Viewpoint: Illinois Supreme Court Decision Will Spur a Spike in BIPA Claims

The collection and use of biometric information as a means for verifying security and transactions is now commonplace. The result is a recent wave of legislation aimed at protecting individuals from the unauthorized collection, use and disclosure of biometric data, which can involve everything from unlocking an iPhone using facial geometry to clocking in at work using a fingerprint.

As the Supreme Court of Illinois recently made clear in Cothron v. White Castle System Inc.,1 a violation of the Biometric Information Privacy Act (BIPA) accrues every time a company scans or transmits an individual’s biometric data without informed consent. This may open the floodgates to significant damages awards against businesses that use or collect biometric information. Brokers and companies facing these suits and potential liabilities should be considering insurance coverage that may provide both a defense and indemnity to insureds in connection with them.

Biometric Data Use and Legislation

The past decade has seen an explosion in the corporate collection and use of biometric data. This includes facial-recognition technology, fingerprint scans, iris and retina scans, palm-print readings and voiceprints.

Among other applications, companies now use facial-recognition technology to verify access for security systems, fingerprint scanning to complete admission and purchases for theme park and grocery store visitors, and voiceprint technology to track customers’ purchasing patterns. The use of this data also extends to the fashion industry, as brands use virtual try-on technology to allow potential customers to “see” how clothing and accessories look. Although convenient, the use of biometric data to verify security and transactions presents an ongoing risk if compromised because this data is unique and cannot be replaced or altered.

Legislative Response

In response to these concerns, several municipal and state legislatures enacted laws to protect consumers against the collection and use of biometric data. Among them are Arkansas, California, Colorado, New York, Oregon, Texas, Virginia and Washington, as well as Baltimore and New York City. More proposed legislation from various states and cities is on the way. The first and most heavily litigated of these statutes was the Biometric Information Privacy Act (BIPA), which Illinois passed in 2008. BIPA has produced the most litigation over biometric data because it created a private right of action for violating the statute.

BIPA operates as an informed-consent statute, meaning that companies may not collect, use or transmit consumers’ biometric data to third parties without first obtaining their written consent. BIPA lawsuits have already resulted in some eye-catching settlements. Facebook paid $650 million to settle a lawsuit claiming that the company improperly collected users’ photos without consent; TikTok’s parent company paid $92 million to settle a similar claim. Other settlements of class-action BIPA claims have continued to make headlines in recent months. As remarkable as those numbers may seem, the trend is likely to continue following Cothron.

Damages Under BIPA

Companies that collect or use biometric data should be aware of Cothron. There, the plaintiff manager alleged that White Castle improperly scanned and transmitted her fingerprint data to a vendor to verify her access to pay stubs and company computers. This is a common allegation, as many employees bring BIPA claims alleging that their employers violated the statute by requiring them to clock in and out of their shifts using fingerprint access systems. In response, White Castle argued that the manager’s BIPA claim was time-barred, because it accrued upon the time of the first fingerprint scan in 2008. The plaintiff countered by arguing that a new BIPA claim accrued each time White Castle scanned her fingerprints and transmitted them to the vendor.

The Supreme Court of Illinois agreed with the manager, holding that a separate claim accrues each time a company scans or transmits biometric data. The decision will undoubtedly have massive repercussions, because BIPA allows a successful claimant to recover damages up to $1,000 for each negligent violation and up to $5,000 for each intentional or reckless violation. Because many BIPA claims allege repeated collection, use or transmission of biometric data for large numbers of individuals over extended periods of time, potential BIPA damages can add up in a hurry. As just one example, White Castle estimated that if the 9,500 current and former employees in Cothron prevailed, the class-wide damages in that case could exceed $17 billion.

In an earlier decision (Rosenbach v. Six Flags Entertainment Corp.),2 the same court also held that BIPA plaintiffs need not allege actual injury to have standing to sue under the act, compounding potential liability for businesses facing BIPA claims.

Claims and Coverage for BIPA Damages

While Cothron stands as a sobering reminder of potential damages for BIPA violations, recent insurance coverage disputes largely confirm that many standard business insurance policies will cover these liabilities. Starting with the landmark case of West Bend Mutual Insurance Co. v. Krishna Schaumburg Tan Inc.,3 the Illinois Supreme Court held that general liability coverage for “personal and advertising injury” required the insurer to defend the insured tanning salon against a BIPA lawsuit alleging that the salon improperly collected and transmitted a customer’s fingerprint data to a third-party vendor.

The court further held that a violation of statutes exclusion (which is often included in general liability policies) did not bar coverage for the customer’s BIPA claim, reasoning that the listed examples of excluded statutes only regulated methods of communications, whereas BIPA regulates the collection, use and disclosure of biometric data. Because the regulation of biometric information is different from the regulation of methods of communication, the court held that the violation of statutes exclusion did not apply.

With Krishna having established that general liability policies cover BIPA claims, the debate shifts to whether certain other exclusions, as insurers contend that exclusions for employment-related practices and the access or disclosure of confidential or personal information bar coverage. Although this remains an evolving legal space, courts have held that these exclusions also do not apply.

Privacy claims can also be covered under other types of policies covering risks such as cyber, D&O, E&O, employment practices Llability and Tech E&O, among others.

Conclusion

Unfortunately, the story does not end with Cothron or in Illinois. Maryland also adopted a privacy regime with a private right of action and there are others. In light of Cothron, insurance brokers and claims professionals can expect to be receive a significantly greater volume of privacy claims and with larger alleged damages. Given the increase in potential exposure, risk management professionals, both inside and outside of organizations, should work to ensure that corporate insureds have coverage in place, with sufficient limits, to protect against the effect of privacy liability

1 Cothron v. White Castle Sys., Inc., No. 128004, 2023 WL 2052410 (Ill. Feb. 17, 2023).

2 Rosenbach v. Six Flags Ent. Corp., 129 N.E.3d 1197 (Ill. 2019).

3 W. Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 183 N.E.3d 47 (Ill. 2021).