Collecting Biometric Data? Liability May Be Greater Than You Think

The Illinois General Assembly enacted the Biometric Information Privacy Act, 740 ILCS 14/1 et seq., in 2008.[1] It was the first state law pertaining to biometrics and privacy, and it requires strict compliance. Known as the BIPA, it has more recently emerged as the next battlefront for class-action lawyers. As other states like Texas and Washington have begun to pass statutes patterned on the Illinois BIPA,[2] it is important for insurance professionals to be aware of the requirements, key issues, and exclusions so that they can decide the best course of action.


Section 15 of the Illinois BIPA requires private entities in possession of biometric information to develop a written policy for the retention and destruction of that information, and to obtain informed written consent before collecting such information from a person.

  • Section 20 provides a private cause of action for persons “aggrieved by a violation of this Act.” Defendants may be liable for liquidated damages of $1,000 for each negligent violation and $5,000 for each intentional or reckless violation, plus reasonable attorney fees.

Key Issues

The wave of BIPA class action suits is too recent for any declaratory judgment actions to have reached published decisions on whether an insurer owes coverage for BIPA claims. The key issue will likely be whether a BIPA claim alleges covered “personal and advertising injury.”

  • Under standard policy forms, this coverage includes torts such as publication of material that violates a person’s right of privacy.
  • Not every BIPA suit will involve actual “publication,” but based on some facts, a court might conclude that an alleged violation of the BIPA infringes a privacy right.

However, even if a court were to find that an Illinois BIPA claim comes within the policy’s insuring agreement, several exclusions could apply, depending on the facts of the case and the policy terms. Such exclusions may include, but are not limited to:

  • Catch-all language in exclusions for “personal and advertising injury” arising out of statutes like the TCPA that govern the collection and distribution of material or information
  • Exclusions that apply to liability for risks like data breaches, based on access to or disclosure of confidential or personal information
  • Manuscript endorsements specifically excluding claims arising from the collection, possession, storage, use, transmission, disclosure, or destruction of biometric identifiers or biometric information as defined in the Act, or from related practices and policies
  • In cases of intentional or reckless conduct, exclusions for “personal and advertising injury” caused with the knowledge that it would violate the rights of another (in some states, multiple damages may also be uninsurable as a matter of public policy)
  • In the case of class actions brought by employees (based on the use of biometric timeclocks at, e.g., hotels, restaurants, grocery stores, or airlines), exclusions for employment-related practices, policies, acts, or omissions
  • If a policy covers employment-related practices, the insurer may still have an exclusion for statutory claims other than claims for alleged discrimination

Final Thoughts

If an insured desires coverage for collecting biometric data and an insurer is willing to cover it, the broker, insurer, and insured should agree on the terms of an endorsement specifically granting BIPA coverage, to show that they do not intend for the exclusions mentioned here to apply to such risks.

Pricing will depend on factors such as whether this coverage is subject to a sublimit, applies above a deductible, or is eroded by defense costs. As class actions often present the potential for large exposures, all parties have an interest in making the scope and limits of coverage as clear as possible.