Over the past several years, commercial use of biometric data has become increasingly prevalent. In response, several states have adopted biometric data privacy legislation. Consequently, companies that rely on biometric data face new regulatory risks, in addition to increased legal exposure to individual and class action lawsuits. In fact, the Ninth Circuit Court of Appeals recently affirmed certification of a class action alleging Facebook’s face-scanning practices violate Illinois’ biometric privacy law, finding that the class alleged sufficiently concrete injuries based on Facebook’s alleged use of facial recognition technology without users’ consent to establish standing. Insurance policies currently available on the market, including cyber insurance policies, may not adequately cover these risks. Therefore, companies collecting, utilizing, maintaining, distributing, and/or destroying biometric data should review their policies carefully to determine changes could be made to address potential coverage gaps.