In the past 20 years, the number of electronic privacy statutes enacted in the United States and abroad has grown substantially. These laws, from the EU’s General Data Protection Regulation (GDPR) to California’s Consumer Privacy Act, impact the means of collecting, storing, selling, and/or deleting personal information from internet users by private entities.
One law that is a growing cause for concern in connection with corporate liability risk is the Illinois Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (BIPA). Biometric information is one of the most personal forms of information and, as such, is often subject to separate and stricter protection when compared with other electronic data. BIPA, first enacted in 2008, has been the basis for significant litigation venued in Illinois and elsewhere in the United States. Unlike other iterations of biometric laws found in Texas and Washington, BIPA provides a private right of action, making it the subject of many resulting class action settlements in the millions of dollars. As the legislatures in New York and Maryland have now proposed legislation similar to BIPA, insurers should be aware of how the BIPA statute works, its growing application, and its potential impact in the years to come.
Defining BIPA
Biometric data involves unique physical characteristics by which a person can be recognized, such as fingerprints, retina or iris scan, facial geometry, or a recording of the voice. Biometrics are being used in a number of areas, including law enforcement and health care, as well as for physical access to buildings and consumer identification. This includes collection of such data by private entities in connection with the work of their own employees, as well as with respect to customers and external users.
Illinois was one of the first states to address the concerns of biometric privacy with the passage of BIPA in 2008. As the statute itself (740 ILCS 14/5(g)) notes:
- BIPA was adopted in connection with the growing use of biometrics “in the business and security screening sectors and appears to promise streamlined financial transactions and security screenings.”
- An “overwhelming majority of members of the public are weary of the use of biometrics when such information is tied to finances and other personal information.”
- BIPA created a means of regulating the “collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.”
- BIPA outlined that no private entity “may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless” they receive informed written consent.
- Under BIPA “no private entity in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise profit from a person's or a customer's biometric identifier or biometric information.”
- BIPA provides a private right of action against a private entity that negligently or intentionally violates the Act, allowing for liquidated damages of $1,000 to $5,000, plus reasonable attorneys’ fees and costs.
Two other states, Texas and Washington, notably addressed the protection of biometric information. The Texas law, Chapter 503, Title 11, which has been in place since 2009, outlines that a person may not capture biometric information for a commercial purpose unless that person is informed and consents. Chapter 19.375 of the Revised Code of Washington also requires similar consent.
That said, under the Texas and Washington laws, only the state attorney general can bring an action for a violation of biometric privacy. As a result of this lack of “private action,” the number of matters involving the biometric protection of Texas and Washington residents is far fewer compared with those brought under BIPA.
Litigation
What has made BIPA stand out is its private right of action to address damages in connection with a private entity’s use of biometric information. One of the most significant cases involving BIPA is the January 2019 decision by the Illinois Supreme Court in Rosenbach v. Six Flags Entertainment Corporation, 2019 IL 123186 (Ill 2019), which held that a plaintiff need only allege a violation of BIPA and not “actual harm” to satisfy the statutory requirements for bringing a claim as an “aggrieved person.”
More than two years later, on May 14, 2021, the court in Rosenbach, Case No. 16-CH-13, Lake County, IL, Circuit Court, approved a class action settlement of $36 million on behalf of individuals who had their fingerprints scanned at the Six Flags theme park between October 1, 2013, and December 31, 2018. The court is expected to rule on final approval after a settlement fairness hearing scheduled for October 29, 2021.
Following the Rosenbach decision, the number of class actions involving BIPA grew exponentially. The most prominent of these is In Re Facebook Biometric Information Privacy Litigation (15-cv-3747), which is still before the U.S. District Court for the Northern District of California. In 2019, the Ninth Circuit affirmed the District Court’s order certifying a class of Illinois Facebook users who alleged BIPA violations in connection with Facebook’s use of facial-recognition technology “without obtaining a written release and without establishing a compliant retention schedule.” Patel v. Facebook, Inc., 932 F.3d 1264, 1267 (9th Cir. 2019), cert. denied, 140 S. Ct. 937, 205 L. Ed. 2d 524 (2020). In January 2021, the Court rejected the parties’ initial settlement proposal of $550 million as being inadequate to compensate the roughly six million Illinois residents. The parties re-negotiated a settlement at $650 million, which the Northern District of California approved.
Additional Cases
There have been other significant settlements under BIPA, including the tentative $92 million class action settlement in In Re TikTok, Inc Consumer Privacy Litigation, 20-cv-04699 (N.D. Ill). To date, the court has not granted preliminary approval of the settlement over concerns about potential opt-outs and the settlement’s value for the class of Illinois TikTok users.
