Biometric Data Privacy Laws: Traps for the Unwary
Over the past decade, a handful of states have enacted legislation that addresses the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers, which include fingerprints, retina and iris scans, voiceprints, and facial and hand scans. The purpose of the legislation is to protect individuals from the unconsented use or disclosure of their personal biometric information, such as fingerprints, which are routinely used by employers to track an employee's working time. The protections afforded by this type of legislation have come either by way of specific statutes, such as the Illinois Biometric Information Privacy Act (BIPA), or as adjunct provisions to existing laws, such as the California Consumer Privacy Act (CCPA), whose biometric provisions went into effect this year. These statutes may well lead to expanded litigation, as has occurred with BIPA.
Illinois was the first state to enact such legislation. Unlike similar statutes enacted since then, BIPA provides for a private right of action. While there can be actual damage in the misuse of biometric data – for example, when a fingerprint database is hacked, breached, or exposed, such that there is a risk or occurrence of identity theft or unauthorized tracking – no actual damage is required to prove a BIPA violation. A mere technical violation of BIPA is sufficient to state a claim, so businesses can have significant exposure if the legal restrictions on biometric identifiers are not properly handled. Illinois’ private right of action has led to the filing of countless lawsuits, typically class actions, because BIPA provides statutory damages of $1,000 per negligent violation and $5,000 per reckless violation, plus recovery of attorney’s fees and costs. As such, BIPA litigation in Illinois is thriving – generating numerous cases for the plaintiffs’ bar.
The extent to which other states or Congress will follow suit is uncertain. Texas and Washington, whose statutes are modeled after BIPA, both lack BIPA’s private right of action. Florida is considering enacting the Florida Biometric Information Privacy Act (FBIPA), which would provide a private right of action for technical violations; Floridians would not need to suffer actual damages to recover for violations of the FBIPA. Last year, a bill was introduced in Congress, known as “The Commercial Facial Recognition Act of 2019,” which is intended by its express language to “prohibit certain entities from using facial recognition technology to identify or track an end user without obtaining the affirmative consent of the end user, and for other purposes.” While this bill does not contemplate a private right of action, the continued attention of the legislature to statutes, or amendments to existing laws, that address the recording, collection and use of biometric identifiers only increases the risk that continued exposure may well be created by this “biometric movement.”
Best Biometric Practices
Businesses that use biometric data in their operations, whether to track employee working time or performance, should, regardless of applicable law, follow several "best practices," as gathered from existing and proposed legislation and from lawsuits:
- Determine whether biometric identifiers, or the collection, recording or use thereof, are necessary for your business. While this is a fundamental question, there are many alternatives to replacing long-standing practices with biometric identifiers, particularly in the employment context, which is the hotbed of informed consent litigation under biometric laws, as discussed above.
- If the determination is to use technology tied to biometric identifiers, or to continue such practices, then ensure advance notice to all affected persons and obtain their written and informed consent. In so doing, ensure your business understands the lay of the land as to the use of biometric identifiers in your state, and otherwise work with your biometric vendor to ensure full and informed consent.
- Ensure that any policy and consent is in writing and consistent with not only the use of biometric identifiers in your state, but best practices based on worst case scenarios, such as the BIPA requirements and limitations.
- Ensure that your business’ policies tie out to the foregoing best practices, but avoid policy statements that could be used by insurers to invalidate coverage – an issue discussed below.
- Ensure that any policy, and any biometric form releases, consents, or other documents comport with the global law on the subject.
- Obtain properly informed consent from any individual, including those who may be subject to any law dealing with biometric identifiers and provide an opportunity for the individual to opt out – not to mention a real alternative to such use.
- Consult with your counsel on the use of, policies regarding, and implementation of any practice or program that involves the use of biometric identifiers.
Is my Business Covered by Insurance for Alleged Biometric Legal Violations?
Many companies that have been sued for BIPA or other biometric statutory violations take comfort in the fact that their insurance company will defend, and possibly indemnify, them in such suits. Insurance policies are liberally construed by courts in favor of the insured and of coverage: an insurer may not justifiably refuse to defend an action against its insured unless it is clear from the face of the underlying complaint that the allegations fail to state facts that bring the case within, or potentially within, the coverage provisions. Further, an insurer's duty to defend is much broader than its duty to indemnify. Oftentimes, an insurer will defend a case under a “reservation of rights” but still resolve the case if the price is right.
