United States: Analysis: Will Personal And Advertising Injury Extend To Claims Under Illinois' Biometric Information Privacy Act?

(September 2019) - A three-judge panel of the Ninth Circuit U.S. Court of Appeals recently held that Illinois Facebook users may bring claims for privacy violations under state law for the use and storage of biometric information on the company's platforms and servers. Patel v. Facebook, 18-15982, (9th Cir. Aug. 8, 2019). Three Illinois residents allege that "face templates" of them were created and used by Facebook without sufficient notice, agreement, and protection under the Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14/15.

The court affirmed a class of "Facebook users located in Illinois for whom Facebook created and stored a face template after June 7, 2011." Patel, at *10; Fed.R.Civ.P. 23(f); 28 U.S.C. § 1292. The size of this class is not currently clear, but it is expected to number in the millions. The costs of a class action defense of this magnitude will be substantial, while the potential indemnity exposure is in the billions of dollars. The ruling may give rise to coverage issues.

Illinois courts have addressed coverage for similar class actions involving alleged violations of privacy under the Telephone Consumer Protection Act (TCPA) and other similar statutory regimes. See Valley Forge Ins. Co. v. Swiderski, 223 Ill.2d 352 (2006). In some fact patterns, there may be a potential for property damage, but the coverage most likely to be implicated is for personal and/or advertising injury claims or offenses. Given how the Illinois Supreme Court handled coverage questions for TCPA claims, BIPA claims are likely to fall within the coverage grants for personal and/or advertising injury. Ultimately, coverage questions will likely turn on the industry's exclusions for certain statutory claims.

BIPA

BIPA was enacted in Illinois in 2008 to regulate the collection and storage of biometric information by private entities. The law provides that no private entity may collect, store, or use biometric information without notice to and written release or consent from the subject. 740 ILCS 14/15. More particularly, BIPA provides that:

(a) A private entity in possession of [biometric information] must develop a written policy...establishing a retention schedule and guidelines for permanently destroying biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual's last interaction with the private entity, whichever occurs first....

(b) No private entity may collect, capture, purchase, receive through trade, or otherwise obtain [biometric information], unless it first:

(1) informs the subject...the information is being collected or stored;

(2) informs the subject...in writing of the specific purpose and length of term...and

(3) receives a written release....

(c) No private entity in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise profit [from biometric information].

(d) No private entity in possession of a biometric information may disclose, redisclose, or otherwise disseminate [it] unless:

(1) the subject of the biometric information...consents to the disclosure or redisclosure;

(2) the disclosure or redisclosure completes a financial transaction requested or authorized...;

(3) the disclosure or redisclosure is required by State or federal law or municipal ordinance; ....

740 ILCS 14/15. The Act also provides that a private entity must "store, transmit, and protect" biometric information using "the reasonable standard of care" in the industry. Id., 14/15(e).

In Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, the court held that plaintiffs have a claim for damages if their right to consent and secure biometric information has been violated. The court reasoned that the legislature determined that violations constituted an invasion of privacy, and that "real and significant" damage occurs with the taking and retention of such data. Id.  at ¶34. Other than a right of private action, there is no other enforcement mechanism and "to require individuals to wait until they have sustained some compensable injury" beyond violation of the statutory rights would be "antithetical to the Act's preventative and deterrent purposes." Id. at ¶37. It is not necessary to allege consequential damage.

BIPA statutory damages are $1,000 for each negligent violation, $5,000 for each reckless or intentional violation, or actual damages plus attorneys' fees. 740 ILCS 14/20(1). On January 25, 2019, the Illinois Supreme Court held that individuals do not need to allege they were actually harmed by a violation of BIPA to seek liquidated damages and injunctive relief under the Act. Rosenbach, supra.

As in Rosenbach, the Patel decision supports the conclusion that BIPA is inherently a statutory scheme to protect privacy. The plaintiffs alleged BIPA violations occurred when biometric material was collected, stored, and used without prior written release or agreement after Facebook launched its "Tag Suggestions" feature in 2010. The Ninth Circuit reviewed common law privacy interests and constitutionally protected "zones of privacy" in finding that "an invasion of an individual's biometric privacy rights has a 'close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts'" in order to find a concrete and particularized injury for Article III standing. Id., at *16, citing Spokeo, Inc. v. Robins, 136 S.Ct. 1540 (2015)(rights under Fair Credit Report Act, 15 U.S.C. §1681). The court reasoned that the statutory provisions were established to protect "concrete interests" as opposed to procedural rights, and that the alleged violations at least threatened harm to those concrete interests. While the court viewed a photograph alone as inoffensive, it concluded that it could be used to generate "biometric material" when scanned to generate facial geometry identifiers. Id. at * 8, fn.4.

The Swiderski Analysis as to the TCPA.

