(September 2019) - A three-judge panel of the Ninth Circuit U.S. Court of Appeals recently held that Illinois Facebook users may bring claims for privacy violations under state law for the use and storage of biometric information on the company's platforms and servers. Patel v. Facebook, 18-15982, (9th Cir. Aug. 8, 2019). Three Illinois residents allege that "face templates" of them were created and used by Facebook without sufficient notice, agreement, and protection under the Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14/15.

The court affirmed a class of "Facebook users located in Illinois for whom Facebook created and stored a face template after June 7, 2011." Patel, at *10; Fed.R.Civ.P. 23(f); 28 U.S.C. § 1292. The size of this class is not currently clear, but it is expected to number in the millions. The costs of a class action defense of this magnitude will be substantial, while the potential indemnity exposure is in the billions of dollars. The ruling may give rise to coverage issues.

Illinois courts have addressed coverage for similar class actions involving alleged violations of privacy under the Telephone Consumer Protection Act (TCPA) and other similar statutory regimes. See Valley Forge Ins. Co. v. Swiderski, 223 Ill.2d 352 (2006). In some fact patterns, there may be a potential for property damage, but the coverage most likely to be implicated is for personal and/or advertising injury claims or offenses. Given how the Illinois Supreme Court handled coverage questions for TCPA claims, BIPA claims are likely to fall within the coverage grants for personal and/or advertising injury. Ultimately, coverage questions will likely turn on the industry's exclusions for certain statutory claims.

BIPA

BIPA was enacted in Illinois in 2008 to regulate the collection and storage of biometric information by private entities. The law provides that no private entity may collect, store, or use biometric information without notice to and written release or consent from the subject. 740 ILCS 14/15. More particularly, BIPA provides that:

(a) A private entity in possession of [biometric information] must develop a written policy...establishing a retention schedule and guidelines for permanently destroying biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual's last interaction with the private entity, whichever occurs first....

(b) No private entity may collect, capture, purchase, receive through trade, or otherwise obtain [biometric information], unless it first:

(1) informs the subject...the information is being collected or stored;

(2) informs the subject...in writing of the specific purpose and length of term...and

(3) receives a written release....

(c) No private entity in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise profit [from biometric information].

(d) No private entity in possession of a biometric information may disclose, redisclose, or otherwise disseminate [it] unless:

(1) the subject of the biometric information...consents to the disclosure or redisclosure;

(2) the disclosure or redisclosure completes a financial transaction requested or authorized...;

(3) the disclosure or redisclosure is required by State or federal law or municipal ordinance; ....

740 ILCS 14/15. The Act also provides that a private entity must "store, transmit, and protect" biometric information using "the reasonable standard of care" in the industry. Id., 14/15(e).

In Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, the court held that plaintiffs have a claim for damages if their right to consent and secure biometric information has been violated. The court reasoned that the legislature determined that violations constituted an invasion of privacy, and that "real and significant" damage occurs with the taking and retention of such data. Id.  at ¶34. Other than a right of private action, there is no other enforcement mechanism and "to require individuals to wait until they have sustained some compensable injury" beyond violation of the statutory rights would be "antithetical to the Act's preventative and deterrent purposes." Id. at ¶37. It is not necessary to allege consequential damage.

BIPA statutory damages are $1,000 for each negligent violation, $5,000 for each reckless or intentional violation, or actual damages plus attorneys' fees. 740 ILCS 14/20(1). On January 25, 2019, the Illinois Supreme Court held that individuals do not need to allege they were actually harmed by a violation of BIPA to seek liquidated damages and injunctive relief under the Act. Rosenbach, supra.

As in Rosenbach, the Patel decision supports the conclusion that BIPA is inherently a statutory scheme to protect privacy. The plaintiffs alleged BIPA violations occurred when biometric material was collected, stored, and used without prior written release or agreement after Facebook launched its "Tag Suggestions" feature in 2010. The Ninth Circuit reviewed common law privacy interests and constitutionally protected "zones of privacy" in finding that "an invasion of an individual's biometric privacy rights has a 'close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts'" in order to find a concrete and particularized injury for Article III standing. Id., at *16, citing Spokeo, Inc. v. Robins, 136 S.Ct. 1540 (2015)(rights under Fair Credit Report Act, 15 U.S.C. §1681). The court reasoned that the statutory provisions were established to protect "concrete interests" as opposed to procedural rights, and that the alleged violations at least threatened harm to those concrete interests. While the court viewed a photograph alone as inoffensive, it concluded that it could be used to generate "biometric material" when scanned to generate facial geometry identifiers. Id. at * 8, fn.4.

The Swiderski Analysis as to the TCPA.

