Q. Does the Workers’ Compensation Act bar a claim for damages under Illinois’ Biometric Privacy Act (BIPA)?

A. The Illinois Supreme Court recently issued an opinion, finding that the Workers’ Compensation Act does not bar a claim for damages under BIPA.

As a refresher, BIPA regulates the collection, use, safeguarding, and storage of biometric information (such as fingerprints, retina scans, or face scans). It generally requires any private entity possessing such biometric information to: (1) develop a written policy governing management of the information; (2) inform the owner of the biometric information in writing; and (3) obtain informed prior consent to collect the biometric information and a retention schedule for destroying it.

In the action, plaintiff McDonald filed a putative class action against Symphony Bronzeville Park LLC (Bronzeville), alleging that Bronzeville’s use of fingerprints for its timekeeping system violates BIPA. Bronzeville owns a network of post-acute care facilities, from rehabilitative to palliative care. As an employee, McDonald was required to scan her fingerprint to authenticate her identity and track her time. She alleged that Bronzeville failed to obtain written releases before collecting, using, and storing her biometric information, and negligently failed to publicly provide a retention schedule or guideline for permanently destroying biometric identifiers and information. Bronzeville brought a motion to dismiss on the grounds that the Workers’ Compensation Act preempted BIPA.

A remedial statute, the Workers’ Compensation Act (Act) awards damages according to a predetermined fee schedule created by the Illinois Workers’ Compensation Commission, which eliminates variability in the value of each judgment. The Act generally provides that recovery for any injury or death sustained by an employee while engaged in the line of work is solely provided by the Act’s provisions. However, an employee may escape the exclusivity provision if the employee establishes the injury (1) was not accidental; (2) did not rise from his employment; (3) was not received during the course of employment; or (4) is not compensable under the Workers’ Compensation Act.

The circuit court denied Bronzeville’s motion and held McDonald’s injury involved the loss of her ability to maintain her privacy rights, which is neither a psychological nor physical injury and thus not compensable under the Workers’ Compensation Act. The appellate court affirmed, concluding that “a claim by an employee against an employer for liquidated damages under the Privacy Act — available without any further compensable actual damages being alleged or sustained and designed in part to have a preventative and deterrent effect — [does not] represent the type of injury that categorically fits within the purview of the Compensation Act, which is a remedial statute designed to provide financial protection for workers that have sustained an actual injury.”

In affirming the lower court’s opinion, the Illinois Supreme Court considered the type of injuries envisioned by the Workers’ Compensation Act compared to those BIPA protects. The Supreme Court concluded that “[t]he personal and societal injuries caused by violating the Privacy Act’s prophylactic requirements are different in nature and scope from the physical and psychological work injuries that are compensable under the [Workers] Compensation Act.”

The Illinois Supreme Court’s holding is significant, as numerous companies have relied on the Workers’ Compensation Act as a defense to a BIPA claim. Since BIPA is one of the only privacy statutes in the nation that provides a private right of action, many employees have sought relief in Illinois against companies for unlawful use of their biometric data, often in the context of timekeeping purposes. Given that the Workers’ Compensation Act cannot be relied on to bar a BIPA claim, it is important for employers for ensure their compliance with BIPA’s requirements, including developing a written policy governing management of privacy information, informing the owner of biometric information in writing, and obtaining informed prior consent to collect biometric information and a retention schedule for destroying it.