by Craig D. Hasenbalg
On February 3, 2022, the Illinois Supreme Court decided that employees can sue their employers for allegedly violating the Biometric Information Privacy Act (“BIPA”) (740 ILCS 14/1 et seq.)—even despite the Workers’ Compensation Act’s limits on employee claims. As a result, employers should vigilantly ensure compliance with BIPA.
The Illinois legislature recognizes that, unlike other identifiers like a social security number, biometric information is unique to an individual and cannot be changed if compromised. So, the General Assembly found that regulation of the collection and use of biometric information is a strong public concern and subsequently enacted BIPA.
In a nutshell, BIPA requires private entities—like employers—in possession of a biometric identifier (e.g., retina/iris scans, fingerprints, voiceprints, or scans of face or hand geometry) to develop a written policy that establishes how long that biometric information will be kept and eventually destroyed. Additionally, private entities must inform individuals that their biometric information is being collected and tell them why. Significantly, private entities also have to receive written release for collecting the information from the subject.
BIPA also restricts entities from (1) collecting biometric information (2) selling, leasing, trading, or (3) profiting off of the information or otherwise disclosing the information without the consent of the subject. Some exceptions exist if the disclosure is required by law or pursuant to a warrant or subpoena.
In McDonald v. Symphony Bronzeville Park, LLC, plaintiff Marquita McDonald alleged that her employer (Bronzeville) violated BIPA by using a finger-print scanning system to track employees’ time without providing its employees with the opportunity to consent to the system. 2022 IL 126511. McDonald further alleged that she and her fellow employees had never been informed of the purpose or length of time for which the information would be stored. She subsequently filed a class action lawsuit against Bronzeville claiming that it had violated its employees’ rights to privacy under BIPA.
Bronzeville creatively argued that McDonald’s claims were barred by Illinois’ Workers Compensation Act because her alleged injury occurred in the course of her employment and therefore needed to be adjudicated before the Illinois Workers’ Compensation Commission.
The Workers’ Compensation Act represents a compromise between employers and employees. On one hand, it provides a remedy for employees who suffer an accidental injury at work. Specifically, employers are liable for any on-the-job injury—with or without fault—so employees can receive prompt compensation without the expense and time of litigation. On the other hand, damages are awarded based on a pre-determined fee schedule, and employees are prohibited from bringing other lawsuits against the employer. The latter feature is found in Sections 5(a) and 11 of the Compensation Act, which are known as its “exclusivity provisions.”
Importantly, the exclusivity provisions are not absolute. An employee is not barred from suing their employer if they can prove that the injury was not accidental, did not arise from their employment, was not received during the course of employment, or was not compensable under the Compensation Act.
Ultimately, the Illinois Supreme Court decided that the Compensation Act did not preclude McDonald’s BIPA claim for at least two reasons.
First, the purpose of the Compensation Act is to provide financial assistance to injured employees until they can return to work. The injuries that the Act covers, therefore, are those that impact an employee’s capacity to perform their work-related duties. The type of injury is critical; it must be one that diminishes an employee’s earning power. The type of injury to one’s privacy (as recognized under BIPA) is different from the physical or psychological harms that workers’ compensation is designed to remedy. Thus, a BIPA violation is not an injury that is compensable under the Compensation Act. As a result, an employee’s BIPA claim is not precluded by the Compensation Act’s exclusivity provisions.
Second, BIPA was enacted after the Compensation Act and its language evinces the legislature’s intent that it provide a remedy for employees. As a rule, later statutes supersede earlier ones, giving BIPA the final word over the Compensation Act. BIPA defines the “written release” that collectors of biometric information are required to obtain as “written consent or, in the context of employment, a release executed by an employee as a condition of employment.” The legislature was clearly aware that BIPA violations might arise in the context of employment and intended for employees to have a remedy.
Moving forward, employers must be aware that employees can sue them under BIPA notwithstanding the Compensation Act’s exclusivity provisions. Employers should therefore take care to comply with BIPA when they collect and use employees’ biometric identifiers.