When the California legislature passed the California Consumer Privacy Act of 2018, one of the primary enforcement mechanisms was the private right of action, which grants statutory damages to aggrieved consumers under the law. However, California was not the first state to pass privacy legislation with statutory damages built into it.
The Illinois Biometric Information Privacy Act, or BIPA, has provided statutory damages to consumers since 2008, and recent decisions in both the Illinois Supreme Court and United States Supreme Court highlight the growing risk faced by many companies subject to recent privacy regulations.
Biometrics Data and Privacy: A Brief Background
At the core of the BIPA legislation is the ability to regulate the collection, retention, and disclosures of biometric information. The law plainly states, among other things, that a person must give written consent to a private entity to collect biometric data, and the private entity must disclose what’s being collected and why.
Biometric information is anything related to human measurement that can uniquely identify a person. Think fingerprints, the face, the iris and more—all of which are applied to a variety of functions today; for example, gaining access to a phone app or a bank account.
And biometrics data collection is growing. That’s because biometrics technology is gaining traction in a number of sectors, including automotive, healthcare, retail and more.
But how companies collect and use this type of data is now under the microscope, and a growing number of cases are looking at biometrics data and privacy.
Bracing for the Impact of Biometrics Litigation
It was Spring 2014 and 14-year-old Alexander Rosenbach arrived at Six Flags Great America in Gurnee, Illinois, for a class trip. Neither Alexander nor Six Flags knew at the time the impact that this visit would have on both of them.
Alexander’s mother had purchased a season pass for him ahead of time, and his registration would be completed in person when he arrived at the park. On the day of the class trip, Alexander’s fingerprints were scanned as part of the park’s routine procedures. The park required the scan so that it could quickly verify his identity on subsequent visits.
But there was a problem: Neither Alexander nor his mother was informed about the usage of those fingerprints, nor did they expressly consent to it.
The Rosenbachs filed suit against Six Flags on behalf of a class alleging violations of BIPA. The case eventually made its way to the Illinois Supreme Court.
No Injury? No Problem Under BIPA
The question on the table was this: Is a person considered “aggrieved” and qualified to seek damages pursuant to BIPA if he or she has not alleged actual injury or adverse effect beyond the violation of rights under BIPA?
BIPA states that “any person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party,” and that they may also recover statutory damages for each violation.
The appellate court that reviewed the case before it went to the Illinois Supreme Court found that “a plaintiff who alleges only a technical violation of the statute without alleging some injury or adverse effect is not an aggrieved person.”
But the Illinois Supreme Court disagreed. After careful analysis, the Illinois Supreme Court said:
Contrary to the appellate court’s view, an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an “aggrieved” person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act. The judgment of the appellate court is therefore reversed, and the cause is remanded to the circuit court for further proceedings.
In a separate BIPA case that was heard in a federal court, the Ninth Circuit affirmed that plaintiffs had Article III standing to sue for technical violations of BIPA without alleging actual harm. The United States Supreme Court declined to hear an appeal on the matter, leaving the Ninth Circuit’s decision to stand.
While these rulings are a definite win for consumers, businesses that collect and use biometric data need to brace for the impact of potentially serious class action litigation.
A Roadmap for CCPA Litigation
The impact of these decisions may not be limited to companies subject to BIPA. The California Consumer Privacy Act is another law that requires disclosures and consent around data collection and usage.
Any violation of the act is enforceable—whether intentional or unintentional—and like BIPA, it also awards statutory damages in a private right of action for consumers.
Keep in mind, too, that entities that do business in California but aren’t necessarily in California may be subject to CCPA as well.
So it’s not hard to draw a parallel between what happened in Illinois and what could happen in California, as the Illinois litigation establishes a precedent for similar cases elsewhere.
Good News: Cyber Insurance Can Respond
In a bit of good news for businesses: well-brokered cyber insurance covers liabilities arising out of consumer class actions alleging violations of privacy regulations such as CCPA and BIPA.
Many cyber insurance policies rely on the definition of personally identifiable information (PII) to trigger coverage. Biometric information is considered to be PII as defined under most state, federal, and foreign privacy regulations.
Historically, though, many of these biometrics cases haven’t survived a motion to dismiss from the defendants, as in Rivera v. Google in 2018. In that case, as in others, the courts found that the plaintiffs lacked sufficient concrete or actual damages to establish Article III standing, and refused to certify the class, dismissing the claim.
So despite the fact that cyber insurance will respond to these cases, insurers haven’t been spending a lot of money on them as they have been dismissed relatively early in the proceedings.
However, the recent court decisions around BIPA and statutory damages in privacy regulations appear to be changing this dynamic.
That means companies subject to privacy regulations with a private right of action could face class action cases that move beyond a motion to dismiss, creating the potential for extremely costly litigation.
Faced with these cases moving beyond the motion to dismiss, I predict many companies will now be entering into settlement discussions to avoid a lengthy trial.
The impact of this change in the litigation environment will be felt in the cyber insurance market. Protracted litigation and costly settlements will increase the insurers’ loss ratios, as most cyber insurance policies will cover the defense and settlement of this type of litigation.
And when loss ratios increase, either cyber insurance pricing goes up or coverage gets restricted.
It’s safe to say that biometrics is not going away: forecasts indicate the biometrics market will reach $3.5 billion by 2025. Unfortunately for businesses that use biometrics data, the litigation trend is also not likely to wane.