BIPA protects biometric information, which it defines to include:
- Retina or iris scans
- Fingerprints
- Voiceprints
- Scans of hand or face geometry
BIPA prohibits a private entity from collecting, capturing, purchasing, receiving or obtaining an individual’s biometric information, unless it provides certain notice and obtains written consent. Additionally, a private entity in possession of biometric information must (1) develop a written policy and (2) make this written policy available to the public. BIPA further restricts private entities from selling, leasing, trading or profiting from a person’s biometric information.
BIPA provides a private right of action for statutory damages for each violation. BIPA allows for an individual to recover:
- Statutory damages of $1,000 or actual damages, whichever is greater, for a negligent violation;
- Statutory damages of $5,000 or actual damages, whichever is greater, for an intentional violation;
- Reasonable attorneys’ fees and costs, including expert witness fees and other litigation expenses; and
- Any other relief the court may deem appropriate, including injunctive relief.
11 years later, Illinois courts start to interpret BIPA
Standing to sue under BIPA is broader than under federal law. After BIPA was enacted in 2008, it remained stagnant for 11 years before the Illinois Supreme Court had a chance to interpret the statute after an increase in the adoption of biometric technology and the corresponding explosion of litigation in Illinois state and federal courts.
The first key decision was Rosenbach v. Six Flags Entm’t Corp., in which the Illinois Supreme Court held that “an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under [BIPA], in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief pursuant to [BIPA].” 2019 IL 123186, ¶40. This case prompted a significant amount of commentary and analysis because Six Flags conflicts with the U.S. Supreme Court decision in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), which requires a concrete harm for Article III standing.
The Seventh Circuit analyzed this issue in Bryant v. Compass Group USA, Inc. and acknowledged that “standing requirements in Illinois courts are more lenient than those imposed by Article III.” 958 F.3d 617, 622 (7th Cir. May 5, 2020). The Seventh Circuit further acknowledged that federal courts and Illinois courts define “injury-in-fact” differently. Id. The Seventh Circuit reasoned that section 15(b) of BIPA inflicts a concrete injury on consumers because by failing to make the requisite disclosures required under BIPA, the defendant “inflicted the concrete injury BIPA intended to protect against, i.e. a consumer’s loss of the power and ability to make informed decisions about the collection, storage, and use of her biometric information.” Id. at 626-627.
The statute of limitations for BIPA is five years. On February 2, 2023, the Illinois Supreme Court analyzed what was the applicable statute of limitations in Tims v. Black Horse Carriers, Inc. The court determined that since there was no specific statute of limitations under BIPA, it would be “best to apply the five-year catchall limitations period codified in section 13-205 of the Code.” 2023 IL 127801, ¶ 32. The court reasoned that the longer statute of limitations aligns with the General Assembly’s policy concerns, such as “the public welfare, security and safety,” when enacting BIPA. Id. at ¶ 39.
Each violation of BIPA is an independent claim for damages. On February 17, 2023, the Illinois Supreme Court announced its highly anticipated decision from a certified question from the Seventh Circuit regarding damages for BIPA that could significantly alter the course of litigation. In Cothron v. White Castle Sys., the Illinois Supreme Court held that under BIPA, each time a consumer’s biometric information is unlawfully collected constitutes an independent violation of BIPA. 2023 IL 128004, ¶45. The court had previously recognized the potential for significant damages under BIPA and that the purpose of the statute is to give private entities “the strongest possible incentive to conform to the law and prevent problems before they occur.” Id. at ¶41 (quoting Rosenbach, 2019 IL 123186, ¶ 37).
Insurance policy considerations
The above recent Illinois court decisions have swung the door wide open to potential liability for companies using biometric technology. That also means that biometric exclusions seeking to specifically exclude coverage for actions alleging BIPA violations are becoming more common in insurance policies, particularly in employment practices liability (EPL) and cyber policies. Policyholders should carefully review all policies that may be triggered by a BIPA claim (including cyber liability, commercial general liability, EPL, directors and officers liability, and errors and omissions) for any potentially exclusionary language.
In West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc. in 2021, the Illinois Supreme Court held that a general liability insurer owed a duty to defend in an underlying action alleging that its policyholder had disclosed customers’ biometric information to another vendor in violation of the BIPA statute. The court reasoned that the allegations of a nonbodily personal injury or advertising injury fell within policy coverage and the alleged sharing of biometric identifiers constituted a “publication” because that term was undefined and ambiguous as written. The court also rejected the insurer’s argument that the policy’s “Violation of Statutes” exclusion barred coverage, concluding that this exclusion applies only to statutes that regulate certain methods of sending information, such as the Telephone Consumer Protection Act. The court reasoned that BIPA does not regulate the methods of communication of biometric information. Rather, it regulates the collection, storage, handling and use of that information. Courts have also rejected the application of employment-related practices exclusion in general liability policies, concluding that the practice of requiring employees to clock in and out using a biometric time clock was not an employment-related practice of the type contemplated by the exclusion. See State Auto Mut. Ins. Co. v. Tony’s Finer Foods Enters., Inc., No. 20-CV-6199, 2022 WL 683688, at *9 (N.D. Ill. Mar. 8, 2022) (J. Seeger); Am. Fam. Mut. Ins. v. Carnagio Enters., Inc., No. 20 C 3665, 2022 WL 952533 *5-6 (N.D. Ill. Mar. 30, 2022) (J. Lee).
With respect to coverage under EPL policies, in Church Mutual Insurance Company v. Prairie Village Supportive Living, LLC, the insured’s former employee brought a class action alleging the insured unlawfully collected, used and disseminated employee biometric identifiers (fingerprints) in violation of BIPA, and the insured sought coverage from its insurer under its EPL policies. No. 21 C 3752, 2022 U.S. Dist. LEXIS 143495 (N.D. Ill. Aug. 11, 2022). The court concluded that an exclusion titled “Violation of Laws Applicable to Employers” barred coverage. That said, the dearth of case law suggests that there are plenty of EPL policies that do not incorporate such exclusions. Where policyholders have EPL coverage that does not contain a Violation of Laws Applicable to Employers exclusion, they should pursue EPL coverage for employee-based BIPA litigation without any discouragement from the Church Mutual opinion. Indeed, in Twin City Fire Ins. Co. v. Vonachen Servs., No. 20-cv-1150-JES-JEH, 2021 U.S. Dist. LEXIS 201174 (C.D. Ill. Oct. 19, 2021), the court found a duty to defend coverage existed for the insured under an EPL policy for employee-based BIPA litigation.
With respect to cyber policies, those policies typically only provide coverage for a data breach involving sensitive customer information or some other network security failure. If a cyber policy’s definition of “confidential information or data” is broad enough, it could likely cover biometric data for any BIPA claims involving allegations of privacy breaches, although this may not include “technical” violations of BIPA, such as at issue in Rosenbach.
Companies should review all of their existing insurance policies for potential coverage for any current or future BIPA-related lawsuits. While there are several pro-policyholder cases requiring insurers to provide coverage to their policyholders, insurers will try to exclude these claims in the future through newly added biometric exclusions, or at least significantly limit coverage.