacy as a legal right worthy of direct enforcement.

For companies, the case remains a reminder that data governance is not only about cybersecurity. It is also about respecting the legal limits placed on how personal identifiers are gathered, stored, and used.

For consumers, it confirms that biometric data is not just another form of account information. It is a personal identifier with long-term consequences, and in Illinois at least, the law gives people a direct way to challenge misuse.

References

  1. Six Flags agrees to $36 million settlement over alleged BIPA violations — Capitol News Illinois. 2024-01-11. https://capitolnewsillinois.com/news/six-flags-agrees-to-36-million-settlement-over-alleged-bipa-violations/
  2. Rosenbach v. Six Flags Entertainment Corp.: Implications for the Right to Biometric Privacy — Columbia Undergraduate Law Review. 2019-01-01. https://www.culawreview.org/journal/rosenbach-v-six-flags-entertainment-corp-implications-for-the-right-to-biometric-privacy
  3. Victory! Illinois Supreme Court Protects Biometric Privacy — Electronic Frontier Foundation. 2019-01-25. https://www.eff.org/deeplinks/2019/01/victory-illinois-supreme-court-protects-biometric-privacy
  4. Six Flags biometric data lawsuit could impact use of fingerprints — blooloop. 2018-05-02. https://blooloop.com/theme-park/news/six-flags-fingerprint-lawsuit/
  5. What a Trip to Six Flags Means for Facebook, Data Privacy, & You — Relativity. 2019-01-25. https://www.relativity.com/blog/trip-to-six-flags-facebook-data-privacy-and-you/
  6. The Implications of Six Flags Biometrics Ruling on Silicon Valley — WTTW. 2019-01-29. https://news.wttw.com/2019/01/29/implications-six-flags-biometrics-ruling-silicon-valley
  7. Rosenbach v. Six Flags — American Civil Liberties Union of Illinois. 2019-01-25. https://www.aclu-il.org/cases/rosenbach-v-six-flags/
Medha Deb is an editor with a master's degree in Applied Linguistics from the University of Hyderabad. She believes that her qualification has helped her develop a deep understanding of language and its application in various contexts.

Read full bio of medha deb