Latimer LeVay Fyock, LLCLatimer LeVay Fyock, LLC

Employers Can Be Liable For BIPA Claims By Employees, Illinois Supreme Court Says

Employers in Illinois and elsewhere are largely shielded from civil lawsuits arising from personal injury claims by employees. That is precisely the structure and purpose of the state’s workers’ compensation system. But not all employee injuries are created equal, and according to a recent decision by the Illinois Supreme Court, not all employee injuries fall within the purview of the Illinois Workers’ Compensation Act (the “Compensation Act”). Specifically, the court has held that claims for statutory damages by an employee for an employer’s alleged violation of Illinois’ Biometric Information Privacy Act (“BIPA”) are not barred by the Compensation Act.

Many employers collect biometric information from employees such as fingerprints, voices, and other markers for security, timekeeping, or other purposes. For any company that does so, the court’s ruling in McDonald v. Symphony Bronzeville Park, LLC opens a Pandora’s Box of potential BIPA liability if they obtain and retain such information without the consents and disclosures required by the act.

BIPA’s Requirements

BIPA imposes several obligations on all private entities regarding the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information. Specifically, a private entity may not obtain or possess a person’s biometric identifiers or information unless it first:

  • informs the person in writing that it is doing so;
  • advises the person in writing of the specific purpose and length of term for which the identifier or information is being collected, stored, and used; and
  • receives a written release from the person authorizing the collection of biometric identifiers and information.

Additionally, all companies in possession of biometric information and identifiers must develop data retention and destruction policies, get additional consents before disclosing any such information, and otherwise use reasonable standards of care to protect the security of biometric information.

Any person “aggrieved by” a BIPA violation may recover “for each violation” $1000 in liquidated or actual damages for negligent violations and $5,000 in liquidated or actual damages for intentional or reckless violations, whichever is greater. A prevailing plaintiff can recover attorney’s fees and costs as well.

In January 2019, the Illinois Supreme Court held that a BIPA claimant does not need to demonstrate an adverse effect or specific harm, such as evidence that personal information was misused or stolen, to have standing to sue under BIPA. A procedural violation is sufficient to support a claim under the act, the court ruled.

BIPA Violations Are Not Physical or Psychological Work Injuries Covered By Workers’ Compensation

In McDonald, an employee of one of the defendants filed a putative class action alleging that her employer’s collection, use, and storage of her and the putative class’s biometric information violated BIPA. Specifically, the plaintiff alleged that while employed, she was required to scan her fingerprint into an electronic system to track her time. Plaintiff claimed that her employer did not provide her with nor did she ever sign a release. She also asserted that her employer never informed her of the purpose or length of time for which her information was being stored in violation of BIPA’s informed consent provisions.

The defendant employer moved to dismiss the suit, asserting that the Compensation Act’s exclusivity provisions barred claims for accidental injuries transpiring in the workplace and that an employee has no common law or statutory right to recover damages from an employer for injuries incurred in the course of employment.

Affirming both the trial and appellate court's denial of the defendant’s motion, the Illinois Supreme Court held that the alleged injuries involved in a BIPA claim were not the type of injuries compensable under the Compensation Act and therefore were not subject to the act’s exclusivity provisions.

The court noted that the test for whether an employee’s injury is compensable under the Compensation Act is "`whether there was a harmful change in the human organism—not just its bones and muscles, but its brain and nerves as well.'"

“The personal and societal injuries caused by violating the Privacy Act's prophylactic requirements are different in nature and scope from the physical and psychological work injuries that are compensable under the Compensation Act,” the court concluded. “Likewise… a Privacy Act violation is not the type of injury that categorically fits within the purview of the Compensation Act and is thus not compensable under the Compensation Act.”

Employers that collect any type of biometric information from their employees need to immediately take steps to ensure compliance with BIPA. This includes issuing and obtaining the required written notification and consent from existing employees and new hires, as well as developing compliant policies and practices involving the use, storage, and disposal of such information.

Let Us Help

If you have questions or concerns about how BIPA affects your company and what steps you need to take to ensure compliance and avoid exposure, please contact Colin T.J. O’Brien at Latimer LeVay Fyock today.