On January 1, 2020, the landmark California Consumer Privacy Act (CCPA) will go into effect.  The CCPA introduces new rights for California residents and requires companies that do business in the state of California to implement structural changes to their privacy programs. [1]

California’s regulatory scheme is the latest such regime for companies to navigate, following a landscape that includes the General Data Protection Regulation (GDPR) in Europe, the Illinois Biometric Information Privacy Act (BIPA), and other state regulatory regimes.   The march of privacy legislation will continue as a New York Privacy Act was recently introduced and dueling federal privacy bills have been introduced in Congress.[2]

Illinois was the first U.S. state to introduce such a regime and court decisions regarding the proper interpretation of BIPA, as well as insurance coverage for BIPA damages are now being litigated.

Currently, research has revealed three pending BIPA insurance coverage litigations.  The disputes in these cases, outlined below, may provide guidance to risk managers, brokers, in-house counsel, and other corporate stakeholders and decisionmakers purchasing insurance coverage for commercial policyholders subject to the CCPA.  A fuller discussion of our findings can be found here.

Zurich American Insurance Co. et al. v. Omnicell Inc., et al.

In Omnicell, a hospital required its employees to scan their fingerprints in order to access stored materials (e.g., medications).  The hospital then shared the fingerprint data with health care technology firm Omnicell Inc.  The insurers filed a declaratory judgment action in the Northern District of California for a declaration that it has no obligation under a Commercial General Liability (CGL) policy to defend the technology company against the hospital employees’ class action against the technology company.   The insurer seems to be relying on variations of the Recording and Distribution of Material or Information in Violation of Law exclusion.[3]  The case had been stayed pending the outcome of the underlying BIPA class action but was recently lifted in November.

Axis Insurance Co. v. All Will County Auto Parts and Wreckers, Inc., et al.

In All Will County, an auto parts shop required its customers to scan their fingerprints in order to transact business.  The insurer filed a declaratory judgment action in Illinois state court for a declaration that it has no duty under a CGL policy to defend or indemnify the policyholders against customer claims.  The insurer alleges that the underlying complaint does not allege “personal and advertising injury” and cites to the Recording and Distribution of Material or Information in Violation of Law exclusion.  The Complaint was just filed in September.

Church Mutual Insurance Co. v. Triad Senior Living, Inc., et al.

In Triad Senior Living, a senior living center required its employees to scan their fingerprints for timekeeping purposes.  The insurer filed a declaratory judgment action in the Northern District of Illinois against a senior living center and the plaintiff in the underlying suit against the center for a declaration under a Commercial Multiple Peril (CMP) policy that the insurer was not obligated to defend or indemnify the center or the underlying plaintiff.  The CMP policy contained several coverages, in addition to general liability coverage, such as: Employment Practices Liability (EPL); Directors, Officers and Trustees (DOT), and; Senior Living Facility Professional Liability Coverage.  In seeking to avoid its coverage obligations, the insurer asserted a number of exclusions including the Recording and Distribution of Material or Information in Violation of Law exclusion.

[1] https://fortune.com/2019/09/13/what-is-ccpa-compliance-california-data-privacy-law/

[2] https://www.wired.com/story/new-york-privacy-act-bolder/https://www.govinfosecurity.com/gop-federal-privacy-bill-would-supersede-ccpa-a-13468

[3] Injury – either “bodily injury” and “property damage” or “personal and advertising injury” or both – arising directly or indirectly out of any action or omission that violates or is alleged to violate any federal, state or local statute, ordinance or regulation, other than the TCPA, CAN-SPAM Act of 2003 or FCRA and their amendments and additions, that addresses, prohibits or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.