The landscape of biometric privacy litigation already has changed dramatically in 2023. Last month, the Illinois Supreme Court ruled in Tims v. Black Horse Carriers, Inc., 2023 IL 127801, that claims for violations of the Illinois Biometric Information Privacy Act (BIPA) (which allows individuals to sue companies directly for the wrongful collection or disclosure of their biometric data) are subject to a five-year statute of limitations. Later that month, in Cothron v. White Castle System, Inc., 2023 IL 128004, the court ruled that a BIPA violation accrues each time an individual’s data is improperly collected or shared, not merely the first time. Taken together, these rulings significantly broaden the scope of claims facing companies that have violated BIPA and the damages flowing from such violations.
In recognition of the dystopian risks presented by the rampant, unlawful sharing of biometric data, several more states are jumping on Illinois’ bandwagon, attempting to pass BIPA-like laws. According to Bloomberg, legislation proposed in nine other states also would grant a private right of action to individuals whose biometric data was wrongly collected or shared.
Despite the growing threat of civil litigation related to the mishandling of biometric data, there is a silver lining for corporate policyholders: the opportunity to obtain insurance coverage for biometric privacy liability has never been greater.