Over the past few months, you have probably heard about big dollar settlements in cases brought under the Illinois Biometric Information Privacy Act (“BIPA”). From the social media world, Facebook and TikTok both had significant settlements, agreeing to pay $650 million and $92 million, respectively. A variety of other companies are now or soon will be facing similar BIPA class actions.
BIPA is an Illinois statute regulating the collection and use of biometric data, including fingerprints, retina and iris scans, voiceprints, and scans of hand and face geometry. (740 Ill. Comp. Stat. 14/1 et seq. (2008)). It prohibits private entities from disclosing a person’s biometric information without that person’s consent. While a few other states have similar laws, only BIPA provides a private right of action. Accordingly, the plaintiffs’ bar has sought to capitalize.
Under BIPA, plaintiffs can recover $1,000 for each negligent BIPA violation and $5,000 for each intentional or reckless violation, plus attorneys’ fees. The Illinois Supreme Court has held that when a private entity violates BIPA, any person whose biometric information was wrongfully shared can recover, even in the absence of actual injury. Thus, BIPA class actions expose companies to tremendous potential liability. As the recent Facebook and TikTok settlements confirm, potential damages can add up quickly.
The new cottage industry of BIPA class actions has led to a predictable result: defendant companies litigating with their insurers over whether there is coverage for the underlying BIPA case. One case, in particular, stands out.
West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc.
In West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc. (“West Bend”), the court was tasked with deciding whether the insurer was obligated to provide a defense for a tanning salon in a BIPA class action brought by a salon customer. The customer alleged that the tanning salon violated BIPA by obtaining customer fingerprints and sharing them with a third-party vendor without first obtaining the required written release. The tanning salon, which was covered by two business owners’ liability policies, sought coverage from its insurer. In response, the insurer filed a declaratory judgment action seeking a declaration that the policy provided no such coverage. Both parties both moved for summary judgment.
The policies provided coverage for a “personal injury” that arises out of an “oral or written publication of material that violates a person’s right of privacy,” but also contained an exclusion for “distribution in violation of statutes.” The parties disputed whether the salon owner’s sharing of customer biometric information with its vendor was a “publication” that violated the customer’s right to privacy and whether the policy’s exclusion applied to BIPA liabilities.
The trial court ruled for the tanning salon, finding the insurer was obligated to provide a defense in the class action. The Illinois Supreme Court affirmed.
“Publication” and “Right of Privacy”
The insurance policies at issued stated, in pertinent part, as follows:
- Business Liability
- We will pay those sums that the insured becomes legally obligated to pay as damages because of ‘bodily injury’, ‘property damage’, ‘personal injury’ or ‘advertising injury’ to which this insurance applies. We will have the right and duty to defend the insured against any ‘suit’ seeking those damages. However, we will have no duty to defend the insured against any ‘suit’ seeking damages for ‘bodily injury’, ‘property damage’, ‘personal injury’, or ‘advertising injury’ to which this insurance does not apply.
* * *
- This insurance applies:
- To ‘bodily injury’ and ‘property damage’ only if:
- (a) The ‘bodily injury’ or ‘property damage’ is caused by an ‘occurrence’ that takes place in the ‘coverage territory’; and
- (b) The ‘bodily injury’ or ‘property damage’ occurs during the policy period.
- (2) To:
- (a) ‘Personal injury’ caused by an offense arising out of your business, excluding advertising, publishing, broadcasting or telecasting done by or for you;
- (b) ‘Advertising injury’ caused by an offense committed in the course of advertising your goods, products or services[.]”
The policies contain the following pertinent definitions:
“F. Liability And Medical Expenses Definitions
- ‘Advertising injury’ means injury arising out of one or more of the following offenses:
* * *
b. Oral or written publication of material that violates a person’s right of privacy;
* * *
- ‘Bodily injury’ means bodily injury, sickness or disease sustained by a person, including death resulting from any of these at any time.
* * *
- ‘Personal injury’ means injury, other than ‘bodily injury’, arising out of one or more of the following offenses:
* * *
e. Oral or written publication of material that violates a person’s right of privacy.”
The insurer argued that the customer’s BIPA complaint did not trigger the policies’ coverage for “personal injury” or “advertising injury” because the complaint did not allege a “publication” of material that violates a person’s “right of privacy.” The insurer first contended that “publication,” as used in business liability policies, means “communication to the public at large,” and because the tanning salon disclosed the biometric information at issue to only a single entity, there was no “publication.” The Illinois Supreme Court rejected the insurer’s position, relying on publication’s dictionary definition: “the term means both communication to a single party and communication to the public at large.” Accordingly, the tanning salon’s decision to share the biometric information with its vendor was a “publication.”