Like BIPA, the TCPA is a statute that is designed to protect individuals from unwanted invasions of privacy. In Swiderski that invasion came in the minimal form of an unwanted fax. The insureds and claimants (who were often represented by their own coverage counsel) argued that the claims were of personal and advertising injury. Such coverage is typically offense based. One of the covered offenses is typically an offense of electronic, oral, written or other publication of material that violates a person's right of privacy.

The Illinois Supreme Court held that receipt of an unwanted fax was a claim that material was published to the recipient, and that the receipt was an invasion of a privacy interest in seclusion. Valley Forge Ins. Co. v. Swiderski, 223 Ill.2d 352 (2006). The case involved a private business conducting blast-fax advertising. The policy at issue extended coverage for an "[o]ral or written publication, in any manner, of material that violates a person's right to privacy." Id. at 354. The Swiderski court reasoned that the essence of a TCPA claim was a potentially covered invasion of privacy. Id. at 365.

In the TCPA context, a blast fax would appear to be a clear "publication." The BIPA paradigm may be different. The term "publication" is not defined in the ISO policy form. Litigation of coverage as to TCPA claims may be instructive in determining what constitutes a "publication". In Swiderski, the court held that the required element of "publication" for coverage to attach was met by the transmission over telephone lines and faxing of advertisements, and "[t]he offering or distribution of copies of a work to the public" or to another. Id. at 367, quoting, Black's Law Dictionary 1264 (8th ed. 2004). There is an argument that the term "publication" may mean nothing more than communication of the information to a customer of the defendant or a vendor to the defendant rather than a publication to consumers, other facebook users, or the like. Integrated Genomics, Inc. v. Gerngross, 636 F.3d 853, 862 (7th Cir. 2010).

After Swiderski, the Illinois Supreme Court held that the TCPA statutory scheme is remedial and an award of damages is not punitive nor does it require showing recklessness or malice. As such, the remedy constitutes "damages" under a GL policy. Standard Mut. Ins. Co. v. Lay, 2013 IL 114617. The court held that the assessment of damages was remedial for the invasion of privacy and not a penal award. The damages were intended to incentivize a change in conduct—to comply with the law and serve more than a purely punitive or deterrent goals. The court concluded that "the manifest purpose of the TCPA is remedial not penal." Id. at ¶30.

Underwriting in Light of the TCPA.

Following the growth and costs of defending class action TCPA lawsuits, insurers nationally moved to drafting exclusions for certain statutory claims. As an example, in Zurich Am. Ins. Co. v. Ocwen Fin. Corp., 357 F.Supp.3d 659 (N.D. Ill. 2018), the policy excluded coverage for claims directly or indirectly arising out of or based upon any action or omission that violates or is alleged to violate:

(1) The [TCPA], including any amendment or addition to such law;

(2) The CAN-SPAM Act of 2003, including any amendment of or addition to such law;

(3) The [FCRA], and any amendment of or addition to such law, including the Fair and Accurate Credit Transaction Act (FACTA); or

(4) Any federal, state or local statute, ordinance or regulation, other than the TCPA, CAN-SPAM Act or 2003 or FCRA and their amendments and additions, or any other legal liability, at common law or otherwise, that addresses, prohibits, or limits the printing, dissemination, disposal, collecting, recording, use of, sending, transmitting, communicating or distribution of material or information.

The court found the above exclusion to be clear and unambiguous as to claims under the TCPA. See also G.M. Sign, Inc. v. State Farm Fire & Casualty Co., 2014 IL App (2d) 130593 (court denied coverage for the claims based on TCPA and related claims exclusion despite effort to include non-TCPA claims based on same facts); Regents Ins. Co. v. Integrated Pain Mgt., 2016 U.S. Dist. Lexis 148855 (E.D. Mo. 2016)(applying Illinois law).

In Ocwen, the court upheld a violation of law exclusion against TCPA and Fair Debt Collection Act violations, defamation and invasion of privacy claims. Other courts have also enforced the TCPA exclusions. Emcasco Ins. Co. v. CE Design, Inc., 784 F.3d 1371 (10th Cir. 2015)(Oklahoma and Illinois law); Travelers Indem. Co. v. Margulis, 2016 U.S. Dist. Lexis 173420 (E.D. Mo. 2016)(Missouri).

Will the TCPA Exclusions Bar Coverage for BIPA?

Insurers may be expected to assert that BIPA is a "state or local statute ... that addresses, prohibits, or limits the printing, dissemination, disposal, collecting, recording, use of, sending, transmitting, communicating or distribution of material or information," and that, as a result, BIPA claims are already being excluded from many policies. The results under cases involving the TCPA strongly suggest that policies with such exclusions may well have no duty as to BIPA class actions.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Similar Articles
Relevancy Powered by MondaqAI
 
In association with
Related Topics
 
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
 
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions