The fingerprints of the federal courts are all over Biometric Information Privacy Act (BIPA) jurisprudence, and Illinois state courts may want to change that. A recent Illinois Appellate Court decision disagreed with a prominent Seventh Circuit decision, potentially altering the future of BIPA litigation in the insurance context.

In July 2023, the Seventh Circuit decided Citizens Insurance Company of America v. Wynndalco Enterprises, apparently settling a split among district courts on how liability insurance contracts should be read in conjunction with BIPA.^[1] Only a few months later, in December 2023, the Illinois Appellate Court decided National Fire Insurance Company of Hartford v. Visual Pak Company, finding in no uncertain terms that Wynndalco was “wrongly decided” by the Seventh Circuit and it was “not… an accurate reflection of Illinois law.”^[2]

Questions abound, awaiting potential resolution by the Illinois Supreme Court. A petition for leave to appeal in Visual Pak was filed in mid-February and is currently pending.

• The core issue in both Wynndalco and Visual Pak deals with the interpretation of “violation-of-statute exclusions” in the context of BIPA. How are future courts going to square Wynndalco and Visual Pak on this issue?
• The rationale in Visual Pak may also provide an answer to another disputed question in BIPA insurance litigation. Do “access and disclosure” exclusions exclude BIPA claims from coverage?

This article discusses the (1) basics of BIPA and (2) its application to insurance and a survey of caselaw on how BIPA may be excluded from insurance coverage by (a) violation-of-statute exclusions and (b) access and disclosure exclusions. In addition to summarizing the caselaw, this article engages with outstanding questions about the future of BIPA insurance litigation.

1. What is BIPA?

The Illinois Biometric Information Privacy Act (BIPA) is a state privacy law restricting the collection, use, and retention of biometric information. Under the act, “biometric identifier” means “retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry,” and “biometric information” means “any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual.” BIPA requires, among other things, that private entities provide notice and obtain consent before they collect biometric data, implement publicly available retention and destruction schedules, and not disclose biometric data except in limited circumstances.

BIPA is on the cutting edge of state biometric regulation, in part because it is the first statute of its type to include a private right of action.^[3]

BIPA entitles “aggrieved” plaintiffs, including class plaintiffs, to statutory damages.^[4] BIPA has a private right of action and provides that those affected by negligent violations of the Act are entitled to $1,000 in damages per violation. In Rosenbach v. Six Flags Entertainment, the Illinois Supreme Court clarified that a “violation [of BIPA] constitutes an invasion, impairment, or denial of the statutory rights” and therefore that a plaintiff need not show any actual injury beyond a violation of the statute to recover statutory damages. The Illinois Supreme Court later held, in Cothron v. White Castle System, Inc., that plaintiffs who use biometric technologies repeatedly can recover statutory damages for each collection or disclosure in violation of the statute.

The statutory damages provision, as interpreted by Rosenbach and Cothron, gives plaintiffs’ lawyers a significant financial incentive to bring suits for BIPA violations. BIPA class actions continue to proliferate in Illinois and nationwide.

2. BIPA and insurance

Since BIPA has the potential to create large judgments (or large class settlements) in class actions, questions abound about when insurers are obligated to indemnify policyholders who are sued under BIPA. Many cases interpret different types of liability policy exclusions as they apply to BIPA.

Under Illinois law, policy terms that carve exclusions of coverage are construed in favor of coverage, but only when the terms are ambiguous or susceptible to more than one reasonable interpretation.^[5] In other words, “[t]o the extent that there is any ambiguity, the tie goes to the insured.”^[6] If a policyholder makes an initial showing of coverage, the insurer must “affirmatively establish” that a policy exclusion applies in a manner “clear and free from doubt.”^[7]

Two common questions in the caselaw are unresolved:

• Two Illinois state court decisions—the West Bend decision from the Illinois Supreme Court and the Visual Pak decision from the Illinois Appellate Court—interpret when a violation-of-statute exclusion excludes BIPA litigation from coverage. Numerous federal court cases exist between the goalposts of West Bend and Visual Pak, often disagreeing about whether BIPA cases are excluded by similar violation-of-statute exclusions. The future of this commonly litigated issue is unclear.
• Federal courts are also split on whether an access and disclosure exclusion excludes BIPA claims. Access and disclosure exclusions typically bar coverage for injuries arising out of the access to or disclosure of a person’s or entity’s “confidential or personal information,” but go on to list, as examples of types of information that are dissimilar to the biometric data protected by BIPA, such as patents, trade secrets, financial data, and so on. Federal courts disagree in their interpretation of this language, and Illinois state courts have not directly considered this issue.

Many federal courts have engaged with BIPA insurance coverage questions, often disagreeing with each other. Visual Pak, the recent Illinois Appellate Court decision, will be a persuasive authority as federal courts address these issues in the future.

A. When is BIPA excluded from coverage by a violation-of-statute exclusion?

The Illinois Supreme Court considered whether a BIPA case fell under a violation-of-statute exclusion in West Bend Mutual Insurance Company v. Krishna Schaumburg Tan, Inc.^[8] In that case, customers at a tanning salon had their fingerprints taken and later shared with a third-party. The policy at issue excluded coverage when the insured violated the Telephone Consumer Protection Act (TCPA), the CAN-SPAM Act of 2003, or any law “that prohibits or limits the sending, transmitting, communication or distribution of material or information.” The insurers argued that BIPA should be excluded under this provision. However, the court reasoned that the TCPA and CAN-SPAM Act were limitations on the methods by which information is conveyed, and the catch-all provision was meant to capture similar limitations. BIPA, by contrast, constrains the usage and dissemination of a particular type of information for privacy reasons.

Numerous subsequent federal cases dealing with similar policy language apply the holding of West Bend.^[9]

But how far does West Bend go? Interpretive trouble arises when cases consider violation-of-statute exclusions that cite more statutes than just TCPA and the CAN-SPAM Act. In Citizens Insurance v. Wynndalco, the Seventh Circuit considered if a BIPA claim fell under a violation-of-statute exclusion that cited the TCPA, CAN-SPAM Act, the Fair Credit Reporting Act (FCRA), and the Fair and Accurate Credit Transactions Act (FACTA). The violation-of-statutes clause at issue also excluded from coverage violations of “[a]ny other laws… that address, prohibit or limit the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.”

Before reaching the Seventh Circuit, this formulation of a violation-of-statutes exclusion had divided federal district courts. For example, in Thermoflex Waukegan, LLC v. Mitsui Sumitomo Ins. USA, Inc., a district court found for the policyholder that BIPA case was covered by policy.^[10] The other hand, in State Auto Property and Casualty Insurance Company v. Fruit Fusion, Inc., another district court found for the insurer that BIPA case was excluded from policy coverage, reading the same policy language.^[11]

In Wynndalco, the Seventh Circuit temporarily settled this confusion. The court found this exclusion to be ambiguous in its application to BIPA, leaving the insurer on the hook for coverage. The Seventh Circuit first emphasized the broadness of the plain text—specifically the phrase “any other laws” that address the use of information, finding that, for example, intellectual property laws appear to be captured by this definition. Since the policy elsewhere appeared to be inconsistent with this language, it gave rise to ambiguity. Next, the court turned to methods of statutory construction that use context to interpret a generic phrase. While the court acknowledged that West Bend contained “comparable exclusionary policy language,” it discussed numerous distinctions between the cases. One key distinction is how the policy in Wynndalco points to FCRA and FACTA, two statutes that do not deal with “methods of communication” like TCPA and CAN-SPAM. The collection of these statutes with different purposes makes ambiguous what should be properly included in the catch-all provision. The insurers argued that this distinction, making the exclusion broader than that in West Bend, should mean that BIPA claims are excluded from coverage. However, the court disagreed, finding that the broadness of the exclusion rendered it ambiguous, and therefore must be construed in favor of coverage.

The Wynndalco decision from the Seventh Circuit was swiftly met with disagreement from the Illinois Appellate Court. Five months later, in National Fire Insurance Company of Hartford v. Visual Pak Company, Inc., the Illinois Appellate Court was “obviously not bound by a federal court's interpretation of Illinois law,” and found that near-identical policy language excluded BIPA from coverage. The court emphasized a plain-text reading of the policy, noting that “if we merely isolated this catchall language, it is simply impossible to deny that it describes BIPA.” Turning next to the interpretive methods that involved reading the catch-all provision in context, the court reasoned that such methods serve to guide courts and are not an “inexorable command that must always result in limiting the general terms by virtue of the specific ones that precede it.” In addition, the court reasoned that the four relevant statutes: TCPA, CAN-SPAM, FCRA and FACTA, all dealt with protecting personal privacy, which was a “reasonable limiting construction.” Therefore, even when applying these interpretive methods, BIPA was still properly part of the exclusion.

Courts must now square Wynndalco and Visual Pak. One case, Citizens Insurance Company of America v. Mullins Food Products, Inc. engaged with the same violation-of-statute exclusion’s application to BIPA in the wake of the Wynndalco and Visual Pak decisions.^[12] The Mullins Food litigation answered this same question twice. Before the Visual Pak decision came down, the court ruled that Wynndalco “directly controls, and is dispositive of, the parties’ dispute,” finding that the insurer was liable due to ambiguity in the terms.^[13] After Visual Pak, the insurer moved for reconsideration. In its reconsideration opinion, the court noted that a district court is bound by rulings of a state’s highest court on matters of state law, and that if the highest court has no rulings on the issue “the decisions of a state's intermediate appellate courts are considered the best indicia of state law.” With that in mind, the court reversed its previous opinion, finding that the insurer owed no duty to indemnify or defend the policyholder in the pending BIPA case. The court’s rationale was precisely in line with Visual Pak.