Like BIPA, the TCPA is a statute that is designed to protect individuals from unwanted invasions of privacy. In Swiderski that invasion came in the minimal form of an unwanted fax. The insureds and claimants (who were often represented by their own coverage counsel) argued that the claims were of personal and advertising injury. Such coverage is typically offense based. One of the covered offenses is typically an offense of electronic, oral, written or other publication of material that violates a person's right of privacy.

The Illinois Supreme Court held that receipt of an unwanted fax was a claim that material was published to the recipient, and that the receipt was an invasion of a privacy interest in seclusion. Valley Forge Ins. Co. v. Swiderski, 223 Ill.2d 352 (2006). The case involved a private business conducting blast-fax advertising. The policy at issue extended coverage for an "[o]ral or written publication, in any manner, of material that violates a person's right to privacy." Id. at 354. The Swiderski court reasoned that the essence of a TCPA claim was a potentially covered invasion of privacy. Id. at 365.

In the TCPA context, a blast fax would appear to be a clear "publication." The BIPA paradigm may be different. The term "publication" is not defined in the ISO policy form. Litigation of coverage as to TCPA claims may be instructive in determining what constitutes a "publication". In Swiderski, the court held that the required element of "publication" for coverage to attach was met by the transmission over telephone lines and faxing of advertisements, and "[t]he offering or distribution of copies of a work to the public" or to another. Id. at 367, quoting, Black's Law Dictionary 1264 (8th ed. 2004). There is an argument that the term "publication" may mean nothing more than communication of the information to a customer of the defendant or a vendor to the defendant rather than a publication to consumers, other facebook users, or the like. Integrated Genomics, Inc. v. Gerngross, 636 F.3d 853, 862 (7th Cir. 2010).

After Swiderski, the Illinois Supreme Court held that the TCPA statutory scheme is remedial and an award of damages is not punitive nor does it require showing recklessness or malice. As such, the remedy constitutes "damages" under a GL policy. Standard Mut. Ins. Co. v. Lay, 2013 IL 114617. The court held that the assessment of damages was remedial for the invasion of privacy and not a penal award. The damages were intended to incentivize a change in conduct—to comply with the law and serve more than a purely punitive or deterrent goals. The court concluded that "the manifest purpose of the TCPA is remedial not penal." Id. at ¶30.

Underwriting in Light of the TCPA.

Following the growth and costs of defending class action TCPA lawsuits, insurers nationally moved to drafting exclusions for certain statutory claims. As an example, in Zurich Am. Ins. Co. v. Ocwen Fin. Corp., 357 F.Supp.3d 659 (N.D. Ill. 2018), the policy excluded coverage for claims directly or indirectly arising out of or based upon any action or omission that violates or is alleged to violate:

(1) The [TCPA], including any amendment or addition to such law;

(2) The CAN-SPAM Act of 2003, including any amendment of or addition to such law;

(3) The [FCRA], and any amendment of or addition to such law, including the Fair and Accurate Credit Transaction Act (FACTA); or

(4) Any federal, state or local statute, ordinance or regulation, other than the TCPA, CAN-SPAM Act or 2003 or FCRA and their amendments and additions, or any other legal liability, at common law or otherwise, that addresses, prohibits, or limits the printing, dissemination, disposal, collecting, recording, use of, sending, transmitting, communicating or distribution of material or information.

The court found the above exclusion to be clear and unambiguous as to claims under the TCPA. See also G.M. Sign, Inc. v. State Farm Fire & Casualty Co., 2014 IL App (2d) 130593 (court denied coverage for the claims based on TCPA and related claims exclusion despite effort to include non-TCPA claims based on same facts); Regents Ins. Co. v. Integrated Pain Mgt., 2016 U.S. Dist. Lexis 148855 (E.D. Mo. 2016)(applying Illinois law).

In Ocwen, the court upheld a violation of law exclusion against TCPA and Fair Debt Collection Act violations, defamation and invasion of privacy claims. Other courts have also enforced the TCPA exclusions. Emcasco Ins. Co. v. CE Design, Inc., 784 F.3d 1371 (10th Cir. 2015)(Oklahoma and Illinois law); Travelers Indem. Co. v. Margulis, 2016 U.S. Dist. Lexis 173420 (E.D. Mo. 2016)(Missouri).

Will the TCPA Exclusions Bar Coverage for BIPA?

Insurers may be expected to assert that BIPA is a "state or local statute ... that addresses, prohibits, or limits the printing, dissemination, disposal, collecting, recording, use of, sending, transmitting, communicating or distribution of material or information," and that, as a result, BIPA claims are already being excluded from many policies. The results under cases involving the TCPA strongly suggest that policies with such exclusions may well have no duty as to BIPA class actions.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.