Illinois’ Biometric Information Privacy Act (“BIPA”) restricts businesses that collect biometric information (e.g., DNA, fingerprints, facial and iris recognition) from disseminating that information. Although BIPA had been in effect for more than a decade, the Illinois Supreme Court’s ruling in Rosenbach v. Six Flags Entertainment Corp., 129 N.E.3d 1197 (Ill. 2019), spawned widespread litigation against companies. In Rosenbach, the court held that a plaintiff may be “aggrieved”, and has standing to sue for statutory damages, without alleging an “actual injury” caused by a BIPA violation. Since then, businesses and insurers have expressed concern about an influx of BIPA claims and how courts would address attendant coverage issues.
On March 20, 2020, an Illinois appellate court issued an opinion regarding CGL coverage for BIPA claims. West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc. et al., — N.E.3d —-, 2020 IL App (1st) 191834 (Ill. App. Ct. 2020). The court held that an insurer must provide a defense in a lawsuit alleging that an insured disclosed a customer’s fingerprints (biometric data) without consent in violation of BIPA.
The insured, a tanning chain franchisee, required customers to scan their fingerprints for identification purposes. The claimant alleged that the insured violated BIPA by disclosing her biometric data to a third-party software vendor. After receiving notice, the insurer agreed to defend under a reservation of rights but simultaneously filed suit seeking a declaration that the policy did not cover the lawsuit.
The court held that the underlying suit alleged a “personal injury”, thus triggering coverage under the policy. “Personal injury” included injury arising out of “oral or written publication of material that violates a person’s right of privacy.” The court observed that the underlying lawsuit alleged that the insured provided the claimant’s biometrics to a third-party vendor. After considering dictionary definitions, the court reasoned that “publication” includes “both the broad sharing of information to multiple recipients . . . and a more limited sharing of information to a single third party.” Moreover, the court reasoned that if the insurer sought to limit the “publication” to mean communication to many people, it should have added language in the policy to that effect.
The court also rejected the insurer’s argument that a “violation of statutes” exclusion applied. The exclusion (titled “Violation of Statutes That Govern E-Mails, Fax, Phone Calls or Other Method of Sending Material or Information”) barred coverage for personal injuries arising out of violations of: (1) the TCPA; (2) the CAN-SPAM Act of 2003; or (3) “[a]ny statute, ordinance or regulation . . . that prohibits or limits the sending, transmitting, communication or distribution of material or information.” Specifically, the insurer argued that because BIPA prohibits the disclosure of biometric data, the underlying lawsuit fit within the exclusion’s catchall provision for “[a]ny statute . . . that prohibits” disclosure of “material or information.”
The court disagreed with the insurer, holding that the catchall must be read in light of the preceding references to the TCPA and CAN-SPAM Act. It reasoned that those “statutes . . . govern certain methods of communication, i.e., e-mails, faxes, and phone calls”, whereas BIPA does not and instead regulates a class of data (namely, biometric data) (emphasis added). Thus, the court held that the insurer had a duty to defend the insured for allegedly violating BIPA.
The appellate court’s decision raises several issues. First, the court interpreted the term “publication” in connection with a privacy-related claim to include disclosure of information to a single person. But publication to a single person generally applies only in the defamation context. The court did not analyze whether the term “publication”, in the context of privacy-related claims, warranted a different interpretation, to require publication to a broader audience as a prerequisite for liability.
Second, the court did not enforce the “violation of statutes” exclusion. BIPA actually says “[n]o private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person’s or a customer’s biometric identifier or biometric information” unless certain conditions are met. As such, BIPA does regulate methods of communications in the sense that no company may “disclose, redisclose, or otherwise disseminate” a person’s biometric data using any method of transmission.