Biometric Privacy Claims Not Barred by Workers' Comp Law, Illinois Supreme Court Holds
Author: Emily Scace, XpertHR Legal Editor
February 4, 2022
The Illinois Supreme Court has ruled that workers' compensation law does not preclude employees from suing their employers under the state's unique biometric privacy law, potentially opening the door to costly litigation and damages for employers that violate the statute.
The case before the state's high court, McDonald v. Symphony Bronzeville Park, LLC, concerned a nursing home employee who alleged that the employer required employees to scan their fingerprints for its timekeeping system without providing required notice or obtaining consent, in violation of the state's Biometric Information Privacy Act (BIPA). On behalf of herself and similarly situated employees, the plaintiff sought injunctive relief, liquidated damages of $1,000 per violation, and attorney fees.
Enacted in 2008, the BIPA requires Illinois employers that collect or maintain "biometric identifiers" such as fingerprints, iris scans or face scans to inform the affected individuals that:
- Their information is being stored;
- The purpose of the collection or use of the information, and
- The length of time for which it will be stored.
An employee also must consent in writing before an employer may collect biometric identifiers.
The employer attempted to have the case dismissed on the grounds that exclusive remedy provisions of workers' compensation law barred the claim. Those provisions provide that, with narrow exceptions, an employee who experiences a work-related injury or illness may not bring a tort lawsuit against the employer, and is limited to workers' compensation remedies, which typically include medical payments, partial wage replacement, and other disability payments.
But the Illinois Supreme Court disagreed, holding that the "injuries" an employee incurs as a result of an employer's violation of the BIPA are not the type of injury to which workers' compensation's exclusive remedy principle applies.
"The personal and societal injuries caused by violating the Privacy Act…are different in nature and scope from the physical and psychological work injuries that are compensable under the Compensation Act," the court concluded. Pointing to the different goals of the two laws, the court noted that while workers' compensation is aimed at "providing financial protection for injured workers until they can return to the workforce," the BIPA aims to safeguard individuals' right to privacy in, and control over, their biometric information.
As a result of the court's decision, the plaintiff can continue to pursue her claim, and other individuals may bring similar privacy lawsuits against their employers. Individuals harmed by violations of the BIPA may be entitled to $1,000 per negligent violation, $5,000 per intentional or reckless violation, or actual damages, whichever is greater, in addition to attorney fees and other relief.