How can businesses manage risks with heightening scrutiny around biometric data privacy?
Author: Kenneth Araullo
Original article here.
A surge in class action lawsuits focused on biometric data is sweeping across the United States, with privacy violations at the core of the claims. These lawsuits primarily revolve around allegations that companies have improperly collected, used, or stored individuals’ biometric information, such as fingerprints, facial recognition data, and voiceprints, without their consent.
In 2022, the Texas Attorney General initiated a high-profile case against Meta, alleging violations of Texas' Capture or Use of Biometric Identifier Act 2009 (CUBI). The case culminated in a $1.4 billion settlement in July 2024, marking the largest biometric data settlement to date.
According to Clyde & Co partners Rosehana Amin and Meghan Dalton, this landmark settlement has critical implications for the insurance sector and its clients, particularly concerning coverage for privacy-related claims and effective risk management.
Historically, Illinois has been the epicentre of biometric data litigation, largely due to its Biometric Information Privacy Act 2008 (BIPA) and the Genetic Information Privacy Act 1998 (GIPA). However, this trend has started to spread to other states, with significant implications for various industries, including insurance.
The Meta data privacy lawsuit and its implications
The lawsuit against Meta began in February 2022, with the Texas Attorney General alleging that Meta had breached CUBI by unlawfully collecting biometric data from Facebook users. The focus of the claim was Meta’s facial recognition tool, introduced in 2010, which allowed users to tag friends in photos and videos automatically. This tool was also integrated into the Facebook app "Moments," designed to help users organize and share photos.
Meta discontinued the facial recognition feature in November 2021, following a federal court’s approval of a $650 million settlement related to similar privacy violations in California. Despite this, the Texas Attorney General pursued the case, eventually securing a record-breaking $1.4 billion settlement.
Amin and Dalton note that this outcome is significant not only because of its scale but also because it signals a shift towards more aggressive enforcement of biometric data laws outside Illinois.
As of now, Meta has paid out over $2 billion in total to resolve various biometric privacy claims, highlighting the growing financial risks companies face in this area.
The Texas settlement is part of a broader trend of increasing litigation related to biometric data. For example, a putative class action was filed in Illinois against Ready Player Me on July 16, 2024. This platform, which enables users to create personalised digital avatars by scanning their facial geometry, is accused of violating BIPA by collecting and using biometric data without obtaining the required informed consent from users.
This lawsuit could involve up to 20,000 potential class members, underscoring the potential scale of these actions. Interestingly, the case was filed just weeks before Illinois amended BIPA on 2 August 2024, a move that could limit future damages by capping the amount of statutory damages available per person.
However, the partners pointed out that this legislative change is unlikely to apply retroactively, meaning the current suit against Ready Player Me could still result in significant financial penalties.
Another notable case is the class action against Google, filed in Illinois in April 2020. The lawsuit alleges that Google violated both state and federal privacy laws by collecting biometric data from students through its "G Suite for Education" platform, preloaded on Chromebooks distributed to schools across the country.
Despite Google’s attempts to dismiss the case, the court denied the motion in April 2022, leading to a mediation process that resulted in a settlement in July 2024. The details of this settlement have not yet been disclosed.
Managing risks for data privacy
The rising number of biometric data lawsuits presents new challenges for insurers, particularly those offering general public liability coverage. Policies, including Bermuda Form policies, often include provisions for privacy-related liabilities, which means that insurers may face an increasing number of claims as litigation in this area grows.
Amin and Dalton advise insurers and other businesses to closely monitor developments in the biometric data space and regularly review policy wordings to ensure they are adequately protected against the evolving landscape of privacy-related claims. With the legal landscape around biometric data continuing to evolve, insurers must remain vigilant to safeguard against potential liabilities.
As these cases demonstrate, the intersection of technology, privacy, and insurance is becoming increasingly complex, requiring careful consideration from all stakeholders involved.