Client Alert: Biometric Information Privacy Act
- Be proactive and assess compliance risks
- Review our General Checklist For Compliance to prepare
- Check your insurance coverage
What Is BIPA?
The Illinois Biometric Information Privacy Act (“BIPA”)¹ was enacted in 2008 to regulate private entities’ collection, storage, use, and transmission of biometric identifiers and biometric information.² Biometric information includes, for example, fingerprints or retina, voice, or face scans. BIPA requires anyone who collects, captures, purchases, obtains, shares, or discloses biometric information – including employers – to first inform the person, disclose the purpose and duration of the storage, and obtain informed written consent.
BIPA violations can result in a $1,000 penalty for each negligent violation, a $5,000 penalty for each willful or reckless violation, and the payment of an opponent’s attorneys’ fees and litigation costs. While two other states have implemented similar laws, Illinois is currently the only state to provide a private right of action. The area is quickly evolving, however, and other states may follow suit.
Recent Illinois Supreme Court Decision — Actual Harm Not Required
On January 25, 2019, in Rosenbach v. Six Flags Entertainment Corporation, the Illinois Supreme Court held that a violation of BIPA’s notice, consent, disclosure, or other requirements is enough for a person to be “aggrieved” under the statute. Consequently, plaintiffs need not suffer actual harm, such as improper disclosure of their biometric information, to bring a BIPA claim.³ It is unclear what effect the Rosenbach case will have on cases pending in federal court.
The Illinois Supreme Court decision appears to have already led to an increase in BIPA lawsuits, and the number will likely continue to rise. Employers that require employees to use fingerprints for timekeeping or security measures have become a common class action target. Increasingly, consumers have also sued companies in a wide range of industries for alleged BIPA violations.
With the recent flood of BIPA claims, disputes over BIPA-related insurance coverage are also on the rise and are growing in complexity and scope. In early January 2019, for example, an insurer filed suit in Illinois state court arguing that it has no duty under a commercial general liability policy to defend or indemnify its policyholder – a grocery chain – in an underlying biometric privacy suit.⁴
What Can You Do?
Be Proactive & Assess Compliance Risks
- Ask whether your company collects or uses any of the following, either internally or in client services or products:
  - retina or iris scans
  - scans of hand or face geometry
- If your business collects or uses any of the above, BIPA’s notice, consent, and data retention requirements may apply to you. (See Compliance Checklist.)
- Note: Despite BIPA’s exclusion of photographs, a number of putative class actions have been filed based on the collection and storage of photographs.
Check Your Insurance Coverage
- In addition to evaluating BIPA compliance, your company should also review its insurance policies to make sure BIPA suits are covered.
- Companies should consider:
  - Cyber Liability: Cyber liability insures your company against data breaches, hacks, and other intrusions. In this context, it is important to know how your policy defines “confidential information.” Your policy’s definition may not clearly include biometric data or may exclude coverage for unauthorized activity.
  - Commercial General Liability: Among other things, CGL policies insure against damages stemming from “personal and advertising injury.” Particularly if issued within the last few years, CGL policies often have a wide range of exclusions that could apply to biometric data and misuse of such data.
  - Employment Practices Liability: EPLI policies are not standard, but most are drafted to cover workplace “wrongful acts,” including invasions of privacy under certain definitions. It is important to ensure that your EPLI policy is broad enough to cover BIPA claims and to read the exclusions carefully to ensure that the policy is not carving out BIPA liability.
  - Media Liability: Certain media companies may have a media liability policy, which covers specific categories of wrongful acts, such as invasion of privacy. The policy’s standard definition of invasion of privacy may not be broad enough to cover claims brought under BIPA.
- Additionally, at the first sign of a BIPA violation or lawsuit, companies should alert their insurance providers to ensure that if coverage is available, the insurer is on notice.
We Can Help You
If you are concerned that BIPA’s reach could impact your business and you would like assistance in reviewing your company’s BIPA exposure, implementing a compliance plan, or determining your insurance coverage, or if you would like help notifying and dealing with your insurer about a possible BIPA issue, please contact us.
1 Illinois Biometric Information Privacy Act, 740 ILCS 14/1 et seq.
2 While biometric identifiers and biometric information are defined separately under BIPA, for simplicity, we refer to both collectively as “biometric information.”
3 Rosenbach v. Six Flags Entm't Corp., 2019 IL 123186.
4 Westfield Insurance Co. v. Caputo's New Farm Produce Inc., 2019-CH-00232 (Cook County).