What Are Biometrics?
Biometric information is defined as the “measurement and statistical analysis of an individual’s physical and behavioral characteristics.”1 Stated another way, it is any of the measurable attributes and traits that make each of us unique. Physical biometric information may include fingerprints, DNA, faceprints, handprints, retina scans, ear features, and even odor; behavioral examples are gestures, voice patterns, typing rhythm, and walking gait.
Today, there are three main areas that utilize biometrics:
- Identification/Security Access – As opposed to swiping an ID card or using a key, biometric information can be used to access a facility, building, floor or room, and also to open smartphones, computers, and portable storage devices. Fingerprints are typically utilized, but high-security facilities may incorporate retinal or iris scanners, or other more sophisticated means.
- Time Management – For hourly employees, biometric information can be used instead of traditional clocking in and out, reducing the incidents of “buddy punching.”
- Tech/Apps – Biometric information usage is exploding in the technology sector. Examples include social media platforms (e.g., Snapchat, Instagram, Facebook), retail applications (e.g., virtual try‑on technology), and even insurance apps (e.g., using a picture of a face taken on a mobile device to receive a life insurance quote).
Benefits from biometric information usage include improved accuracy and security, fraud reduction, and improved customer experience. However, potential concerns include ever-increasing costs for technology, storage and protection, and growing privacy fears (e.g., identity theft or unauthorized disclosure or use). Unlike a password, if an individual’s biometric information is compromised it cannot be changed, so any potential damage can be more permanent and lasting.
A recent study determined that 40% of Americans use facial biometrics daily, and that number jumps to 75% for Gen Zers and Millenials.2 Overall, over 75% of Americans have had their biometric information collected (many without knowing or realizing it).3 Further, 27% of U.S. businesses utilized biometric authentication technology in 2019, and that number jumped to 79% in 2022.4 Lastly, businesses around the world spent an estimated $11.6 billion on digital verification tools in 2022; that figure is expected to exceed $20 billion by 2027.5
At the end of 2022, 10 states had existing biometric information privacy legislation.6 Generally, the purpose of such laws is to protect the privacy of biometric information by regulating how businesses collect, use, and store such data. Of those 10, three states (Illinois, Texas, and Washington) have specific biometric privacy laws; the others have provisions built into general privacy statutes.7 Further, many additional states had proposed biometric privacy bills pending last year, so there is a lot of activity in this space. Of note, there is presently no federal law/regulation that specifically governs biometric information privacy.
Illinois – Biometric Information Privacy Act
Illinois’ Biometric Information Privacy Act, frequently referred to as “BIPA,” was passed in 2008 and was the first specific biometric privacy law in the United States.8 It regulates the collection/usage of a list of specific “Biometric Identifiers,” which includes “retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”9 The requirements apply to all private businesses; there are no minimum size or revenue requirements.10 BIPA’s key provisions require that companies that collect/possess biometric information:
- Notice – Provide written notice to those whose information will be collected.
- Consent – Obtain prior written consent.
- Disclose – Communicate the purpose and duration of data collection, storage, and use.
- Can’t Sell – Refrain from selling or profiting from the data.
- Written Policy – Have a written retention and destruction policy.
- Private Right of Action – Victims can sue to enforce.
- Attorneys’ Fees – Plaintiff attorneys’ fees are specifically recoverable.
