This is a tooltip for the edit command button

Daniel A. Cotter, Esq.

Dickinson Wright PLLC

(312) 423-8170

DCotter@dickinson-wright.com

View Profile

Journals - VOL 35 - Summer 2024 Edition

IPAS - MORE BREWING IN ILLINOIS

Share this page

As noted previously, the Chicago area has numerous craft breweries, many of whom make amazing India pale ales, or IPAs. One of those breweries, Lagunitas, recently announced that it was closing its taproom in Chicago to return to its California origins for brewing.[1] But in addition to the changing landscape of breweries, including Goose Island moving after thirty-five years to a new location, the landscape for IPA laws in Illinois appears to be changing some. In the Spring 2024 FORC Journal,[2] we wrote about the Genetic Information Privacy Act[3] and other information privacy acts brewing in Illinois. The Spring 2024 article was a follow up and update to the Spring 2023 FORC Journal,[4] and Spring 2021 FORC Journal,[5] where we provided information on emerging issues related to the 2008 law that the Illinois legislature passed, the Illinois Biometric Information Privacy Act (“BIPA”).[6] BIPA regulates the “collection, use, safeguarding, handling, storage, retention and destruction of biometric identifiers and information.”[7]

The number of suits filed under BIPA continues to grow, although as we write in this article, there have been some positive developments that might lead to the suits being less attractive in the future. Another statute, the Personal Information Privacy Act (“PIPA”),[8] became effective January 1, 2006. The law requires “data collectors” that own or licenses personal information for any Illinois resident to notify the Illinois resident if there has been any breach in the data collectors computer systems. No private cause of action exists under PIPA.

In the legislative session recently concluded, the Illinois legislature passed amendments to BIPA that could have a major impact on the value of these cases moving forward. The courts also have been sorting out insurance coverage issues under BIPA. This article addresses these IPA developments continue brewing.

Download PDF
(Adobe PDF File)

In this issue...

IPAS - MORE BREWING IN ILLINOIS

Posted on 8/28/2024

A Reminder of the Exposure Facing Violators of BIPA

In two cases issued in 2023, the Supreme Court of Illinois weighed in on how BIPA was to be interpreted and applied.

The first case that addressed BIPA liability and magnitude by the Supreme Court of Illinois was Cothron v. White Castle, No. 128004,[9] which was issued on February 17, 2023. In a 4-3 decision, the court held:

“We hold that a separate claim accrues under the Act each time a private entity scans or transmits an individual’s biometric identifier or information in violation of section 15(b) or 15(d).”[10]

In dissent, Justice Overstreet, joined by Chief Justice Thies and Justice Holder White, wrote in part:

“This court should answer the certified question by saying that a claim accrues under section 15(b) or 15(d) of the Act (id. § 15(b), (d)) only upon the first scan or transmission.”[11]

As we discuss in the next section, the dissent was influential on the Illinois legislature.[12]

The second case that the Illinois Supreme Court heard and decided in 2023 that had significant impact on the exposure of BIPA suits was Tims v. Black Horse Carriers, heard on September 22, 2022. In Tims, the court decided what statute of limitations applies for various provisions of BIPA. The appellate court held that there is a 1-year statute of limitations for alleged violations of Sections 15(c) and (d) of BIPA, as they involve publication, and a 5 year statute of limitations for alleged violations of Sections (a), (b), and (e) of BIPA.[13]

At the supreme court, the defendant argued that 735 ILCS 5/13-201 that states "actions for slander, libel or for publication" does not require publication for it to apply because BIPA uses the word "for" which he contended means "relates to or concerns" publication. The plaintiff countered they have not alleged publication and the five-year catchall and not the one statute of limitations for publications applies to all claims under BIPA.

On February 2, 2023, the Illinois Supreme Court held that the five-year provision was the appropriate statute of limitations.[14] The court held, “For the following reasons, we find that the five-year limitations period contained in section 13-205 of the Code governs claims under the Act.”[15]

These decisions result in a large exposure for anyone collecting biometric information in Illinois that does not have consent or does not have policies published. Insurers continue to look at how to address BIPA claims in their various coverages.

