Cort Malone and Abigail Damsky *
Abstract: States and cities, including New York City, are following Illinois' lead in enacting biometric privacy laws intended to protect employees' and consumers' biometric information. Courts, particularly in Illinois, have cleared up early uncertainty by ruling consistently in favor of policyholders where insurance coverage for violations of the Illinois Biometric Information Privacy Act (BIPA) is at issue. In response, insurance companies are implementing new measures to try to avoid paying for these liabilities. Another emerging area sure to lead to litigation involving privacy and data collection laws is artificial intelligence. As litigation involving privacy laws and artificial intelligence continues to proliferate, will businesses have the same success obtaining insurance coverage for these claims in courts throughout the country as policyholders have in BIPA-related insurance disputes in Illinois? While only time will tell, companies and policyholders should be examining their use of biometrics and artificial intelligence in the present, as well as their current and renewal insurance policies, to ensure adequate protection in the future.
Introduction to Biometrics
Biometric identifiable information (BII) is an individual's physiological, biological, or behavioral characteristic, including DNA, that can be used to establish individual identity. Biometric information includes imagery of the iris, retina, fingerprint, and face, from which an identifier template, such as a faceprint or voiceprint, can be extracted. Biometrics are used as a more secure, and convenient, way to confirm identification—as opposed to easily hacked passwords. But there is a risk to using biometric data because such information cannot be replaced or changed if stolen. The frequent use of BII has led states to propose and pass biometric privacy laws to protect consumers and employees. Understanding biometric data and the laws designed to protect it is critical because the use of biometrics will only continue to increase.
Existing and Pending Biometric Privacy Laws
The seminal biometric privacy law in the United States is Illinois' Biometric Information Privacy Act (BIPA), which the Illinois legislature unanimously passed in 2008. BIPA allows individuals to control their own biometric data and prohibits private companies from collecting such data without following certain procedures, such as obtaining written consent. Critically, BIPA creates a private right of action for individuals subject to the law's provisions. It provides statutory damages of up to $1,000 for each negligent violation and up to $5,000 for each intentional or reckless violation. In 2019, the Illinois Supreme Court strengthened BIPA's reach when it held that actual harm is not required to establish standing to sue under BIPA. 1 This means that when an organization violates a procedural or technical aspect of BIPA, even when there is no specific injury or adverse effect, the individual whose biometric data was collected has standing to sue under the law.
At least six other states have followed Illinois' lead and passed biometric privacy laws designed to protect individuals from the collection, use, and sale of their personal biometric data. Eighteen states have pending legislation, some of which is similar to BIPA in that it would include a private right of action.
In 2021, the New York City Council amended New York City's administrative code to implement biometric privacy protections. It required businesses to notify customers of the use of biometric identifier technology and prohibited the sale of biometric identifier information. The city's Biometric Identifier Information Law (BII Law) addresses the collection and use of biometric identifier information by commercial establishments to track consumer activity. The BII Law also provides a private right of action that allows for judgments of $500 for negligently sharing biometric information or failing to post signage that the commercial establishment is collecting biometric identifier information and $5,000 for the intentional or reckless sale of biometric information. While New York City passed the BII Law, New York State's biometric privacy law is still pending. Even though the City's BII Law is less rigorous than BIPA, the law ultimately may result in extensive litigation seeking massive damages.
When the BII Law was first passed, its impact was unclear because it provides a cure period for certain violations and allows for the collection of biometric data without written consent. In March 2023, however, a lawsuit was brought in federal court in New York against Amazon under the BII Law. The complaint in Rodriguez Perez v....