FB pixel

New state biometric privacy laws highlight the role of insurance

New state biometric privacy laws highlight the role of insurance

By Peter Halprin and Tae Andrews, attorneys with Pasich LLP

While July 1st will be the beginning of summer vacation for some, it will mark the beginning of an era of heightened scrutiny of biometric data privacy practices for others.  The latter is due to the fact that new statutes governing biometric data will go into effect on that date in Connecticut and Colorado.

As readers of Biometric Update know, these new laws join a growing number of states which have enacted similar legislation to combat the theft of biometric data.  In putting forth its legislation, the Colorado legislature explained that the compromise of such data “can have devastating impacts ranging from financial fraud, identity theft, and unnecessary costs in personal time and finances to destruction of property, harassment, reputational damage, emotional distress, and physical harm.”

In parallel to these developments, recent insurance coverage rulings in relation to Illinois’s Biometric Information Privacy Act (BIPA) have reinforced the fact that insurance can play a critical role in minimizing the financial impact of biometric privacy related liability.


The Connecticut Data Privacy Act (the “Connecticut Law”) becomes effective on July 1, 2023.  The Connecticut Act provides several rights, including the right to: (1) confirm whether consumer personal data is being processed or accessed; (2) correct inaccuracies in personal data; (3) delete personal data; (4) obtain copies of processed personal data; and (5) opt out.

With regard to biometrics, the Connecticut Law prohibits companies from processing biometric data without first obtaining consumer consent.  The Connecticut Law also requires companies to create a way for consumers to easily revoke their consent, and upon revocation of such consent, to stop processing their biometric data.

Finally, the Connecticut Law gives the attorney general sole authority to enforce violations.  Unlike BIPA, the Connecticut Law does not create a private right of action for violations.


The Colorado Privacy Act  (the “Colorado Law”), which is part of the Colorado Consumer Protection Act, also becomes effective on July 1, 2023.  The Colorado legislature passed the Law to “empower consumers to protect their privacy and require companies to be responsible custodians of data as they continue to innovate[.]”

The Colorado Law: (a) creates a consumer right to access, correct, and delete their personal data and the right to opt out; (b) implements transparency requirements stating that companies must provide clear and understandable information to consumers about how their personal data is used and requires companies to safeguard personal data; and (c) authorizes the attorney general and district attorneys to impose liability for past violations and enjoin future violations.

With regard to biometrics, the Colorado Law also prohibits the processing of consumers’ biometric data without first obtaining their consent.  The Law also prohibits the processing of biometric data without first conducting and documenting a data protection assessment, because the compromise of biometric data presents a “heightened risk of harm” to consumers.

Unlike BIPA, the Colorado Law does not authorize a private right of action for violations.


As a starting point, many different kinds of insurance can cover biometric-data claims, including cyber, Directors & Officers (D&O), Errors & Omissions (E&O), Employment Practices Liability (EPL), General Liability (GL), and Technology E&O.

While the Connecticut and Colorado Laws do not provide a private cause of action, that does not mean that companies are free from potential liability.  In one high-profile enforcement action brought under a similar statute, Texas’s attorney general filed suit against Google, alleging violations of Texas’s Capture or Use of Biometric Identifier (CUBI) law in the capturing and possessing of Texans’ biometric identifiers each time a photo or video was taken on Android devices, uploaded to Google Photos, and then processed by Google’s face-grouping technology.  As the Texas lawsuit shows, similar enforcement actions under the Colorado and Connecticut Laws will likely be similarly newsworthy, brought on behalf of large numbers of consumers, and could involve significant liability.

As such, privacy professionals should work with their in-house lawyers and risk managers, as well as their brokers and insurers, to obtain insurance coverage that broadly covers both public and private actions.

Going forward

This is just the tip of the iceberg.  For companies that utilize biometric data, having the proper insurance coverage in place will become more important than ever, as a growing number of states continue to pass similar laws.  Utah’s Privacy Act, which goes into effect at the end of the year, is next.

About the author

Peter A. Halprin is a Partner in Pasich LLP’s New York office.  Peter represents commercial policyholders in complex insurance coverage matters with a focus on recovery strategies in relation to cyber breaches and cyber crime, COVID-19 and natural disasters, professional services, regulatory investigations and class actions, and technology disputes. He can be contacted at PHalprin@PasichLLP.com.

Tae Andrews is a Senior Managing Associate in Pasich LLP’s New York office. Tae has recovered hundreds of millions of dollars for corporate policyholders in coverage disputes with their insurance companies. He can be contacted at TAndrews@PasichLLP.com.

Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.

Article Topics

 |   |   |   |   | 

Latest Biometrics News


Smile ID surges past 150M identity verifications completed

Selfie biometrics provider Smile ID (formally Smile Identity) has achieved the completion of 150 million identity verifications – five months…


Incode age assurance gets stamp of approval from ACCS

Incode Technologies has announced that their Incode Identity Platform product has received certification under the Age Check Certification Scheme (ACCS)….


Arana launches police biometrics app for HID scanner

Arana Security has launched a new mobile app for mobile biometric fingerprint readers from HID used by law enforcement. The…


Fraud hammers online services, drives AI ambivalence

Fraud rates are spiking just like temperatures in many parts of the world. Global identity verification companies Sumsub, AuthenticID and…


Contractor distances self from biometric device failures in South Africa elections

A Johannesburg-based company, Ren-Form, which supplied biometric hardware to the Electoral Commission of South Africa (IEC) says it is not…


Online age verification requirements in US legislation raise thorny problems

More than a dozen bills have been introduced in the current U.S. Congress that, if enacted, would increase protections for…


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Read This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events