The Legislature Acts

In the most recent legislative session, the Illinois legislature passed major amendments to BIPA and the Cothron each instance analysis. For those not familiar with Illinois and its government, it is a very blue state. The governor and attorney general are democrats. In the Illinois House, the democrats hold a 78-40 supermajority, and in the Illinois Senate, it is a supermajority of 40-19. With those makeups, some were surprised when SB2979 passed as easily as it did. But SB2979[16] passed. Like Overstreet’s dissent, the bill makes the following changes to occurrences under BIPA:

(b) For purposes of subsection (b) of Section 15, a private entity that, in more than one instance, collects, captures, purchases, receives through trade, or otherwise obtains the same biometric identifier or biometric information from the same person using the same method of collection in violation of subsection (b) of Section 15 has committed a single violation of subsection (b) of Section 15 for which the aggrieved person is entitled to, at most, one recovery under this Section.

(c) For purposes of subsection (d) of Section 15, a private entity that, in more than one instance, discloses, rediscloses, or otherwise disseminates the same biometric identifier or biometric information from the same person to the same recipient using the same method of collection in violation of subsection (d) of Section 15 has committed a single violation of subsection (d) of Section 15 for which the aggrieved person is entitled to, at most, one recovery under this Section regardless of the number of times the private entity disclosed, redisclosed, or otherwise disseminated the same biometric identifier or biometric information of the same person to the same recipient.[17]

In addition to these major changes, the amendments make clear that consent can be obtained via electronic signature.

The bill is on Governor J.B. Pritzker’s desk for signature, and he is expected to sign the bill into law. The next challenge will be if this can be applied retroactively, and some plaintiffs might challenge the narrowing of remedies afforded. We will update with any major developments.

Insurance Developments

In addition to the major developments in the area of exposure to alleged violators under BIPA, in recent months, the federal and Illinois state courts have been addressing issues of insurance coverage for BIPA-related claims.

The issue is not a new one for Illinois. As we addressed in previous FORC articles, in West Bend Mutual Ins. Co. v. Krishna Schaumburg Tan. Inc.,[18] an Illinois appellate court in a case of first impression affirmed the grant of summary judgment in favor of the insured and held that the underlying complaint sufficiently alleged “publication” to trigger the duty to defend a BIPA claim, and that the exclusion for statutory violations that mentioned the TCPA, and the Can-Spam Act (but not BIPA) did not apply. The appellate court also found: “In short, the violation of statutes exclusion applies to bar coverage to violations of statutes that regulate methods of communication. The Act says nothing about methods of communication. It instead regulates ‘the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.’ 740 ILCS 14/5(g).”[19]

The Illinois Supreme Court affirmed the appellate court.[20] The court held that allegations of BIPA were a covered “publication” under the policy because the term was ambiguous and construed it against the insurer: “We find, based on our review of dictionaries, treatises, and the Restatement, that the term ‘publication’ has at least two definitions and means both the communication of information to a single party and the communication of information to the public at large.”[21]

The court also found “that [underlying plaintiff’s] assertion that [underlying defendant] shared her biometric identifiers and information with [a third-party vendor] alleges a potential violation of [underlying plaintiff’s] right to privacy within the purview of West Bend’s policies.”[22]

The court also looked at the “Violation of Statutes Exclusion” and found that based on the specific language, it did not bar coverage.[23] The court found:

Applying the doctrine of ejusdem generis, we construe the ‘other than’ language to mean other statutes of the same general kind that regulate methods of communication like the TCPA and the CAN-SPAM Act. Therefore, since the Act is not a statute of the same kind as the TCPA and the CAN-SPAM Act and since the Act does not regulate methods of communication, the violation of statutes exclusion does not apply to the Act.[24]

In light of this decision, insurers reviewed their violation of statutes exclusions and other language of their policies in light of this Illinois Supreme Court decision.

In a decision that was surprising in its magnitude, a jury in the federal court found BIPA coverage against BNSF Railway Co. On October 12, 2022, the jury returned a verdict in Rogers v. BNSF Railway Co.[25] After one hour of deliberating, the jury rejected various arguments proffered by BNSF and found BNSF liable for approximately 45,600 reckless or intentional violations of BIPA and awarded the class $228 million in statutory damages.[26] The case recently settled for $75 million.[27]

Cases such as BNSF have caused some insurers “to exclude BIPA claims from coverage — in their cyber, employment practices liability or commercial general liability policies.”[28]

Recently, courts have weighed in on the exclusions.

