On February 3, the Illinois Supreme Court unanimously ruled in McDonald v. Symphony Bronzeville Park, LLC, 2022 IL 126511, that the exclusivity provisions of the Illinois Workers’ Compensation Act (WCA) do not preempt employees’ claims for statutory damages under the Illinois Biometric Information Privacy Act (BIPA).  The decision provides clarity for a number of similar lawsuits stayed in anticipation of the ruling from Illinois’ highest court and eliminates a key defense of defendant-employers hoping to stem the tide of BIPA litigation.

BIPA imposes restrictions on how private entities collect, retain, use, disclose, and destroy biometric identifiers (i.e., fingerprints, retinal or iris scans, voiceprints, or scans of hand or face geometry) or information based on such biometric identifiers used to identify an individual.  Among other obligations, before collecting such biometric data, covered entities must first notify the individual in writing and receive informed written consent via a “written release” of such collection or disclosure.

BIPA suits are often brought against employers who collect biometric data in the form of fingerprint scans, facial recognition software, and voiceprints in connection with timekeeping or security measures without obtaining the necessary consent.  However, in Illinois, the workers’ compensation process generally provides the exclusive means by which an employee can recover against an employer for a work-related injury.  This “exclusivity” requirement means that such injury claims are adjudicated before the Illinois Workers’ Compensation Commission rather than through a court.  Illinois courts have recognized several exceptions to the exclusivity provisions, including where the alleged injury is “not compensable” under the WCA.

In the case at hand, the plaintiff Marquita McDonald alleged that her employer Symphony Bronzeville Park LLC and several related entities violated BIPA by collecting employees’ fingerprints as part of their authentication and timekeeping systems without obtaining informed consent, as well as other BIPA requirements.  The defendants argued that because the plaintiff’s BIPA claims involve an injury that arose out of and in the course of her employment, the claims were barred by the WCA’s exclusivity provisions, and the issue ultimately made its way to the Illinois Supreme Court.

The Supreme Court sided with the plaintiff, holding that the WCA’s compensation scheme was created to address injuries that affect an employee’s capacity to perform employment-related duties and to provide financial protection for injured workers until they can return to the workforce.  The Court went on to explain that the “personal and societal injuries” allegedly sustained due to a BIPA violation are different in nature and scope from the physical and psychological work injuries that are compensable under the WCA.  Thus, because the plaintiff’s loss of the ability to maintain her privacy rights is not compensable under the WCA, her BIPA claims for statutory damages are not preempted by the WCA.

Although the Court recognized the “substantial potential liability” of class action BIPA lawsuits, it was not swayed by the argument that ruling in the plaintiff’s favor would “expose employers to potentially devastating class actions that can result in financial ruin” and deferred instead to the state legislature to determine “whether a different balance should be struck” under BIPA.

Attention now turns to other cases pending before the state’s highest court that will have further significant implications that could expose employers to potentially devastating class actions that could result in financial ruin, especially Cothron v. White Castle System, Inc.  In Cothron, the Seventh Circuit recently certified to the Illinois Supreme Court the question of whether BIPA claims accrue each separate time a defendant collects biometric information in violation of the statute or only at the first instance of collection.  With statutory damages ranging from $1,000 to $5,000 per violation, the ruling will have enormous impacts on employers who have been using biometric data technology with employees, especially if the practices have been occurring for years.

Given the potentially staggering amount of damages resulting from BIPA violations, companies should take care to both reevaluate the biometric data policies and procedures they currently have in place, as well as perform thorough company audits to determine whether any such collection is taking place that has not been fully considered.