The Mullins Food court pointed to one key distinguishing factor between Wynndalco and Visual Pak. In Wynndalco, the violation-of-statute provision appeared in a section of the policy entitled “Distribution of Material in Violation of Statutes” while in Visual Pak, the provision appeared in a section entitled “Recording And Distribution Of Material Or Information In Violation Of Law.” The Visual Pak court also noted this difference, and discussed how it was potentially material.

It stands to reason that future federal court cases will mirror Mullins Food, giving more credence to the interpretation in Visual Pak than that in Wynndalco.

Will federal courts be willing to distinguish Visual Pak in cases with different facts? The distinction between Wynndalco and Visual Pak that Mullins Food points to—the difference in titles of the sections in which the violation-of-statutes exclusion appears—could potentially come into play in future disputes. If a federal court were to encounter a case with facts precisely identical to Wynndalco, it may follow the Wynndalco holding, noting this distinction. But, of course, the strong language that Visual Pak uses as it disagrees with most of the rationale in Wynndalco cannot be overlooked, and district courts may give less weight to the distinction in an attempt to adhere to the law from the Illinois Appellate Court.

It doesn’t end with section titles: as future cases arise, the courts will no doubt consider other policies that differ—at least in small ways—from the one in Visual Pak. But again, it is hard to know how willing federal courts will be to distinguish Visual Pak when rendering their decisions.

B. When is BIPA excluded from coverage in access and disclosure exclusions?

It is also unsettled whether BIPA claims fit within liability policy exclusions relating to the access and disclosure of information. Numerous district court cases consider whether the same policy language excludes BIPA from coverage, and the cases are split on their conclusion. A typical access and disclosure exclusion might exclude:

“Personal and advertising injury” arising out of any access to or disclosure of any person's or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.”^[14]

Some cases find that biometric data is “confidential or personal information” under this provision, and therefore excluded from coverage. In Continental Western Insurance Company v. Cheese Merchants of America, LLC, the court considered if the listed examples had the effect of excluding coverage for a BIPA case relating to fingerprint data. The court was clear that the presence of those examples “does not limit the scope of the preceding text. ‘Including’ does not mean ‘including only.’ The list is illustrative, not exhaustive.”^[15] In American Family Mutual, Insurance Company, S.I. v. Carnagio Enterprises, Inc. the court found that the list of examples had no “readily identifiable common thread” and that fingerprint data could easily be construed as part of the provision.^[16]

Other cases read this language, and specifically its list of examples, and find that fingerprints are not clearly “confidential or personal information,” making the insurer liable. Citizens Insurance Company of America v. Thermoflex Waukegan, LLC finds fingerprints are not clearly part of the exception’s language.^[17] It notes that BIPA distinguishes biometric identifiers like fingerprints from “confidential and sensitive information” in its own text and emphasizes that ambiguity in interpretation should be resolved in the favor of coverage. American Family Mutual Insurance Company v. Caremel, Inc. notes that the list of examples contains mostly “intellectual property” and “financial information,” and the only arguable category under which fingerprints fall—"health information”—is not a good fit.^[18] Again, noting that ambiguities are resolved in favor of coverage, the court finds that fingerprints are not captured by the language of the exclusion.

Recently, the Wynndalco and Visual Pak decisions have impacted how courts interpret this question. Shortly after Wynndalco, courts applied its rationale to this context. In Society Insurance v. Cermak Produce No. 11, Inc., the court found that the access and disclosure provision at issue was “intractably ambiguous,” like the violation-of-statutes exclusion was in Wynndalco.^[19] The Mullins Food court also used Wynndalco to guide its analysis on this issue, first looking to the plain meaning of the text and finding that it would include fingerprints before turning to interpretive methods that read the text in context. After considering the list of examples, the court found that the language was too broad to be given effect. The court noted that ambiguity should be interpreted in favor of coverage and found for the policyholder.

However, after Visual Pak, courts may reconsider this line of thinking. Visual Pak deals only with a violation-of-statute exclusion, but its interpretive methods may also be applied when construing this access and disclosure exclusion.

The Mullins Food court reconsidered its analysis on the access and disclosure exclusion in its reconsideration opinion after the Visual Pak decision was rendered. The court noted that the Visual Pak court was clear that, just because an exclusion has a “broad sweep,” it does not mean that it is unenforceable. An exclusion is only overbroad to the point of ambiguity if it “eviscerates all, or even nearly all” of the liabilities the policy was meant to cover. With this in mind the court found that, even though the exclusion is broad, it does not reach the level of breadth that creates ambiguity, therefore the court found that the BIPA claim was excluded from coverage. The federal court was so deferential to the Illinois Appellate Court’s opinion in Visual Pak that it applied its reasoning to a different exclusion.

The Mullins Food reconsideration opinion shows the potentially far-reaching implications of Visual Pak. Other district courts may follow the Mullins Food court, finding that the interpretive methods of Visual Pak should be applied to questions of all sorts in BIPA litigation, including this access and disclosure question.

3. Takeaways

We expect policy language to continue to evolve and for more policies to incorporate specific biometric information exclusions as litigation proliferates. Given the challenges in obtaining insurance that will reliably provide coverage for mishandling biometric data, companies that use biometric data need to be ever-vigilant about tracking and complying with the ever-increasing number of state laws.

Additionally, Visual Pak must be taken seriously when looking to the future of BIPA insurance litigation, both for violation-of-statutes exclusions but also for other potentially applicable exclusions. Most BIPA insurance cases dealing with policy exclusions follow the same interpretive steps. They all take policy language, read its facial meaning, then read its contextual meaning to see if a BIPA claim properly falls under it. The decision in Visual Pak finds that policy language excluding privacy claims from coverage broadly may be construed to exclude BIPA claims from coverage specifically. As seen in Mullins Food, this interpretive move has implications beyond the violations-of-statutes exclusion, and policyholders should be sensitive to other policy provisions that could unexpectedly limit coverage if read broadly.

Footnotes

[1] Citizens Ins. Co. of Am. v. Wynndalco Enterprises, LLC, 70 F.4th 987 (7th Cir. 2023).

[2] Nat'l Fire Ins. Co. of Hartford & Cont'l Ins. Co. v. Visual Pak Co., Inc., 2023 IL App (1st) 221160.

[3] See Philip N. Yannella, Cyber Litigation: Data Breach, Data Privacy & Digital Rights, § 16:1 (2024).

[4] See Rosenbach v. Six Flags Ent. Corp., 2019 IL 123186, 129 N.E.3d 1197.

[5] Hobbs v. Hartford Ins. Co. of the Midwest, 214 Ill. 2d 11, 823 N.E.2d 561 (2005).

[6] State Auto. Mut. Ins. Co. v. Tony's Finer Foods Enterprises, Inc., 589 F. Supp. 3d 919 (N.D. Ill. 2022).

[7] 4220 Kildare, LLC v. Regent Ins. Co., 2020 IL App (1st) 181840, 171 N.E.3d 957.

[8] 2020 IL App (1st) 191834, 166 N.E.3d 818, aff'd, 2021 IL 125978, 183 N.E.3d 47.

[9] See Am. Fam. Mut., Ins. Co., S.I. v. Carnagio Enterprises, Inc., No. 20 C 3665, 2022 WL 952533, at *6–7 (N.D. Ill. Mar. 30, 2022) (a violation-of-statute exclusion citing TCPA and CAN-SPAM was “nearly identical” to West Bend and the court followed West Bend’s holding with similar analysis); Am. Fam. Mut. Ins. Co. v. Caremel, Inc., No. 20 C 637, 2022 WL 79868 at *4 (N.D. Ill. Jan. 7, 2022) (the court followed West Bend on a violation-of-statute exclusion which was “virtually identical” to that in West Bend).

[10] No. 21 C 788, 2023 WL 319235 (N.D. Ill. Jan. 19, 2023).

[11] 631 F. Supp. 3d 638 (S.D. Ill. 2022).

[12] No. 22-CV-1334, 2024 WL 809111 (N.D. Ill. Feb. 27, 2024).

[13] No. 22-CV-1334, 2023 WL 4865006 (N.D. Ill. July 31, 2023).

[14] See e.g. Citizens Ins. Co. of Am. v. Mullins Food Prod., Inc., No. 22-CV-1334, 2023 WL 4865006 (N.D. Ill. July 31, 2023).

[15] 631 F. Supp. 3d 503 (N.D. Ill. 2022).

[16] No. 20 C 3665, 2022 WL 952533 (N.D. Ill. Mar. 30, 2022).

[17] 588 F. Supp. 3d 845 (N.D. Ill. 2022).

[18] No. 20 C 637, 2022 WL 79868 at *3 (N.D. Ill. Jan. 7, 2022).

[19] No. 21 CV 1510, 2023 WL 4817667 (N.D. Ill. July 27, 2023).

[View source.]