The Biometric Information Privacy Act
Biometric measure a person’s physical characteristics, such as a retina/iris scan, fingerprint, voiceprint or scan of hand or face, to verify their identity. The Biometric Information Privacy Act (BIPA), which was passed in Illinois in 2008, requires biometric measures to be collected, retained, disclosed and destroyed in a particular fashion. Disclosure1
This act has become more relevant following a $650 million settlement in Illinois. According to Fox Business News, Disclosure2 the settlement arose from a class action lawsuit against Facebook alleging violations of the Illinois BIPA laws. The basis of the suit was Facebook’s use of automatic photo recognition technology without user consent from 2015 to September of 2019 when they updated their policies.
In 2019, an Illinois Supreme Court ruling in Rosenbach v. Six Flags Disclosure3 found there need not be any physical damages suffered, just a violation of the act in order for a plaintiff to be eligible to collect damages. The act allows a claim of $5,000 for each violation of unlawful collection, storage, and disposal of data (meaning, each biometric captured per person).
With changes in technology and operating procedures, and the ongoing pandemic, could temperature checks be considered a part of this act? Since temperature check data is not collected or shared, it seems to fall outside of the area of concern at this time. However, for more information on the subject of temperature checks and how it may fall under BIPA, The Best Practices portion of a JD Supra article titled “The Growing Number of Biometric Privacy Laws and the Post-COVID Consumer Class Action Risks for Business” Disclosure4 provides helpful suggestions in navigating these waters.
Though this act was unique to Illinois, Texas and Washington, many states have implemented similar acts. California and Oregon added one on January 1, 2020, and New York added a version called the SHIELD Act in March 2020. Other states have proposed legislation that has failed to advance; however, there is activity pending in several states, and more is expected following the Facebook case. We anticipate plaintiff attorneys to continue to look for violations in an effort to seek settlements.
A majority of carriers have resisted coverage for violations of the BIPA Act, citing no physical damages to trigger the policy. The lack of coverage may leave clients exposed.
McGriff Risk Solutions was approached to assist a client with a new suit arising from an alleged violation of BIPA. Upon researching coverage, the following facts were noted:
Keep in mind that while coverage may be available from some carriers, it is important to ensure that the biometrics exclusion is removed and coverage for indemnity and defense coverage is provided.
An awareness of these risks is especially important for clients doing business in states that have biometric laws in place. We recommend all clients that collect biometric data to be aware of the potential exposure. In addition, ask your HR and legal teams about the potential of adding an addendum or inclusion in the employee handbook specifically addressing collection of data and how it is used and/or shared. The handbook should reference that the following conditions of employment exist and require a signed acknowledgment and agreement by the employee to include requirements of BIPA, stating:
Proper documentation could provide a viable defense or mitigate exposure to allegations of a BIPA violation against your company if legislation is passed in the states in which you operate. Documentation is key. In the case of Miracle-Pond v. Shutterfly, Shutterfly was able to prove they had proper documentation and had unilaterally modified their terms of use with proper notice to users. This led to a successful defense and dismissal when they were sued for a violation of the BIPA law in 2019.
As more states adapt regulation around the Biometric Information Privacy Act, it’s important to be aware of how those changes could affect your business. Legal questions should be addressed by your legal counsel. For questions on insurance coverage and the BIPA Act, reach out to your McGriff team to make sure you're protected.