Illinois Supreme Court: Insurer Must Defend Tanning Salon from Biometric Privacy Lawsuit
An insurer must defend a tanning salon from a class-action lawsuit that accuses it of violating Illinois’ unique biometric privacy law by sharing copies of its customers’ fingerprints with a vendor, the Illinois Supreme Court ruled Thursday.
In a 6-1 decision, the high court rejected West Bend Mutual Insurance Co.’s argument that any damages caused by the alleged violation of statute were excluded by the policy it issued to Krishna Schaumburg Tan, or that the salon’s actions were not covered.
The carrier argued there was no coverage because the policy protected the insured only for injuries caused by a “publication.” The Supreme Court’s majority opinion says that the term has more than one meaning and any ambiguity has to be construed in favor of the policyholder.
“A publication occurs when information is shared with a single party,” the court said.
Similarly, the high court found that the policy exclusions were unclear.
The Illinois legislature passed the Biometric Information Privacy Act in 2008, making the state the first in the nation to regulate collection of biometric identifiers such as fingerprints, retinas, facial contours or voice imprints. Washington and Texas passed similar laws, but Illinois is the only state that allows private individuals to file a lawsuit for damages caused by a violation.
Individuals can collect their actual damages or up to $1,000 for each violation, or up to $5,000 for reckless violations, according to an analysis by the Skadden, Arps, Slate, Meagher & Flom law firm. In 2019, the Illinois supreme Court ruled that individuals may sue even if they suffered no harm other than the loss of control of their biometric data.
Violations of biometric privacy have brought several high-profile settlements. TikTok, the video-sharing app, in February proposed $92 million settlement in a class action litigation filed in multiple jurisdictions, according to an article in the National Law Review. Also in February, Shutterfly announced that it had agreed in principle to settle litigation, for an undisclosed amount, that was spawned by allegations that its facial-recognition software had loaded photos of people’s faces regardless of whether they were registered users.
Klaudia Sekura filed a lawsuit against Krishna Schaumburg Tan alleging that the L.A. Tan franchisee had violated the biometric privacy law by sharing her fingerprints with Sun Lync, a third-party vendor. The Buffalo, N.Y.-based company markets a “kiosk” software that allows customers to check themselves into a tanning booth without interacting with a staff member. The lawsuit seeks to add as plaintiffs all other customers whose fingerprints were shared with others without a written release.
West Bend filed a declamatory action seeking a judgment that there was no claim because Sekura did not allege that she was harmed by a “publication.” Krishna’s policy included coverage for “personal injury” including “advertising injury, but it defined that to mean
“publication of material that violates a person’s right of privacy.”
There can be no publication, the insurer argued, unless information was disseminated to the public.
What’s more, West Bend argued that the policy excluded coverage for any injury “arising out of the willful violation of a penal statute or ordinance committed by or with the consent of the insured. An endorsement to the policy also specifically excluded from coverage injury caused by violations of the the Telephone Consumer Protection Act, the Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003 or any other law that prohibits the distribution of material or information.
The trial court didn’t buy those arguments and neither did the Court of Appeals. West Bend took its case to the final stop, but the Supreme Court ruled that the policy exclusions were ambiguous.
The majority agreed with the Court of Appeals that the violation-of-statutes exclusion was intended to bar coverage for injuries caused by certain kinds of communication, such as e-mails, faxes and phone calls. The two laws mentioned in the endorsement both govern those specific forms of communication. The state’s biometric privacy act, on the other hand, doesn’t regulate methods of communication but regulates the collection, use, storage and safeguarding of biometric identifiers.
The majority opinion cites a legal principle that holds when specific words are used, they indicate the meaning of more general terms.
“Accordingly, we hold that West Bend has a duty to defend Krishna against Sekura’s lawsuit,” the opinion says.