In Citizens Ins. Co. of America v. Wynndalco,[29] the 7th U.S. Circuit Court of Appeals held that a specific statutes exclusion with a catchall clause in a commercial general liability policy was ambiguous because it stripped away coverage for violation of all manner of statutes. The underlying case involved facial recognition software sold to the Chicago Police Department. The court held there was a duty to defend the underlying lawsuit.

In December, the Illinois Appellate Court, 1st District, in National Fire Insurance Company of Hartford v. Visual Pak Company,[30] held the 7th Circuit predicted wrong on the issue. The court wrote:

“The underlying lawsuit here concerns BIPA. Liability for a BIPA violation is unambiguously excluded from coverage. We thus respectfully disagree with the Seventh Circuit’s decision in Wynndalco and hold that the CNA plaintiffs owed no duty to defend the underlying BIPA lawsuit.”[31]

The court also stated: “We cannot agree with the Seventh Circuit’s analysis. We do not find it to be an accurate reflection of Illinois law.”[32]

Unfortunately, the Illinois Supreme Court rejected the petition for leave to appeal, so we don’t know how that court ultimately will come out on the issue.

In January, the 7th Circuit heard another case, Thermoflex Waukegan, LLC v. Mitsui Sumitomo Insurance USA,[33] involving the same issue it addressed in Wynndalco. In the district court, ambiguity was found, leading to a finding in favor of coverage. In its decision issued in June 2024, the 7^th Circuit differentiated its decision in Wynndalco and the decision of the Illinois Appellate Court in Visual Pak, based upon disparate policy language, holding that there was no coverage under a primary or excess policy, but held that there was coverage under an umbrella policy, following the Illinois Supreme Court precedent of Krishna, subject to exhaustion of another underlying policy.

Specifically, the court found that a person’s biometric identifiers, such as handprints, are considered “nonpublic information” within the meaning of the exclusion and thus held that the Access or Disclosure exclusion bars coverage and vitiates an insurer’s duty to defend.

Recently, before the 7^th Circuit decided Thermoflex, U.S. District Judge Jorge L. Alonso of the Northern District of Illinois issued an opinion and order in Citizens Ins. Co. of America v. Mullins Food Products.[34] Alonso noted:

“At the time Wynndalco was decided, neither the Illinois Appellate Court nor Illinois Supreme Court had addressed a violation-of-law exclusion with language identical to the Distribution of Material in Violation of Statutes Exclusion or the Recording and Distribution Exclusion and whether they apply to BIPA. On December 19, 2023, the Illinois Appellate Court considered the Recording and Distribution Exclusion in Visual Pak and distinguished it from the Distribution of Material in Violation of Statutes Exclusion, disagreeing with Wynndalco’s application of Illinois law.”[35]

He then held:

“The Court finds that the Recording and Distribution Exclusion at issue here is materially distinguishable from the exclusion at issue in Wynndalco and that Visual Pak best represents how the Illinois Supreme Court would decide whether the Recording and Distribution Exclusion includes violations of BIPA. The Court does not base its conclusion on any disagreements raised by the Visual Pak court with Wynndalco’s application of Illinois law. Rather, the Court’s interpretation of the Recording and Distribution Exclusion that is at issue here is consistent with the reasoning and holding of the Wynndalco opinion.”[36]

With respect to the second exclusion, Alonso held, “Even if the Recording and Distribution Exclusion does not apply, the Court reconsiders its prior ruling on the Access Or Disclosure Of Confidential Or Personal Information Exclusion and finds that it applies to preclude coverage for the Galan Lawsuit.”

The 7th Circuit likely will see this case. In addition, while the Illinois Supreme Court has not granted any petition for leave to appeal in this area, we would expect it to take a case in the near future, given the importance of the issue and to definitively weigh in on how these exclusions apply to BIPA claims. Time will tell if the Illinois Supreme Court will hold similar to the appellate decision in Visual Pack. Litigation around this area is likely to continue.

One thing that has taken place is that there have been amendments to the ISO language on statutory exclusions. Specifically, item 4 was amended and modified to specifically recite federal, state and local laws and regulations:

(4) Any federal, state, or local statute, ordinance or regulation, other than the TCPA, CAN-SPAM Act of 2003 or FCRA and their amendments and additions, that addresses, prohibits, or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating, or distribution of material or information.

