The Biometric Information Privacy Act

What is BIPA?

Biometrics measure a person’s physical characteristics, such as a retina/iris scan, fingerprint, voiceprint or scan of hand or face, to verify their identity. The Biometric Information Privacy Act (BIPA), which was passed in Illinois in 2008, requires biometric measures to be collected, retained, disclosed and destroyed in a particular fashion.

This act has become more relevant following a $650 million settlement in Illinois. According to Fox Business News, the settlement arose from a class action lawsuit against Facebook alleging violations of the Illinois BIPA laws. The basis of the suit was Facebook’s use of automatic photo recognition technology without user consent from 2015 to September of 2019, when they updated their policies.

In 2019, an Illinois Supreme Court ruling in Rosenbach v. Six Flags found that a plaintiff need not have suffered any physical damages to be eligible to collect damages; a violation of the act is enough. The act allows a claim of $5,000 for each violation of unlawful collection, storage, and disposal of data (meaning, each biometric captured per person).

With changes in technology and operating procedures, and the ongoing pandemic, could temperature checks be considered a part of this act? Since temperature check data is not collected or shared, it seems to fall outside of the area of concern at this time. However, for more information on the subject of temperature checks and how they may fall under BIPA, the Best Practices portion of a JD Supra article titled “The Growing Number of Biometric Privacy Laws and the Post-COVID Consumer Class Action Risks for Business” provides helpful suggestions in navigating these waters.

Why is BIPA important for McGriff clients?

Though this act was unique to Illinois, Texas and Washington, many states have implemented similar acts. California and Oregon added one on January 1, 2020, and New York added a version called the SHIELD Act in March 2020. Other states have proposed legislation that has failed to advance; however, there is activity pending in several states, and more is expected following the Facebook case. We anticipate that plaintiff attorneys will continue to look for violations in an effort to seek settlements.

Is there an insurance policy that would cover a violation of BIPA or a similar act?

A majority of carriers have resisted coverage for violations of the BIPA Act, citing no physical damages to trigger the policy. The lack of coverage may leave clients exposed.

McGriff Risk Solutions was approached to assist a client with a new suit arising from an alleged violation of BIPA. Upon researching coverage, the following facts were noted:

  • The Directors & Officers and General Liability policies contained specific exclusions related to biometric collection.
  • The Cyber policy had specific exclusions; however, there were endorsements providing coverage for defense only as an excess layer.
  • The Employment Practices Liability policy was the most liberal, providing coverage as primary but also limiting it to defense only.

Keep in mind that while coverage may be available from some carriers, it is important to ensure that the biometrics exclusion is removed and that coverage for both indemnity and defense is provided.

What should you do?

An awareness of these risks is especially important for clients doing business in states that have biometric laws in place. We recommend that all clients that collect biometric data be aware of the potential exposure. In addition, ask your HR and legal teams about the potential of adding an addendum or inclusion in the employee handbook specifically addressing collection of data and how it is used and/or shared. The handbook should reference that the following conditions of employment exist and require a signed acknowledgment and agreement by the employee to include requirements of BIPA, stating:

  • Biometric data is being collected.
  • The purpose/reason for the collection of data.
  • The method by which the data is being stored and/or shared.
  • The length of time data is stored and/or shared.
  • The method of data disposal.

Proper documentation could provide a viable defense or mitigate exposure to allegations of a BIPA violation against your company if legislation is passed in the states in which you operate. Documentation is key. In the case of Miracle-Pond v. Shutterfly, Shutterfly was able to prove they had proper documentation and had unilaterally modified their terms of use with proper notice to users. This led to a successful defense and dismissal when they were sued for a violation of the BIPA law in 2019.

As more states adopt regulation around the Biometric Information Privacy Act, it’s important to be aware of how those changes could affect your business. Legal questions should be addressed by your legal counsel. For questions on insurance coverage and the BIPA Act, reach out to your McGriff team to make sure you're protected.