Biometric Data Privacy Laws: Traps for the Unwary



Over the past decade, a handful of states have enacted legislation that addresses the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers, which include fingerprints, retina and iris scans, voiceprints, and facial and hand scans. The purpose of the legislation is to protect individuals from the unconsented use or disclosure of their personal biometric information, such as fingerprints, which are routinely used by employers to track an employee's working time. The protections afforded by this type of legislation have come either by way of specific statutes, such as the Illinois Biometric Information Privacy Act (BIPA), or as adjunct provisions to existing laws, such as the California Consumer Privacy Act (CCPA), where the biometric provisions went into effect this year. These statutes may well lead to expanded litigation, as has occurred with BIPA.

Illinois was the first state to enact such legislation. Unlike similar statutes enacted since then, BIPA provides for a private right of action. While there can be actual damage in the misuse of biometric data – for example, when a fingerprint database is hacked, breached, or exposed, such that there is a risk or occurrence of identity theft or unauthorized tracking – no actual damage is required under BIPA to prove its violation. A mere technical violation of BIPA is sufficient to state a claim, such that businesses can have significant exposure if legal restrictions as to biometric identifiers are not properly handled. Illinois’ private right of action has led to the filing of countless lawsuits, typically class action suits, as BIPA provides statutory remedies of $1,000 (for negligent) and $5,000 (for reckless) violations, per violation, plus recovery of attorney’s fees and costs. As such, BIPA litigation in Illinois is thriving – generating numerous cases for the plaintiffs’ bar.

The extent to which other states or Congress will follow suit is uncertain. Texas and Washington, whose statutes are modeled after BIPA, both lack BIPA’s private right of action. Florida is considering enacting the Florida Biometric Information Privacy Act (FBIPA), which would provide a private right of action for technical violations, where Floridians would not need to suffer actual damages to recover for violations of the FBIPA. Last year, a Bill was introduced in Congress, known as “The Commercial Facial Recognition Act of 2019,” which is intended by its express language to “prohibit certain entities from using facial recognition technology to identify or track an end user without obtaining the affirmative consent of the end user, and for other purposes.” While this Bill does not contemplate a private right of action, the continued attention of the legislature to statutes or amendments to laws that address the recording, collection and use of biometric identifiers only increases the risk that continued exposure may well be created by this “biometric movement.”

Best Biometric Practices

Businesses that utilize biometric data in their operations, whether to track employee working time or performance, should, regardless of applicable law, follow several "best practices," as gathered from existing and proposed legislation, and lawsuits:

Is my Business Covered by Insurance for Alleged Biometric Legal Violations?

Many companies who have been sued for BIPA or other biometric statutory violations take comfort in the fact that their insurance company will defend, and possibly indemnify, them from such suits. Insurance policies are liberally construed by courts in favor of the insured and coverage: an insurer may not justifiably refuse to defend an action against its insured unless it is clear from the face of the underlying complaint that the allegations fail to state facts which bring the case within, or potentially within, coverage provisions. Further, an insurer's duty to defend is much broader than its duty to indemnify. Oftentimes, an insurer will defend a case, under a “reservation of rights,” but still resolve the case, if the price is right.

More particularly, insureds should investigate coverage, typically through their broker or counsel, and “tender” the claim – present it to your insurers, to be on the safe side. If your claim is covered, that is good news; if denied, then it makes sense to have experienced coverage counsel review the denial. Most policies that cover BIPA and similar claims are general commercial liability policies, typically under a property damage theory, as a personal or advertising injury, or as a privacy invasion under "EPLI" (employment practices liability insurance). Insurance coverage may also exist under Cybercrime or Media Liability policies or provisions, as they too often cover claims of privacy invasions – the nature of the damages of a biometric statutory violation, but importantly not necessarily the source of the claim (i.e., an informed consent violation). One key to cyber liability coverage lies in the definition of confidential information, as it may cover personal identification information, like biometric identifiers.

If your business happens to end up with coverage for a BIPA or biometric claim, especially class action claims, it is important to determine if you have rights to select your own counsel – either under the policy itself or under the law where a conflict might exist that would trigger an insured’s right to independent counsel at the expense of the carrier. Whether insurance coverage exists will be determined in large part, if not exclusively, based on the factual allegations in the underlying complaint. However, insurers have become wise to biometric claims, especially those under BIPA, and thus potentially create significant defense costs and/or liability exposure.

As such, insureds should know that many insurance companies are turning to insurance policy exclusions to deny any obligation to defend or indemnify biometric claims. Several lawsuits are currently pending to fight out this coverage war. Typically, when an insurance company has not specifically excluded a type of claim, there is almost a legal presumption that it is covered and not blocked by the exclusion. Courts do not like exclusions in insurance policies, so the law is stacked in favor of the insured. Exclusions are interpreted liberally in favor of the insured and construed narrowly in favor of coverage; any exclusion must be clear and free from doubt, and any ambiguity in exclusionary provisions is construed most strongly against the insurer. Nonetheless, several exclusions exist in general liability insurance policies, under which insurers are seeking refuge from biometric claim coverage obligations:

Ultimately, there is no exclusion that we have seen specifically for a claim based on the improper treatment of the use of biometric identifiers, yet employers should understand the risks of such claims, and seek either to obtain coverage for such suits or know that there is not an insignificant risk that BIPA (or similar) claims may not be covered by their insurance policies. Regardless, best practices should be followed in handling biometric identifiers.