The intent was to capture laws such as BIPA within its reach.

Conclusion

The legislative changes awaiting the governor’s signature are likely to impact the future of putative class actions involving BIPA, but the question is a developing one. As important, the ways in which the courts interpreting BIPA are coming out on BIPA insurance coverage or lack thereof looks to have some potential promise for the industry. However, given the Illinois Supreme Court has not weighed in on the recent developments, the question has not been finally addressed. Insurers should continue to monitor developments and consider implementing language and processes to better their ability to exclude BIPA claims from coverage under various insurance policies. For some time, the IPA known as BIPA will continue to brew.

References

4867-6835-0923 v1 [99998-4344]

[1] See Selvam, Ashok, Eater Chicago, “Lagunitas Closes Chicago Taproom to Move Brewing Operations Back to California,” May 23, 2024, available at https://chicago.eater.com/2024/5/23/24163451/lagunitas-brewing-chicago-closing.

[2] FORC Journal - Vol. 35 Edition 1 - Spring 2024, available at https://www.forc.org/Public/Journals/2024/VOL_35_Spring_2024_Edition.aspx.

[3] The Genetic Information Privacy Act, 410 ILCS 513/1 et seq. (1998).

[4] FORC Journal - Vol. 34 Edition 1 - Spring 2023, available at https://forc.org/Public/Journals/2023/Articles/Spring/Vol34Ed1Article1.aspx.

[5] FORC Journal - Vol. 32 Edition 1 - Spring 2021, available at https://www.forc.org/Public/Journals/2021/VOL_32_Spring_2021_Edition.aspx

[6] The Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (2008).

[7] 740 ILCS 14/5 (g).

[8] The Person Information Privacy Act, 815 ILCS 530/1 et seq. (2006).

[9] Cothron v. White Castle System, Inc., 2023 IL 128004.

[10] Id at ¶ 1.

[11] Id at ¶ 48.

[12] One often sees debates about justices of highest courts, whether of the United States or a state’s highest courts, dissenting and to whom they speak. Sometimes that is more obvious than others, but occasionally, the branch of government that can make changes, the legislature, takes note.

[13] Tims v. Black Horse Carriers, Inc., 2021 IL App (1st) 200563.

[14] Tims v. Black Horse Carriers, Inc., 2023 IL 127801.

[15] Id at ¶ 5

[16] SB2979, at https://www.ilga.gov/legislation/BillStatus.asp?DocNum=2979&GAID=17&DocTypeID=SB&LegId=152094&SessionID=112&GA=103.

[17] Id.

[18] West Bend Mutual Ins. Co. v. Krishna Schaumburg Tan. Inc., 2020 IL App (1st) 191834.

[19] Id.

[20] West Bend Mutual Ins. Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978.

[21] Id.

[22] Id.

[23] Id.

[24] Id at ¶ 59.

[25] Rogers v. BNSF Railway Co., ECF 225, No. 1:19-cv-03083 (N.D. Ill. October 12, 2022).

[26] See Rogers v. BNSF Railway Co., ECF 225, No 1:19-cv-03083 (N.D. Ill. Oct. 12, 2022).

[27] See Rogers v. BNSF Railway Company Settlement Website at https://bnsfbipaclassaction.com/.

[28] Judy Griswold, Business Insurance, “Biometric privacy award sparks reactions in insurance market,” November 1, 2022, available at https://www.businessinsurance.com/article/20221101/NEWS06/912353435/Biometric-privacy-award-sparks-reactions-in-insurance-market (quoting Cotter: “’We’re going to see more and more policies be very specific’ insofar as exclusions for biometric-related privacy information are concerned”).

[29] Citizens Insurance Company of America v. Wynndalco Enterprises, LLC, No. 22-2313 (7th Cir. 2023).

[30] National Fire Insurance v. Visual Pak Company, 2023 Il App (1^st) 221160.

[31] Id.

[32] Id.

[33] Thermoflex Waukegan, LLC v. Mitsui Sumitomo Insurance USA, Nos. 23-1521 & 23-1578 (7^th Cir. 2024).

[34] Citizens Ins. Co. of America v. Mullins Food Products, No. 22-cv-1334 (N.D.Ill. February 27, 2024).

[35] Id.

[36] Id.