Illinois employers have been waiting for answers on two important questions regarding the Illinois Biometric Information Privacy Act (BIPA):

  1. Whether the Illinois Workers’ Compensation Act (the Compensation Act) preempts BIPA statutory damages, and
  2. Whether BIPA claims accrue each time a person’s biometric information is scanned or transmitted without informed consent–or just the first time.

The Illinois Supreme Court just answered one of those questions. On February 3, 2022, the Illinois Supreme Court ruled 7-0 in McDonald v. Symphony Bronzeville Park LLC  (2022 IL 126511) that the exclusivity provisions of the Compensation Act do not bar claims for statutory damages under BIPA. (See our prior Client Alert here for a refresher on BIPA.)

The Court’s Ruling

In reaching its ruling, the Court focused on the purpose of the Compensation Act, the differences in the types of injuries addressed by the Compensation Act and BIPA, and BIPA’s plain language.

The loss of the ability to maintain privacy rights is not a compensable injury under the Compensation Act

The case rested on the fourth exception to the Compensation Act’s exclusive remedy provision: whether the plaintiff’s and the putative class’s alleged injuries were “compensable” under (i.e. are covered by) the Compensation Act.

The Court said the purpose of the Compensation Act is to establish a balance by imposing no-fault liability upon the employer and statutory limitations upon the amount of an employee’s recovery when an employee is injured arising out of and in the course of employment. The Court emphasized that the Compensation Act is a remedial statute with the main purpose of providing financial protection for injured workers until they can return to the workforce, with a compensation schedule corresponding to death, injuries to specific body parts, and the inability to work-all injuries affecting an employee’s capacity to perform employment-related duties.

The Court found that injuries caused by violations of BIPA are instead personal and societal in nature, and drew a line between the loss of an individual’s ability to maintain privacy rights from the physical and psychological work injuries compensable under the Compensation Act, stressing that BIPA’s prophylactic measures prevent the compromise of an individual’s biometrics.

BIPA came later, recognized employment, and provided a private right of action

The Court also looked to the fact that BIPA postdates the Compensation Act, and in the text of BIPA itself, mentions its application in the employment context-but does not differentiate how non-employee and employee claims are treated, with one exception: permissible methods of obtaining consent before the collection of biometric data. BIPA defines the required precollection “written release” as “informed written consent” for non-employees, but in the employment context, “a release executed by an employee as a condition of employment.” (See 740 ILCS 14/10.) The Court found the legislature’s contemplation of the employment context and decision to grant to all BIPA plaintiffs-including employees-a private right of action to be further evidence that the legislature did not intend BIPA claims to go before the Workers’ Compensation Commission.

This is what the legislature intended

The defendant (and amici in support) highlighted several issues for the Court:

  • The Court’s construction means that Illinois employers will have greater protection against significant employee workplace injuries (whether physical, emotional, or mental), but no protection from workplace injuries stemming from technical BIPA violations
  • When workplace injuries can be cleverly characterized to evade the broad sweep of the Compensation Act’s exclusivity provisions, the protections provided to Illinois employers will quickly erode, and Illinois employers will face a flood of litigation
  • The Court’s decision will lead to financially ruinous class actions, and a patchwork landscape of varying results given rapidly evolving BIPA case law

The Court’s response: the legislature intended substantial consequences as a result of BIPA violations, and whether a different balance should be struck is for the legislature to decide.

The Next Big BIPA Question

Employers are still waiting on an answer of whether BIPA claims accrue each time a person’s biometric information is scanned or transmitted without informed consent, or just the first time. This question is teed up to be reviewed by the Illinois Supreme Court in Cothron v. White Castle System, Inc. On December 20, 2021, the Seventh Circuit certified the question to the Illinois Supreme Court to determine the issue of whether claims asserted under Sections 15(b) (collection of biometric data) and 15(d) (disclosure of biometric data) of BIPA accrue only once–when biometric data is initially collected or disclosed–or each time biometric data is collected or disclosed. Employers should watch for the Illinois Supreme Court’s decision in Cothron because the result could heavily impact a statute of limitations defense, as well as damages calculations under BIPA.

What Should Employers Do Now?

Courts across Illinois paused a plethora of BIPA lawsuits, waiting for the Illinois Supreme Court to weigh in on the question of whether BIPA damages were preempted by the Compensation Act. Those lawsuits will now move forward, and employers can expect employees with allegations of BIPA violations to be emboldened by the more lucrative damages under BIPA which will now definitively rule the day.

Illinois employers and businesses that collect or use biometric identifiers or biometric information should be sure to update and maintain policies and procedures to ensure unequivocal compliance with BIPA, including:

  • Drafting and communicating a clear written policy that describes the purpose and terms of the collection and storage of biometric information;
  • Notifying employees (and consumers) in writing before any biometric information is collected;
  • Obtaining written consent from the data subject; and
  • Making publicly available a written “retention schedule and guidelines” the company uses for permanently destroying biometric identifiers and biometric information within a certain time period.

(See our earlier posts on BIPA here, here, here and here.) For assistance preparing compliant policies, forms and practices, and to reduce your company’s risk of being subject to a BIPA action, contact your Baker McKenzie attorney.