Biometric information and the right to its privacy have been a continuing topic in law, the courts and insurance for several years.
"Biometric information" is information used to identify an individual based on "biometric identifiers" - immutable physical characteristics of a person such as fingerprints or scans of body parts. Use of biometric information for identity purposes raises privacy questions,
Illinois first addressed the issue with its Biometric Information Privacy Act (BIPA) in 2008. Beginning in 2015 class action lawsuits were filed under BIPA alleging unlawful collection and use of data. In 2019 the Illinois Supreme Court held in Rosenbach v. Six Flags Entertainment Corp. that a plaintiff did not have to show actual harm to sue.
Texas and Washington have similar biometric data protection laws. So far in 2022 California (which includes biometric data in the CCPA and CPRA), Kentucky, Maryland and New York have proposed their own laws.
Courts have ruled on BIPA's disclosure and consent requirements. There are limitations for pre-emption and need for a relationship with the defendant. There are cases pending on whether each scan is a new violation, and what statute of limitations applies.
Insurance claims involving BIPA so far have had mixed results. Some General Liability claims have been denied under the access or disclosure of personal information exclusion, but more often than not coverage has been found. Recently some Cyber policies have excluded BIPA claims, and at least one Directors and Officers/Employment Practices Liability insurer has done so.
Companies that collect and use biometric information should have policies on its collection, use, consent, retention and disposal in accordance with applicable law.
More information on the BIPA is in the July 2022 Locke Lord Privacy & Cybersecurity Newsletter (online at lockelord.com).