United States: The rising specter of BIPA claims in Illinois

Over the past five years, approximately 1,500 lawsuits have been filed asserting claims under Illinois' Biometric Information Privacy Act ("BIPA"). At its most basic, BIPA sets forth regulations for the collection, use, and handling of biometric identifiers (e.g., retina or iris scans, fingerprints, voiceprints, or scans of hand or face geometry) and information by private entities doing business in the State of Illinois, which includes requiring (1) timely destruction of biometric identifiers and keeping public records thereof, (2) consent from individuals, if the entity intends to collect or disclose personal biometric identifiers, and (3) secure storage of biometric identifiers. 740 ILCS 14/15. BIPA provides a private right of action to any individual aggrieved by a violation and, significantly, the Illinois Supreme Court determined that a plaintiff need not show actual harm in order to have standing to bring a suit under BIPA. See Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186.

Several large BIPA class actions have recently been settled for extraordinary numbers (including some for hundreds of millions) and, in October 2022, the first jury trial resulted in a $228 million verdict (however this verdict has recently been vacated and a new trial on damages was ordered since the presiding federal judge pointed out that in Cothron v. White Castle, the Illinois Supreme Court determined damages under BIPA are discretionary). Due to these successes, it is likely that the filing of BIPA lawsuits will continue at a brisk pace.

Also of significance, the Illinois Supreme Court recently handed down two consequential BIPA decisions.

First, in Tims v. Black Horse Carriers, Inc., 2023 IL 127801, the question was whether a 5-year or 1-year statute of limitations applied with respect to violations of BIPA sections 15(c) (prohibiting an entity's ability to sell or profit from a person's biometrics) and 15(d) (prohibiting the disclosure and dissemination of biometric data). The Illinois Supreme Court determined that a 5-year statute of limitation applied as to all violations under BIPA.

Second, in Cothron v. White Castle System, Inc., 2023 IL 128004, the Illinois Supreme Court addressed a question certified to it from the Seventh Circuit – whether BIPA claims arising from sections 15(b) and 15(d) accrued each time biometric identifiers were collected or disseminated instead of only once on first scan and first transmission. After closely examining the pertinent statutory language, the Illinois Supreme Court concluded the plain language of sections 15(b) and 15(d) demonstrated that such violations occur with every scan and transmission.

The combined import of these high-profile decisions will likely make the filing of BIPA claims even more enticing. For instance, in Cothron, it was estimated that the damages levied against White Castle could exceed $17 billion.

In light of these latest developments, insurers should be keeping an eye out for risks that may implicate BIPA claims because the leading coverage case from the Illinois Supreme Court on this issue determined that certain BIPA violations constitute "personal and advertising injury" on the basis that such alleged activities involve "oral or written publication . . . of matter[s] that violate[] a person's right of privacy" – one of the delineated offenses covered under Coverage Part B of most commercial general liability (CGL) policies. See West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978 (2021). In addition, the Illinois Supreme Court in Krishna determined the Violation of Statutes that Govern E-Mails, Fax, Phone Calls or Other Methods of Sending Material or Information Exclusion ("Violation of Statutes Exclusion") in the policy before it did not apply to preclude coverage on the basis that BIPA was dissimilar to the statutes described in the Violation of Statutes Exclusion.

Since the ruling in Krishna, over a dozen decisions have been handed down by Illinois federal courts regarding coverage for BIPA claims under CGL policies. Notably, the decisions have generally focused on the application of the Employment Related Practices Exclusion ("ERP Exclusion"); the Violation of Law Exclusion (which is different from the Violation of Statutes Exclusion); and the Access or Disclosure of Personal Information Exclusion ("Access or Disclosure Exclusion"). The decisions issued on the heels of Krishna in the beginning of 2022 were largely in favor of policyholders but a trend of decisions favorable to insurers did develop. However, the insurer-friendly trend may have been substantially blunted by recent decisions, at least with respect to the Violation of Law Exclusion.

While courts had begun to uphold the application of the Violation of Law Exclusion in the BIPA context, a recent Seventh Circuit decision concluded it did not apply on the ground that it was ambiguous. Citizens Ins. Co. of Am. v. Wynndalco Enters., LLC, 70 F.4th 987 (7th Cir. 2023). At bottom, the Violation of Law Exclusion can no longer be relied upon by insurers in Illinois federal courts.

Up until recently, courts applying Illinois law had been receptive to arguments by insurers that coverage for BIPA claims is precluded by the operation of the Access or Disclosure Exclusion, which precludes coverage for unauthorized access or disclosure of confidential or personal information. In particular, Illinois courts have on several occasions determined that biometric data unambiguously falls within the scope of the exclusion, thereby barring coverage for BIPA claims. See Thermoflex Waukegan, LLC v. Mitsui Sumitomo Ins. USA, Inc., 595 F. Supp. 3d 677 (N.D. Ill. 2022); Cont'l Western Ins. Co. v. Cheese Merchants of Am., LLC, 631 F. Supp. 3d 503 (N.D. Ill. 2022); Am. Family Mut., Ins. Co. v. Carnagio Enters., 2022 WL 952533 (N.D. Ill. Mar. 30, 2022). However, the persuasiveness of these decisions may be in jeopardy since recent decisions, which relied heavily on the Seventh Circuit's reasoning in Wynndalco, concluded the Access or Disclosure Exclusion was inapplicable due to its purported ambiguity. See Citizens Ins. Co. of Am. v. Mullins Food Prods., Inc., 2023 WL 4865006 (N.D. Ill. July 31, 2023); Soc'y Ins. v. Cermak Produce No. 11, Inc., 2023 WL 4817667 (N.D. Ill. July 27, 2023); Cont'l Western Ins. Co. v. Tony's Finer Foods No. 6, Inc., 2023 WL 4351469 (N.D. Ill. July 5, 2023). It remains to be seen whether other courts will adopt the reasoning in these decisions as to the interpretation of the Access or Disclosure Exclusion.

With respect to the ERP Exclusion, it appears that the current weight of available decisions suggests that courts applying Illinois law may determine that the exclusion does not bar coverage for BIPA claims. It should also be noted that the ERP Exclusion would only conceivably apply in circumstances where the BIPA claim is being brought by an employee of the policyholder. Even in that scenario, Illinois courts have generally concluded that violations of BIPA do not constitute conduct normally excluded by the ERP Exclusion.

Comment

The takeaway for insurers is that they should be prepared to address biometric privacy claims in the future, not just in Illinois, but also in other jurisdictions since other states are considering the enactment of legislation similar to the Illinois' Biometric Information Privacy Act. As discussed above, insurers have had mixed success in persuading Illinois courts that certain exclusions contained in CGL policies, in particular the Access or Disclosure Exclusion and the Violation of Law Exclusion, bar coverage for such claims.