There also are a number of BIPA cases currently on appeal to the Illinois appeals court and the Seventh Circuit. In McDonald v. Symphony Bronzeville Park, LLC, No. 1-19-2398, the Illinois Supreme Court will answer whether the Illinois Workers’ Compensation Act bars claims for statutory damages under BIPA after both the trial and appellate courts held there was no such bar. Tims v. Black Horse Carriers, which is on appeal before the Illinois Appellate Court for the First District, will answer the certified question of whether a five-year or a one-year statute of limitations governs BIPA, while in Marion v. Ring Container Techs. LLC, the Illinois Appellate Court for the Third District will resolve whether a one-year, two-year, or five-year limitations period governs. Finally, Cothron v. White Castle System, Inc., No. 20-3202, currently before the Seventh Circuit, is addressing whether each time biometric information is collected without consent is a separate event.
There are a significant number of lawsuits that remain pending involving BIPA, and there does not appear to be any slowdown.
Other Legislative Initiatives
With the growing rise in BIPA litigation, it is not surprising that other states are considering similar legislation. New York’s state assembly at the beginning of 2021 proposed Assembly Bill 27, the Biometric Privacy Act (BPA). Similar to BIPA, the proposed New York law is focused on the need for a company to have a publicly available written policy on getting informed consent for the retention, collection, disclosure, and destruction of a person’s biometric information. Significantly, like BIPA but unlike the laws in Texas and Washington, the proposed BPA provides a private right of action for any person “aggrieved by a violation” of the proposed bill. The potential liquidated damages for negligent violation of BPA are similar to BIPA, with damages between $1,000 and $5,000, plus reasonable attorneys’ fees and costs.
Maryland’s bill, Biometric Identifiers and Biometric Information Privacy Act, H.B. 218 and S.B. 16, is similar to BIPA and the proposed New York law in requiring that a private entity possessing biometric information have a written policy regarding the collection, retention, and destruction of the biometric information. However, the Maryland bill notes that such a policy may not necessarily be made public if the collection of such information applies only to employees and is used for the organization’s internal operations. Similar to Illinois, the Maryland bill specifically states that a private entity “may not sell, lease, trade, or otherwise profit from an individual’s biometric identifiers or biometric information.” The potential damages under the proposed Maryland law of $1,000 to $5,000, plus attorneys’ fees, are similar to BIPA and the proposed New York bill.
Analysis
Given the amount of litigation stemming from BIPA, the proposed bills in New York and Maryland have the potential to generate an influx in the number of claims regarding collection, storing, dissemination, and/or destruction of biometric information. While BIPA only applies to Illinois residents, companies often engage in interstate commerce, and complying with the most restrictive statute can help limit potential liability. Further, if legislation such as that proposed in New York and Maryland is enacted, being proactive and transparent with corporate policies on biometrics will help with compliance.
That said, insurers should be aware of the potential liability for organizations related to their insureds’ collection of biometric information and identifiers.
- On a basic level, insurers should be made aware if their insured is collecting biometric information and the purpose for such collection.
- There also should be an understanding of the insured’s corporate policies involving biometric data and whether they are ensuring proper security around such data.
- Further, the insurer should determine if there is a policy by the insured that prohibits the sale of biometric data, since none of the current or proposed statutes permit such a sale.
- If the insured is collecting such information, it should advise whether it has a written release and disclosures for end users and employees that are compliant with BIPA and related statutes.
These points are important because recent insurance coverage cases involving BIPA demonstrate that such violations may be covered under commercial general liability policies. One recent example is West Bend Mutual Ins. Co. v. Krishna Schaumburg Tan Inc., 2021 IL 125978 (May 20, 2021), where the Illinois Supreme Court held that a general liability insurer must defend a tanning salon against a customer’s BIPA claims because the proposed class action alleged a privacy violation that was potentially covered. This issue continues to be litigated, as reflected in Citizens Insurance Co. v. Wynndalco Enterprises LLC, 20-cv-03873, in the U.S. District Court for the Northern District of Illinois, where there is a declaratory judgment action and a pending motion for judgment on the pleadings for BIPA coverage under a general liability insurance policy.
Cases such as Rosenbach, In Re Facebook, and In Re TikTok, Inc. reflect the potential significant damages to an insured and its insurer for noncompliance with BIPA. While those example cases involved only Illinois residents, if the proposed New York and Maryland laws are enacted, many of those states’ residents, numbering 20 million and 6 million, respectively, are potential plaintiffs.
Biometric data has potential benefits to increase efficiencies and security for business, but with that great power comes great responsibility. With the increase in sophistication of biometric technology, the risks involving biometric information likely will continue to increase in 2021 and beyond, and insurers should be aware of the potential risks.
Also published on the PLUS Blog.