Finger Scanning Costs Six Flags $36m

Written by

Theme park operator Six Flags Great America has agreed to pay $36m to settle a class-action lawsuit concerning the gathering and collection of its customers' biometric data.

Filed in Lake County, Illinois, the lawsuit alleges that the use of finger-scanning equipment used at Six Flags entry gates violated the Prairie State's Biometric Privacy Act.

The act regulates how companies collect and use an individual's retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Under the law, which was passed in 2008, a company must obtain an individual's written consent before gathering and storing their biometric data. 

A company that violates the law must pay damages of $1,000 for each negligent violation and $5,000 for each intentional or reckless violation.

Lead plaintiff in the case against the amusement park operator, Stacy Rosenbach, sued the Gurnee branch of Six Flags in 2016 on behalf of her son, Alexander. Rosenbach said her son had supplied his fingerprint to gain access to the park, without first consenting to the collection and storage of his biometric information.

The case landed in the Illinois Supreme Court, where Six Flags argued that no injury had been done to Rosenbach's son, because the biometric data had not been exposed or stolen. 

However, the Court ruled in 2019 that for an individual to qualify as an "aggrieved" person under the Biometric Privacy Act and be entitled to relief and damages, that individual "need not allege some actual injury or adverse effect, beyond violation of his or her rights.”

After a period of mediation, a settlement was proposed that entitles people who first had their finger scanned when entering Six Flags Great America between October 1, 2013, and April 30, 2016, to receive up to $200. People who first had their finger scanned when entering the park between May 1, 2016, and December 31, 2018, could receive up to $60.

Under the agreement, Six Flags, which is headquartered in Arlington, Texas, does not accept any liability or admit any fault. The agreement is provisional and scheduled to be approved at a court hearing in October.

What’s hot on Infosecurity Magazine?