How can businesses manage risks by carefully considering the privacy of biometric data?

An increase in class action lawsuits focusing on biometric data is sweeping across the United States, with privacy violations at the core of the claims. These lawsuits center on allegations that companies improperly collected, used, or stored an individual's biometric information, such as fingerprints, facial recognition data, and voiceprints, without their consent.

In 2022, the Texas Attorney General filed a superseding lawsuit against Meta, alleging violations of Texas' Capture or Use of Biometric Identifier Act of 2009 (CUBI). The case culminated in a $1.4 billion settlement in July 2024, marking the largest biometric data settlement to date.

According to Clyde & Co partners, Rosehana Amin and Meghan Dalton, this landmark agreement has significant implications for the insurance industry and its clients, particularly in terms of privacy claims and effective risk management.

Historically, Illinois has been a hotbed of biometric data litigation, mainly due to the Biometric Information Privacy Act of 2008 (BIPA) and the Genetic Information Privacy Act of 1998 (GIPA). However, this practice has started to spread to other states, which has a major impact on various industries, including insurance.

The case for Meta data privacy and its implications

The lawsuit against Meta began in February 2022, when the Texas Attorney General alleged that Meta violated CUBI by illegally collecting biometric data from Facebook users. The focus of the claim was Meta's facial recognition tool, introduced in 2010, which allowed users to automatically tag friends in photos and videos. The tool is also integrated with Facebook's “Moments” app, which is designed to help users organize and share photos.

Meta discontinued the facial recognition feature in November 2021, following a federal court's approval of a $650 million settlement related to a similar privacy breach in California. Despite this, the Texas Attorney General pursued the case, eventually obtaining a record-breaking $1.4 billion settlement.

Amin and Dalton note that this result is important not only because of its scale but also because it indicates a shift toward stronger use of biometric data laws outside of Illinois.

To date, Meta has paid more than $2 billion to settle various biometric privacy claims, highlighting the growing financial risks companies face in this area.

The Texas settlement is part of a broader trend of growing lawsuits related to biometric data. For example, a class-action lawsuit was filed in Illinois against Ready Player Me on July 16, 2024. The platform, which allows users to create personalized digital avatars by scanning facial geometry, is accused of violating BIPA by collecting and using biometric data to obtain consent. information required for users.

The lawsuit could involve up to 20,000 class members, underscoring the potential size of these actions. Interestingly, the lawsuit was filed just weeks before Illinois amended BIPA on August 2, 2024, a move that would limit future damages by capping the amount of statutory damages available to individuals.

However, our partners pointed out that this change in the law is unlikely to apply retroactively, meaning that the current case against Ready Player Me could still result in significant financial penalties.

Another notable lawsuit is a class action against Google, which was filed in Illinois in April 2020. The lawsuit alleges that Google violated state and federal privacy laws by collecting biometric data from students through its “G Suite for Education” platform, which is preloaded on Chromebooks. distributed to schools throughout the country.

Despite Google's efforts to dismiss the case, the court dismissed the request in April 2022, leading to an arbitration proceeding that led to a settlement in July 2024. The details of this agreement have not been disclosed.

Managing data privacy risks

The growing number of biometric data cases brings new challenges to insurers, especially those that provide general public liability. Policies, including Bermuda Form policies, often include privacy-related liability provisions, meaning that insurers may face an increasing number of claims as cases develop in this area.

Amin and Dalton advise insurers and other businesses to closely monitor developments in the biometric data space and review policy wording regularly to ensure they are adequately protected against the changing landscape of privacy-related claims. As the legal landscape surrounding biometric data continues to evolve, insurers must remain vigilant to protect against potential liabilities.

As these cases show, the intersection of technology, privacy, and insurance is becoming increasingly complex, requiring careful consideration by all stakeholders involved.

What are your thoughts on this matter? Please feel free to share your comments below.