Six Flags and Standing
In 2019, the Illinois Supreme Court handed down its decision in Rosenbach v. Six Flags Entm’t Corp., which held that “a person need not have sustained actual damage beyond violation of his or her rights under the Act in order to bring an action under it.” The court noted, “[t]hrough the Act, our General Assembly has codified that individuals possess a right to privacy in and control over their biometric identifiers and biometric information” and that the “violation, in itself, is sufficient to support the individual’s or customer’s statutory cause of action.”
In August 2015, plaintiffs filed a putative class action in the United State District Court for the Northern District of California. The complaint “alleges that Facebook subjected them to facial-recognition technology without complying with an Illinois statute intended to safeguard their privacy.” Facebook had created a new feature called “Tag Suggestions” that permits Facebook “to analyze whether the user’s Facebook friends are in photos uploaded by that user.” The class consisted of “Facebook users living in Illinois” who alleged violations of BIPA. After analyzing BIPA, the Court noted “BIPA also provides for actual and liquidated damages for violations of the Act’s requirements.”
Article III standing requires that a plaintiff “’have suffered an ‘injury in fact’” that is “concrete” but “need not be tangible.” The Patel panel discussed the Robins v. Spokeo, Inc. Supreme Court decision to address statutory provisions and actual harm suffered by those seeking damages. It then considered the establishment of right to privacy actions. After doing so, the court concluded “that an invasion of an individual’s biometric privacy rights ‘has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts.’” The Court held: “Therefore, we conclude that ‘the statutory provisions at issue’ in BIPA were established to protect an individual’s ‘concrete interests’ in privacy, not merely procedural rights.” Citing Rosenbach, the court that “the plaintiffs have alleged a concrete injury-in-fact sufficient to confer Article III standing.” Finally, with respect to the certification of the class, the court rejected Facebook’s arguments about extraterritoriality, finding that “it is reasonable to infer that the General Assembly contemplated BIPA’s application to individuals who are located in Illinois, even if some relevant activities occur outside the state.”
The 9th Circuit refused a petition for rehearing en banc, and the Supreme Court rejected the petition for certiorari.
The 7th Circuit, which includes Illinois, has reviewed standing issues as well. In Christine Bryant v. Compass Group U.S.A., Inc., the court held that the Complaint had satisfied the injury-in-fact requirement of Article III with respect to Plaintiff’s claims under Section 15(b) but did not satisfy the hurdle for Section 15(a).
Workers Compensation Insurance Coverage
A recent Illinois appellate court decision investigated the issue of whether Workers’ Compensation was the sole remedy for an employee who alleged violations of the Illinois BIPA. In McDonald v Symphony Bronzeville Park LLC, the court held that the exclusive remedy of Workers’ Compensation does not prohibit employees from bringing an action against an employer for allegedly violating the Illinois BIPA. While acknowledging that the Illinois Supreme Court “’has indicated that the [Compensation Act] generally provides the exclusive means by which an employee can recover against an employer for a work-related injury,’” the court found that the exception for “not compensable” under the Workers’ Compensation Act provided the out for the plaintiff in this case, holding:
“In light of the above discussion, we fail to see how a claim by an employee against an employer for liquidated damages under the Privacy Act—available without any further compensable actual damages being alleged or sustained and designed in part to have a preventative and deterrent effect—represents the type of injury that categorically fits within the purview of the Compensation Act, which is a remedial statute designed to provide financial protection for workers that have sustained an actual injury. As such, we conclude that the exclusivity provisions of the Compensation Act do not bar a claim for statutory, liquidated damages, where an employer is alleged to have violated an employee’s statutory privacy rights under the Privacy Act, as such a claim is simply not compensable under the Compensation Act.”
General Liability and Other Liability Policies
In West Bend Mutual Ins. Co. v. Krishna Schaumburg Tan. Inc., an Illinois appellate court in a case of first impression, the Krishna court affirmed the grant of summary judgment in favor of the insured and held that underlying complaint sufficiently alleged "publication" to trigger the duty to defend a BIPA claim and the exclusion for statutory violations that mentioned the TCPA and the Can-Spam Act, but not BIPA, did not apply. The appellate court also found:
“In short, the violation of statutes exclusion applies to bar coverage to violations of statutes that regulate methods of communication. The Act says nothing about methods of communication. It instead regulates ‘the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.’ 740 ILCS 14/5(g).”
The Illinois Supreme Court granted petition for leave to appeal and will hear oral arguments on the case some time in the coming months.
The arguments over whether liability policies cover BIPA center around whether any “personal injury” has occurred and given the nature of the damages as being statutory in nature, arguments continue about potential coverage.
In a recently filed case in Cook County, American Guarantee & Liability Insurance Co. v. Toms King, LLC, No. 2020-CH-04472 (Cir. Ct. Cook County June 5, 2020), the insurer argued that two arguing two exclusions allow it to provide no defense or coverage: employment-related practices and disclosure of confidential information.
Other Insurance Coverages
Many of the class action defendants are employers who have required their employees to use biometric information for signing in and out of their workday. Many EPL policies contain exclusions for violations of statutes, but also might include invasion of privacy or failure to provide adequate corporate policies in the definition of “employment practices wrongful act,” which may trigger coverage under the EPL policies.
Another potential avenue of insurance coverage likely to be pursued is in the cyber arena. Today’s entities are facing an evolving, wide-ranging specter of cyber and privacy risks that extend far beyond traditional notions of cyber security. As privacy laws and regulations continue to proliferate, the ways entities collect, use, store, share, and dispose of information can lead to legal and regulatory exposures, even in the absence of a data breach. Cyber insurance applicability will necessarily include a detailed analysis of how the policy defines covered information; and intentional conduct and statutory penalties might not be covered.
The insurance coverage determinations will vary by insurance type. Policy language and type of policy will be important. As the Illinois courts see more insurance coverage disputes related to BIPA, the landscape should become more apparent.
With the Six Flags decision and other developments, plaintiffs likely will continue to aggressively seek relief from large defendants such as Facebook. For example, in November, a federal court in Illinois rejected efforts by defendant Apple to dismiss a class action complaint filed against it. The search for insurance coverage and money to pay for the continued substantial exposures defendants face continues. The availability of coverage under any policy will depend on the claim specific facts, the type of harms alleged, and policy terms and court applications of same and applicable law.