The Illinois Biometric Information Protection Act (BIPA) has been in effect since 2008, but enforcement was relatively rare until 2015. Since then, a variety of enforcement actions have taken place, with the most recent being this $4 million settlement of a class action lawsuit filed against Lemonade, a New York City-based insurance company that offered insurance to Illinois residents.
In May 2022, Lemonade Insurance Company reached a $4 million settlement to end a lawsuit that claimed the company collected, stored, analyzed and used the biometric data of thousands of its customers without authorization or consent. The plaintiffs in the case were policyholders with the company, which offers renters’, homeowners’, car, pet, and term life insurance to clients. Lemonade is a tech-based disruptor in the insurance industry, and as a registered public benefit corporation, its mission is to “transform insurance from a necessary evil into a social good.”
Biometric data, which documents unique personal characteristics, such as fingerprints, voiceprints, retinal images, or facial geometry, can be used to validate an individual’s identity. Lemonade tweeted about how it used biometric data, in this case facial recognition technology, to detect potential fraud. However, the company’s data privacy statement stated that it would not collect, require, sell, or share users’ biometric data.
The class action suit covered Lemonade policyholders who unwittingly provided their biometric data in the course of submitting video explanations of their insurance claims as required by the company between 2019 and 2021. Lemonade did not obtain written consent or make required disclosures relating to their use of biometric information derived from the videos.
Multiple lawsuits fall into this class action settlement. In addition to BIPA violations in Illinois, plaintiffs claimed Lemonade violated New York, California, and other state laws governing biometric data.
Of the $4 million settlement, $3 million is earmarked for approximately 5,000 Illinois residents whose facial data was collected without written consent. The remaining $1 million would go to approximately 110,000 policyholders in other states. Lemonade also agreed to delete all previously collected biometric information and/or biometric identifiers from all members of the class action suit, and that if it starts collecting biometric information again in the future, it will comply with BIPA and all other applicable laws.
BIPA and other laws regulating specific subsets of personal information highlight why it is critical for businesses to include data privacy early on when reviewing vendors or new processes. Relying on biometric data and technology can be a great step towards efficiency and accuracy for businesses but can result in the exact opposite is not properly vetted. Further, and frustrating for companies facing BIPA lawsuits, is that the requirements surrounding consent, reasonable security controls, retention, and a process to delete the applicable data are not cumbersome to implement. Operating from a data retention and classification schedule will ensure biometric data is accounted for and any applicable laws are complied with prior to going live.
State Laws
Biometric information is just one type of data that organizations must account for in their data retention policies. Learn about BIPA, which governs biometric data, as well as other data retention regulations in the Exterro whitepaper, Navigating Regulatory Requirements with Effective Data Retention.
Download the PDF version of this Data Privacy Alert here.