More particularly, insureds should investigate coverage, typically through their broker or counsel, and, to be on the safe side, “tender” the claim – present it to their insurers. If the claim is covered, that is good news; if it is denied, then it makes sense to have experienced coverage counsel review the denial. Most policies that cover BIPA and similar claims are general commercial liability policies, typically under a property damage theory, as a personal or advertising injury, or as a privacy invasion under "EPLI" (employment practices liability insurance). Insurance coverage may also exist under cybercrime or media liability policies or provisions, as they too often cover claims of privacy invasion – the nature of the damages of a biometric statutory violation, but importantly not necessarily the source of the claim (i.e., an informed consent violation). One key to cyber liability coverage lies in the definition of confidential information, as it may cover personal identification information, such as biometric identifiers.
If your business happens to end up with coverage for a BIPA or biometric claim, especially a class action claim, it is important to determine whether you have the right to select your own counsel – either under the policy itself or under the law, where a conflict might exist that would trigger an insured’s right to independent counsel at the expense of the carrier. Whether insurance coverage exists will be determined in large part, if not exclusively, by the factual allegations in the underlying complaint. However, insurers have become wise to biometric claims, especially those under BIPA, and may contest coverage, potentially creating significant defense costs and/or liability exposure.
As such, insureds should know that many insurance companies are turning to policy exclusions to deny any obligation to defend or indemnify biometric claims. Several lawsuits are currently pending to fight out this coverage war. Typically, when an insurance company has not specifically excluded a type of claim, there is almost a legal presumption that it is covered and not blocked by an exclusion. Courts do not like exclusions in insurance policies, so the law is stacked in favor of the insured: exclusions are interpreted liberally in favor of the insured and construed narrowly in favor of coverage, any exclusion must be clear and free from doubt, and any ambiguity in an exclusionary provision is construed most strongly against the insurer. Nonetheless, several exclusions exist in general liability insurance policies under which insurers are seeking refuge from biometric claim coverage obligations:
- The Recording and Distribution of Material in Violation of Law exclusion: this exclusion is designed to avoid specific statutory claims, such as claims under the Telephone Consumer Protection Act. BIPA is not one of the enumerated statutes.
- The Access or Disclosure of Confidential or Personal Information and Data-Related Liability – With Limited Bodily Injury Exception exclusion: this exclusion seeks to avoid claims of injury arising out of any access to or disclosure of any person's or organization's confidential or personal information, but the nature of a BIPA injury (failure to inform or obtain consent) does not arise out of the access to or disclosure of confidential information.
- The Employment-Related Practices exclusion (for insureds without EPLI coverage): this exclusion is typically aimed at the refusal to employ or an employment termination, but it has a catch-all that references the employment kitchen sink. Under the legal rules of contract construction and of insurance exclusions, this exclusion should not be effective for insurance companies to deny coverage.
- The Privacy Law Violations exclusion: this exclusion is for injury “arising directly or indirectly out of any action or omission that violates or alleges to violate any ordinances, statute or law pertaining to a person’s right of privacy (except common law violation of a person’s right to privacy).” While at first read this exclusion could be problematic, BIPA is not a law governing privacy rights (unlike, for example, the CCPA) but an informed consent statute, such that giving credence to this exclusion would swallow the entirety of the affirmative coverage provisions in general liability policies, which (as argued) is not what was intended by the insurer (or the insured), leading to an ambiguous and absurd construct. A majority view is that this exclusion may not garner much attention from the courts.
- The Knowing Violation of Rights of Another exclusion: this exclusion is based on “personal and advertising injury caused by or at the direction of the insured with the knowledge that the act would violate the rights of another and would inflict personal and advertising injury.” This exclusion is not regularly cited, as it is intended to address intentional acts, and many BIPA violations, as noted, can be found to be negligent.
Ultimately, there is no exclusion that we have seen specifically for a claim based on the improper treatment of the use of biometric identifiers, yet employers should understand the risks of such claims and seek either to obtain coverage for such suits or to recognize that there is a not insignificant risk that BIPA (or similar) claims may not be covered by their insurance policies. Regardless, best practices should be followed in handling biometric identifiers.