By Charles Insler on February 13, 2024
The Takeaway
Illinois’ First District Appellate Court affirmed a Circuit Court’s decision that an insurer has no duty to
defend its insured in an underlying BIPA lawsuit.
Introduction
The Biometric Information Privacy Act (BIPA or Act) has launched hundreds, if not thousands, of
lawsuits across the state and federal courts of Illinois. Some BIPA lawsuits have even made their way
to other states,[1] with some settling for enormous sums.[2] With so many BIPA lawsuits, insureds and
insurers have been asking an important question: does an insurance policy provide coverage for these
BIPA lawsuits?
What Is BIPA?
BIPA establishes safeguards and procedures relating to the retention, collection, disclosure, and
destruction of biometric data.[3] Passed in October 2008, BIPA is intended to protect a person’s unique
biological traits: the data encompassed in someone’s fingerprint, voice print, retinal scan, or facial
geometry. Given the sensitivity of this information[4] – unlike a stolen credit card, there is no replacing
or reissuing your fingerprint – BIPA provides a private right of action for “[a]ny person aggrieved by a
violation of this Act . . . .”[5]
The Exclusion Game
BIPA establishes that “individuals possess a right to privacy in and control over their biometric
identifiers and biometric information.”[6] A lawsuit asserting a violation of this right to privacy therefore
falls within the “personal and advertising injury” provision of an insurance policy, triggering coverage.[7]
That much is clear. Indeed, it is all but uncontested that the underlying BIPA lawsuits at issue “allege
‘personal and advertising injury.’”[8] Instead, the issue is whether a policy exception unambiguously
applies to preclude coverage.[9]
As of December 2023, there was no clear answer to this question, as the federal district courts had
reached conflicting decisions on this important issue,[10] even as to the same named insured.[11] This
all changed with Visual Pak.
BIPA coverage litigation has centered around three specific policy exclusions:
- Statutory Violation Exclusion
- Employment-Related Practices Exclusion
- Access or Disclosure Exclusion
Remarkably, the federal courts had failed to reach uniformity with respect to any of these exclusions.
Each separate exclusion found cases in support and against coverage. Visual Pak has now resolved this.
The Statutory Violation Exclusion
Certain statutes are well-known for spawning litigation. To that end, insurers have noted their
unwillingness to insure against such claims. In a typical policy, the Statutory Violation exclusion would
mean the insurance did not apply to any injury arising out of a violation of:
p. Recording And Distribution Of Material Or Information In Violation Of Law
Personal and advertising injury arising directly or indirectly out of any action or omission that
violates or is alleged to violate:
(1) The Telephone Consumer Protection Act (TCPA), including any amendment of or addition to such
law;
(2) The CAN-SPAM Act of 2003, including any amendment of or addition to such law;
(3) The Fair Credit Reporting Act (FCRA), and any amendment of or addition to such law, including the
Fair and Accurate Credit Transactions Act (FACTA); or
(4) Any federal, state or local statute, ordinance or regulation, other than the TCPA, CAN-SPAM Act of
2003 or FCRA and their amendments and additions, that addresses, prohibits, or limits the printing,
dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of
material or information.[12]
In Krishna, the Illinois Supreme Court reviewed a “very similar” exclusion and found the BIPA statute
was not “a statute of the same kind as the TCPA and the CAN-SPAM Act,” since the Act does not
regulate methods of communication.[13]
For those courts finding the Statutory Violation exclusion does not apply, BIPA is simply not the same
kind of statute as the TCPA, the CAN-SPAM Act, or the FCRA.[14] These statutes regulate methods of
communication (the TCPA and CAN-SPAM) and the use of materials (the FCRA).[15] BIPA, by contrast,
“regulates the collection, use, storage, and retention of biometric identifiers and information.”[16] At
best, it is unclear whether BIPA is sufficiently similar to the listed statutes; at worst, it is different in
kind.[17] For those courts finding the Statutory Violation exclusion does apply, BIPA “is of the same
kind, character and nature as the enumerated statutes” because all the statutes “protect and govern
privacy interests in personal information.”[18]
In Visual Pak, the First District Court of Appeals found the exclusion language before it was broader
than that found in the Krishna case.[19] The Visual Pak court also noted that it was “simply impossible
to deny that it [the statutory violation exclusion] describes BIPA.”[20] On this issue, the Illinois Court of
Appeals disagreed with the Seventh Circuit’s decision in Wynndalco, finding the federal court had given
“too little credit to the reasonable person purchasing this business liability policy.”[21] All of the
statutes listed in the exclusion dealt with issues of personal privacy, which meant “an underlying
lawsuit alleging a violation of BIPA would fall under the catchall phrase of the violation-of-law
exclusion” found in paragraph 4.[22]
Exclusions for Employment-Related Practices and Access or Disclosure
In light of this ruling, the Visual Pak court declined to address either the Employment-Related Practices
Exclusion or the Access or Disclosure Exclusion. Thus, the Appellate Court affirmed the Circuit Court’s
decision finding the insurer had no duty to defend its insured in the underlying BIPA lawsuit.[23]
An Appealing Resolution
Visual Pak offers some needed clarity within the insurance coverage realm, particularly with so many
conflicting decisions on each exclusion. The Illinois Supreme Court has granted several Petitions for
Leave to Appeal surrounding the BIPA statute. The Visual Pak case may also find its way to Illinois’s
highest court.
[1] See, e.g., Vance v. Microsoft Corp., 534 F. Supp. 3d 1301 (W.D. Wash. 2021).
[2] See Zellmer v. Facebook, Inc., No. 3:18-CV-01880-JD, 2022 WL 976981, at *1 (N.D. Cal. Mar. 31, 2022)
(noting the $650 million settlement in favor of Illinois Facebook users).
[3] 740 ILCS 14/15.
[4] 740 ILCS 14/5(c).
[5] 740 ILCS 14/20.
[6] Rosenbach v. Six Flags Ent. Corp., 2019 IL 123186, ¶33.
[7] Citizens Ins. Co. of Am. v. Thermoflex Waukegan, LLC, No. 20-CV-05980 JFK, 2022 WL 602534, at *4
(N.D. Ill. Mar. 1, 2022).
[8] Nat’l Fire Ins. Co. of Hartford & Cont’l Ins. Co. v. Visual Pak Co., Inc., 2023 IL App (1st) 221160, ¶40;
Thermoflex Waukegan, LLC v. Mitsui Sumitomo Ins. USA, Inc., No. 21-CV-788 JZL, 2022 WL 954603, at *3
(N.D. Ill. Mar. 30, 2022).