- Statutory Damages – Specifically mandated statutory damages of $1,000 per negligent violation and $5,000 per each intentional/reckless wrongdoing.11
From its passing in 2008 through 2015, BIPA was largely unutilized. In 2015, class action lawsuits started to be filed, and from 2017 through 2022 nearly 2,000 BIPA lawsuits commenced.12
First BIPA Verdict – Rogers v. BNSF
In October 2022, Rogers v. BNSF became the first BIPA class action case to go to trial.13 Venued in federal court in Chicago, the plaintiff class consisted of 45,600 truck drivers who had to utilize their fingerprints to gain access to BNSF’s facility, and alleged that BNSF violated BIPA by failing to obtain prior written consent, provide written notice, and disclose the purpose and duration of the data usage and storage.14 Notably, no actual breach or tangible harm was alleged. A five-day trial ensued, and after an hour’s deliberation, the jury determined that BNSF was liable for 45,600 reckless/intentional violations.15 The Judge calculated damages under BIPA and awarded the plaintiffs $228 million (45,600 drivers x $5,000 penalty = $228,000,000).16 BNSF has stated its intention to appeal.17
On the settlement front, a number of large settlements have been agreed to date:
- Wendy’s – $5.85 million – employee timekeeping18
- Snapchat – $35 million – faceprints19
- Six Flags – $36 million – customer identification for annual passes20
- McDonald’s – $50 million – employee timekeeping21
- TikTok – $92 million – videos capture biometric information22
- Google – $100 million – faceprints23
- Facebook – $615 million – faceprints24
Some notable rulings from courts interpreting BIPA to date include:
- Rosenbach v. Six Flags (2019) – Held: no actual harm required to recover under BIPA25
- Sosa v. Onfido (2022) – Held: faceprints distinguishable from photographs (excluded under BIPA), and therefore BIPA applicable26
- McDonald v. Symphony Bronzeville Park (2022) – Held: Workers’ Compensation laws do not bar a BIPA recovery27
- Vance v. Amazon and Microsoft (2022) – 2 cases venued in Washington. Held: BIPA not applicable because key activities took place outside of Illinois28
- Barnett v. Apple (2022) – Held: BIPA not applicable because touch and face ID tools were optional and the data was only stored locally on individual phones29
- Tims v. Black Horse Carriers (2023) – Held: five-year (as opposed to one-year) statute of limitations applicable to BIPA claims30
Of particular note, on February 17, 2023, the Illinois Supreme Court ruled in Cothron v. White Castle that each scan/collection of biometric information constitutes a separate violation under BIPA (as opposed to one violation per individual), potentially expanding liability exponentially for BIPA violations.31 Subsequent to the ruling, White Castle declared that its exposure to the 9,000+ employee class may exceed $17,000,000,000.32 Procedural and constitutional challenges, and potential legislative measures, are expected.
Things are still developing on the coverage front, but most of the action to date has been under CGL policies. The seminal case at this point is West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan.33 Therein, tanning salon customers’ fingerprints were used for identification purposes, and the tanning salon hired a third-party vendor to process the biometric information. Again, no actual breach to the public at large was alleged. Interpreting the personal injury definition,34 the Illinois Supreme Court interpreted the word “publication” to include communication to a single party, and determined that the hiring and sharing of the biometric information with the vendor constituted publication under the definition and found a duty to defend.35
There have also been some cases interpreting whether certain exclusions (e.g., Employment-Related Practices, Distribution of Materials in Violation of Statutes, Access or Disclosure) exclude coverage for BIPA claims, and the majority of decisions to date have determined the exclusions to not be applicable. Overall, there is still much to play out on the coverage front, including whether coverage is ultimately sought under other coverage types (e.g., Directors & Officers, EPLI, Cyber).
Biometric Information Privacy Exclusions
On March 2, 2023, ISO filed a Data Privacy exclusion, and a revision to its Access- or Disclosure-related exclusion, which includes specific reference to biometrics.36 The proposed effective date is December 1, 2023.37 Gen Re has analyzed biometric privacy exclusion options, including potential insurance policy exclusion language, and has prepared a sample biometric privacy exclusion. Please contact your Gen Re representative for more information.
With a private right of action, customer and employee actions permitted, no actual harm or breach required, mandatory statutory damages, and attorneys’ fees recoverable, BIPA class actions are very attractive and lucrative to plaintiffs’ class action counsel. And while there is still a lot of development to come nationwide on the legislative, liability and coverage fronts, there are things that businesses and insurers should consider now: