State Privacy Laws Have Teeth

In 2008, Illinois passed the Biometric Information Privacy Act to grant consumers privacy protections for collected biometric information. It requires written consent be gotten before information is shared with outside parties. A 2019 Illinois Supreme Court decision held that a simple technical violation of the law imposes statutory penalties. No proof of actual injury or damages is necessary to state a claim for a private cause of action.

In a more recent case, a tanning salon collected a member’s fingerprint for use as a biometric key to give access. It shared the fingerprint with a third-party vendor without first getting written consent. The court held the sharing was a publication and could be considered a personal injury

Why This Is Important... This is the beginning of a wave of state laws affecting privacy. They can create litigation and damages for businesses performing what would normally be thought to be regular business operations. More importantly, you should expect that business owner insurance policies and business general liability policies will exclude liability for these claims until the market adapts. It is important to stay on top of these developments.