The parties also disputed what “right of privacy” means under the policy. Looking again to the dictionary definition, the court found that the right to privacy includes two primary privacy interests: seclusion and secrecy. As a result, the court defined the right to secrecy as the right to keep certain information confidential. Applying this definition, the court found that BIPA protects a secrecy interest—the right of an individual to keep his or her personal identifying information, like fingerprints, secret. Thus, the court found that the customer’s allegation that the tanning salon shared the customer’s biometric information with a third-party sufficiently alleged a potential violation of the customer’s “right to privacy” within the purview of the insurance policies.
Violation of Statutes Exclusion
The policies contained the following pertinent exclusions:
- Applicable To Business Liability Coverage
This insurance does not apply to:
* * *
p. Personal Or Advertising Injury
‘Personal injury’ or ‘advertising injury’:
* * *
(2) Arising out of oral or written publication of material whose first publication took place before the beginning of the policy period;
(3) Arising out of the willful violation of a penal statute or ordinance committed by or with the consent of the insured.
Additionally, an endorsement to the policies added the following exclusion:
This insurance does not apply to:
DISTRIBUTION OF MATERIAL IN VIOLATION OF STATUTES
‘Bodily injury’, ‘property damage’, ‘personal injury’ or ‘advertising injury’ arising directly or indirectly out of any action or omission that violates or is alleged to violate:
(1) The Telephone Consumer Protection Act (TCPA) [(47 U.S.C. § 227 (2018))], including any amendment of or addition to such law; or
(2) The CAN-SPAM Act of 2003 [(15 U.S.C. § 7701 (Supp. III 2004))], including any amendment of or addition to such law; or
(3) Any statute, ordinance or regulation, other than the TCPA or CAN-SPAM Act of 2003, that prohibits or limits the sending, transmitting, communicating or distribution of material or information.”
The insurer argued that that the policies’ exclusions expressly ruled out claims stemming from BIPA violations. According to the insurer, the policies barred coverage for violations of statutes that “prohibit the communicating of information,” which, according to the insurers, BIPA does. In response, the tanning salon emphasized the title of the exclusion and argued that the “other than” language in the exclusion bars coverage only for violations of statutes that regulate methods of communication like telephone calls, faxes, and e-mails. The court agreed with the tanning salon.
The court began its analysis by pointing out that the exclusion is titled “Violation of Statutes that Govern E-Mails, Fax, Phone Calls or Other Methods of Sending Material or Information.” The court noted that all the items listed in the title are methods of communication. Next, the court referenced how the exclusion explicitly lists two statutes that regulate methods of communication: the TCPA (telephone calls and faxes) and the CAN-SPAM Act (e-mails). Accordingly, the court construed the words “other than” in the exclusion to mean other statutes of the same general kind that regulate methods of communication like the TCPA and the CAN-SPAM Act. Because BIPA does not regulate methods of communication, the court held that the statutory violation exclusion does not apply. Furthermore, to the extent that the “other than” language in the policies could be viewed as ambiguous, the court noted that it must be construed against the insurer.
Different Allegations, Different Policies
In West Bend, the Illinois Supreme Court focused on the specific allegations in the underling class action complaint and its holding relied heavily on the policy language.Different facts underlying an alleged BIPA violation could lead to a different result on issues such as “publication” or “right to privacy.” And of course, not all general liability policies contain definitions and exclusions that are identical to the policy provisions considered by the court. Careful review of the underlying BIPA allegations as well as all pertinent policy language is essential to determine the scope of possible coverage for claims under BIPA.
The case was part of a growing trend of similar actions brought by insurers seeking to avoid coverage in the context of Illinois BIPA class actions. Even beyond the Illinois statute, companies need to recognize the increasing concern regarding privacy and protecting biometric information. Insurers will continue to challenge coverage in this area, and some may even seek to introduce changes to policy language to limit coverage. Policyholders need to scrutinize past, present, and future policies and carefully evaluate whether they are covered for possible BIPA violations. And companies without existing general business liability coverage for such claims may need to pursue other insurance options if faced with a potentially damaging class action.
Ross Weiner is the Legal Director at Risk Settlements, a team of highly experienced legal, insurance and risk specialists. He helps companies assess legal and financial risk and create optimal settlement designs and risk transfer options. Prior to joining Risk Settlements, he was a litigator at Kirkland & Ellis LLP and focused on class actions among other matters.