Companies that have settled lawsuits for millions of dollars under the Illinois Biometric Privacy Act are now having to battle their insurance providers to get their costs reimbursed.

Facebook agreed to pay $650 million in 2021 to settle a class action lawsuit alleging that the app violated the state’s biometric privacy law by using facial recognition technology until November 2021. In similar cases, Google agreed to pay $100 million, TikTok $92 million and Snapchat $35 million.

The law has become a magnet for lawsuits because it allows a private right of action and has a five-year statute of limitations. What’s more, courts have found violations of BIPA occur with every collection or scan of biometric data that people haven’t consented to without plaintiffs having to show harm.

The way the law is structured makes BIPA one of the most aggressive privacy statutes in the country and “there are huge amounts of money at issue,” Michael J. O’Malley, a partner in the Chicago office of Wilson Elser, said.

That’s especially worrisome for companies that use biometric data, such as employee fingerprints and hand scans, to track employees’ time and attendance in the workplace.

Since Illinois enacted BIPA in 2008, a number of other states have started looking at passing their own laws.

BIPA coverage disputes

The situation has become more fraught for companies because of court decisions that have created a confusing and contradictory body of case law applying to insurance coverage for BIPA claims.

State and federal courts have staked out different positions on whether insurance companies should provide coverage for lawsuits alleging BIPA violations.

The U.S. Court of Appeals for the 7th Circuit, for example, issued an opinion finding that a standard insurance exclusion covering violation of statutes did not bar coverage. As a result, the court said, insurance companies must provide a defense to insureds facing BIPA violation claims. However, shortly after that ruling, an Illinois appellate court issued a decision recognizing the 7th Circuit’s opinion but held the opposite – that the exclusion barred coverage for BIPA lawsuits. Experts expect the insurance coverage dispute to be taken up by the Illinois high court.

The legal decisions have led to uncertainty over who will pay for the millions of dollars at stake in resolving the lawsuits.

Policy exclusions

Companies usually make claims under the personal and advertising injury subpart of their commercial general liability policies. CGL insurance is intended to provide coverage to businesses for bodily injury, personal injury and property damage caused by the business’s operations or products, or injuries that occur on the business’s premises. It’s a fundamental protection for companies against the financial costs of lawsuits and claims arising from their daily activities, insurance specialists say.

Advertising injury coverage is a component of the policies. Advertising injury protection typically includes protection against legal liabilities and claims related to violations of privacy, among other things.

A lot of privacy law violations fall under the “advertising injury” part of CGL policies because it has a subpart that relates to privacy violations, said Cort Malone, a shareholder in the New York office of Anderson Kill. Malone represents policyholders.

“But insurance companies have cited a number of exclusions, including violation of statutes, with mixed success. More often than not, insurers haven’t succeeded,” Malone said.

“The fact that multiple courts have reached different conclusions when considering the same policy exclusions shows the insurance terms are ambiguous and should be read in favor of coverage,” legal experts say.

“The basic rule of insurance policy construction is that if an insurer is trying to rely on policy language to get out of coverage, any language ambiguity should be resolved in favor of the insured, particularly when the ambiguity is within an exclusion,” Malone said.

Compliance best practices

“To better protect themselves from a lengthy battle with their insurer, companies should learn BIPA and make compliance a priority. It’s not hard to comply,” lawyers say.

The Illinois law requires companies that collect biometric data to obtain written consent from employees and customers and develop a written policy about its collection, retention, and destruction. The statute calls for $1,000 per violation for each negligent violation and $5,000 for each reckless or intentional violation. In-house counsel should make sure that consent is obtained before the collection of the data and that disclosures are in place.

However, with a five-year statute of limitations, a company can be in compliance for several years and still face liability for violations that happened years ago.

Lawyers recommend companies pay close attention to coverage language and exclusions when policies come up for renewal or when seeking a new policy.

Because of the mixed results in courts, insurers have started adding exclusionary language to their policies to exempt privacy-based claims based on individual information, or they specify statutes that won’t be covered, according to Malone.

For that reason, when insurance policies come up for renewal or when companies are shopping for a new policy, in-house counsel should pay attention to exclusions.

“Companies that have abandoned the use of biometrics and gone back to timecards could probably live with privacy-related exclusions,” Malone said.

Companies that continue to use biometrics can still get coverage but they can expect to pay higher costs upfront. “You can get almost anything insured if you are willing to pay a high enough premium,” Malone said.

He likened it to asbestos. Several years ago, when asbestos exclusions started to become prevalent in insurance policies, companies could still buy coverage, but it was expensive and harder to find. 

Malone recommended in-house counsel seek out brokers to determine who’s offering coverage. But don’t let a broker get away with saying that they’ve obtained a policy renewal that has a “few exclusions” – this could lead to a company holding the bag if lawsuits occur, he said. 

“Nor is it the end of the discussion if a company gets an initial denial or is told an exclusion precludes coverage,” Malone said. 

There have been cases where a simple letter response from lawyers has gotten the insurance company to reverse its position and “put real money on the table to help pay for these liabilities,” he said.

More rulings to come

Meanwhile, more rulings could further scramble the picture. A panel of federal appellate judges on January 17 heard arguments in a BIPA case where the insurance company argued that its policies exempted coverage for BIPA violations. 

Attorneys are hoping that the Illinois high court will weigh in. It is considering taking a case decided late last year in which the appeals court found that insurers did not have a duty to defend their policyholder for a BIPA claim based upon the violation of law exclusion in the general liability policy.

Given the big penalties companies are facing, Illinois lawmakers are considering legislation to clarify aspects of the law and limit recovery for BIPA violations, in part by changing the definition of what constitutes a single violation. The bill wouldn’t completely clarify the picture but it could curb some of the amounts involved.