As Illinois' Biometric Information Privacy Act (BIPA) and similar legislation begin to loop through headlines, the insurance market is taking notice.

Illinois enacted BIPA in 2008, requiring entities that use and store biometric identifiers to comply with certain requirements and providing a private right of action for recovering damages. However, BIPA didn't have a significant impact until 2019, when the Illinois Supreme Court ruled in Rosenbach v. Six Flags Entertainment Corp. that a plaintiff can be considered an aggrieved person for purposes of BIPA even when an “actual injury" isn't alleged.

From there, the BIPA roller coaster picked up speed. In another recent development, in February, the Illinois Supreme Court ruled in Cothron v. White Castle System Inc. that a separate claim accrues each time a business unlawfully scans or transmits an individual's biometric identifier—a ruling that has a significant impact on commercial insureds.

“In Illinois, the purpose of BIPA was to protect individuals from having their biometric data collected without their consent," says Jamie Sanders, Chicago-based partner at Clyde & Co., a global law firm. “But the end result has been a proliferation in class action litigation that largely benefit the attorneys that bring them and disproportionately punishes businesses for innocent and non-malicious violations of BIPA that did not actually harm anyone."

“The Illinois Supreme Court's recent White Castle decision, in which it held that each collection of biometric information is a separate violation of the statute, exposes many businesses to potential financial ruin," Sanders adds.

Several other states and municipalities have enacted biometric or consumer privacy laws, including Texas, which last year sued Google over claims that the search engine is illegally capturing biometric data of users without their consent. And the plaintiffs' class action bar is taking notice, according to Duane Morris LLP's “Class Action Review 2023" report.

“With a certification conversion success rate of nearly 77% for the plaintiff's bar and a tsunami of privacy claims coming down the track for 2023, companies need to redouble their compliance and risk mitigation efforts to address class action litigation risks and take the necessary planning, preparation and decision-making steps to position themselves to withstand and defend class action exposures," said Gerald L. Maatman Jr., Duane Morris partner. “Last year saw significant state legislative activity regarding data privacy, with five states preparing for new privacy laws to take effect in 2023, including California, Colorado, Connecticut, Utah and Virginia. Companies can expect an exponential increase in these types of class actions in 2023."

As laws and lawsuits alike continue to roll down the tracks, “the most significant concern for businesses that collect biometric data is that they will have unmanageable class action exposure across the country," Sanders says. “The types of businesses impacted are really any business that uses fingerprint scans or facial recognition software, particularly those that use it for entry to or from a building or area. This could be any type of business, ranging from theme parks to hospitals or nursing facilities."

“The types of insurance coverages most likely to be impacted are commercial general liability, employers liability and cyber," Sanders adds.

In response, insurers have begun applying greater underwriting scrutiny or even adding BIPA exclusions to policies, according to Bloomberg Law. These exclusions may eventually lead to a decline in related class actions, said Joshua Mooney, head of U.S. cyber and data privacy at Kennedys Law LLP. In a previous legal trend with the Telephone Consumer Protection Act in 1991, class actions dropped “because carriers are not insuring TCPA liability," Mooney explained. “The plaintiff's bar will always look to insurance as a source of recovery."

AnneMarie McPherson Spears is IA news editor.