New state biometric privacy laws highlight the role of insurance
By Peter Halprin and Tae Andrews, attorneys with Pasich LLP
While July 1st will be the beginning of summer vacation for some, it will mark the beginning of an era of heightened scrutiny of biometric data privacy practices for others, because new statutes governing biometric data will go into effect on that date in Connecticut and Colorado.
As readers of Biometric Update know, these new laws join a growing number of states which have enacted similar legislation to combat the theft of biometric data. In putting forth its legislation, the Colorado legislature explained that the compromise of such data “can have devastating impacts ranging from financial fraud, identity theft, and unnecessary costs in personal time and finances to destruction of property, harassment, reputational damage, emotional distress, and physical harm.”
In parallel with these developments, recent insurance coverage rulings in relation to Illinois’s Biometric Information Privacy Act (BIPA) have reinforced the fact that insurance can play a critical role in minimizing the financial impact of biometric privacy-related liability.
The Connecticut Data Privacy Act (the “Connecticut Law”) becomes effective on July 1, 2023. The Connecticut Law provides several rights, including the right to: (1) confirm whether consumer personal data is being processed or accessed; (2) correct inaccuracies in personal data; (3) delete personal data; (4) obtain copies of processed personal data; and (5) opt out.
With regard to biometrics, the Connecticut Law prohibits companies from processing biometric data without first obtaining consumer consent. The Connecticut Law also requires companies to create a way for consumers to easily revoke their consent, and upon revocation of such consent, to stop processing their biometric data.
Finally, the Connecticut Law gives the attorney general sole authority to enforce violations. Unlike BIPA, the Connecticut Law does not create a private right of action for violations.
The Colorado Privacy Act (the “Colorado Law”), which is part of the Colorado Consumer Protection Act, also becomes effective on July 1, 2023. The Colorado legislature passed the Law to “empower consumers to protect their privacy and require companies to be responsible custodians of data as they continue to innovate[.]”
The Colorado Law: (a) creates a consumer right to access, correct, and delete their personal data and the right to opt out; (b) implements transparency requirements stating that companies must provide clear and understandable information to consumers about how their personal data is used and requires companies to safeguard personal data; and (c) authorizes the attorney general and district attorneys to impose liability for past violations and enjoin future violations.
With regard to biometrics, the Colorado Law also prohibits the processing of consumers’ biometric data without first obtaining their consent. The Law also prohibits the processing of biometric data without first conducting and documenting a data protection assessment, because the compromise of biometric data presents a “heightened risk of harm” to consumers.
Unlike BIPA, the Colorado Law does not authorize a private right of action for violations.
As a starting point, many different kinds of insurance can cover biometric-data claims, including cyber, Directors & Officers (D&O), Errors & Omissions (E&O), Employment Practices Liability (EPL), General Liability (GL), and Technology E&O.
While the Connecticut and Colorado Laws do not provide a private cause of action, that does not mean that companies are free from potential liability. In one high-profile enforcement action brought under a similar statute, Texas’s attorney general filed suit against Google, alleging violations of Texas’s Capture or Use of Biometric Identifier (CUBI) law in the capturing and possessing of Texans’ biometric identifiers each time a photo or video was taken on Android devices, uploaded to Google Photos, and then processed by Google’s face-grouping technology. As the Texas lawsuit shows, enforcement actions under the Colorado and Connecticut Laws will likely be similarly newsworthy, will likely be brought on behalf of large numbers of consumers, and could involve significant liability.
As such, privacy professionals should work with their in-house lawyers and risk managers, as well as their brokers and insurers, to obtain insurance coverage that broadly covers both public and private actions.
This is just the tip of the iceberg. For companies that utilize biometric data, having the proper insurance coverage in place will become more important than ever, as a growing number of states continue to pass similar laws. Utah’s Privacy Act, which goes into effect at the end of the year, is next.
About the authors
Peter A. Halprin is a Partner in Pasich LLP’s New York office. Peter represents commercial policyholders in complex insurance coverage matters with a focus on recovery strategies in relation to cyber breaches and cyber crime, COVID-19 and natural disasters, professional services, regulatory investigations and class actions, and technology disputes. He can be contacted at PHalprin@PasichLLP.com.
Tae Andrews is a Senior Managing Associate in Pasich LLP’s New York office. Tae has recovered hundreds of millions of dollars for corporate policyholders in coverage disputes with their insurance companies. He can be contacted at TAndrews@PasichLLP.com.
Biometric Update’s Industry Insights are submitted content. The views expressed in this post are those of the author, and don’t necessarily reflect the views of Biometric Update.