Illinois’ leading statutory framework regulating the collection, use, and storage of biometric identifiers—the Illinois Biometric Information Privacy Act (BIPA)—continues to shape the risk landscape for employers and businesses with ties to Illinois.
Even after BIPA’s 2024 amendments aimed at reducing the damages available under BIPA, BIPA exposures persist. Companies facing BIPA exposure in the form of lawsuits or demands often turn to their liability insurers for help. A recent spate of BIPA insurance coverage lawsuits offers timely guidance for policyholders navigating these evolving risks.
Insurance Coverage for BIPA Exposures
Enacted in 2008, BIPA sets out requirements for the collection, use, and storage of biometric identifiers such as fingerprints, hand scans, and facial geometry. Policyholders have traditionally looked to commercial general liability (CGL) policies for coverage when sued under BIPA, but insurers have increasingly denied claims based on policy exclusions.
Although the availability and scope of coverage varies between different insurers, forms, and endorsements, CGL insurers have largely relied on three exclusions to deny coverage:
- Access/Disclosure Exclusion: Bars coverage for losses involving access to or disclosure of confidential or personal
- Statutory Exclusion: Bars coverage for losses arising from statutes that restrict the collection of material or
- Employment-Related Practices Exclusion: Bars coverage for losses arising from certain employment-related
Historically, Illinois state and federal courts have split on how to interpret these exclusions. Outcomes have turned on, among other things, the policy language, the forum, and the governing law.
Developments in BIPA Insurance Coverage Caselaw
Illinois federal courts have recently clarified the landscape with four decisions favoring insurers.
In Sentinel Insurance Company v. Majestic Auto Glass, 2026 WL 663820 (N.D. Ill. Mar. 10, 2026), the Northern District of Illinois, citing recent Seventh Circuit precedent, held that an access/disclosure exclusion applied to a BIPA claim and unequivocally barred coverage.
A few months earlier, the Northern District of Illinois in JJM Group Limited v. West Bend Mutual Insurance Company, 2025 WL 3267286 (N.D. Ill. Nov. 21, 2025), likewise found the exclusion unambiguous as applied to a BIPA claim about the collection of fingerprints and the use of those fingerprints for commercial purposes. The court also held that related “non-BIPA claims” were not covered because they either fell outside the policy’s definitions of bodily injury, property damage, or professional liability, or arose from the same conduct excluded by the access/disclosure exclusion, resulting in no duty to defend.
Similarly, in Harleysville Lake States Insurance Company v. Thermoflex Waukegan, 2025 WL 2778458 (N.D. Ill. Sept. 30, 2025), the court—recognizing the rapidly developing law surrounding BIPA claims—enforced the access/disclosure exclusion in a 2017 policy as applied to a policyholder’s BIPA claims about an employer’s practice of requiring temporary workers to use their handprints to clock in and out of work. Yet because the exclusion was not present in the 2015 and 2016 policies, Harleysville was required to defend the policyholder in those policy years.
Finally, the Southern District of Illinois in Phoenix Insurance Company v. Ackercamps.com, 805 F. Supp. 3d 901 (S.D. Ill. 2025) found it “free from doubt” that the access/disclosure exclusion barred coverage for BIPA claims, holding the exclusion unambiguous and applicable to the alleged collection and storage of biometric information through facial recognition software.
Although most recent decisions have favored insurers, a notable exception is Thornley v. Citizens Insurance Company of America, 2026 WL 851407 (N.D. Ill. Mar. 28, 2026), where the Northern District of Illinois denied the insurer’s motion for judgment on the pleadings in a coverage dispute over a $20 million BIPA class action settlement. While the court agreed that the access/disclosure exclusion applied to the underlying claims, it found that judgment on the pleadings was improper because there were genuine disputes of material fact about whether the insurer was barred from relying on that exclusion under the mend-the-hold and waiver doctrines.
The court found a triable mend-the-hold issue because the insurer first denied coverage on one ground and only invoked the access/disclosure exclusion after its initial defense failed, despite knowing about the exclusion earlier. That prior knowledge and inaction created factual questions about unfair surprise and prejudice. The court also found a triable issue on waiver, since the insurer’s long delay in raising the exclusion and use of only a general reservation of rights could amount to relinquishing its ability to rely on that defense. As a result, both doctrines precluded judgment for the insurer at the pleadings stage.
Practice Pointers for Policyholders
These recent decisions underscore the importance of a proactive approach to insurance and risk management for organizations facing BIPA exposure. With Illinois federal courts generally favoring insurers on exclusion issues, policyholders should consider the following practical steps to protect their interests:
- Review Policies for Specific Exclusionary Language: Not every CGL policy contains an access/disclosure exclusion. Even among those that do, wording can vary. Carefully check all policy years and
- Assess All Insurance Lines, Not Just CGL: While most BIPA coverage litigation to date has focused on CGL policies, policyholders should avoid the trap of looking only to CGL policies for Biometric privacy risks may also trigger coverage under D&O, cyber, technology E&O, or other specialty policies, so it’s essential to review all available insurance lines holistically to identify potential coverage and address any gaps.
- Consider Choice of Law: BIPA is an Illinois statute, but Illinois law doesn’t automatically govern the interpretation of every insurance policy. If another state’s law applies, existing Illinois precedent may not control the outcome.
- Consider Related Non-BIPA Claims: Derivative privacy or consumer protection claims may implicate broad exclusions, but every lawsuit is different. Evaluate whether any claims fall outside the exclusion or trigger other policy obligations—such as negligence or improper disclosure claims not tied to BIPA. The presence of non-BIPA claims is critical because, under Illinois law, insurers can only avoid their duty to defend if it is “clear and free from doubt” that an exclusion applies to every claim in the lawsuit—otherwise, the insurer must provide a 4220 Kildare v. Regent Ins., 171 N.E.3d 957, 966 (Ill. App. Ct. 2020).
- Consider Process-Related Defenses to Preserve Coverage: While insurers may rely on a variety of exclusions to limit or eliminate coverage for BIPA claims, they face a high burden to enforce exclusions. As shown in the Thornley case above, the process employed by an insurer in investigating and handling the submitted claim can lead to arguments like waiver, estoppel, or mend-the-hold to prevent insurers from relying on late-raised exclusions or defenses. The application of these doctrines turns on state law and the specific facts of each When faced with a lengthy reservation of rights or denial letter, policyholders should consult experienced coverage counsel to assess their options and preserve available arguments for coverage.
As Illinois courts continue to enforce BIPA exclusions, policyholders face a shifting and often challenging coverage landscape. Staying ahead requires not only careful policy review, but also a proactive and coordinated approach to risk management. By working closely with experienced brokers and knowledgeable coverage counsel, organizations can better identify coverage opportunities, address potential gaps, and adapt their strategies to the evolving realities of biometric privacy law. In this environment, thoughtful preparation and collaboration are key to protecting against emerging biometric risks.
Reprinted with permission from the May 7, 2026 issue of Legaltech News. 2026 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.
