The Illinois Supreme Court last week said a Chicago-area long-term care facility violated the rights of a former employee when, without initially notifying her or obtaining written consent, the company collected the individual’s biometric information when scanning her fingerprints as part of the company’s timekeeping system.

The court’s Feb. 3 unanimous 7-0 decision in McDonald v. Symphony Bronzeville Park LLC upheld a previous ruling by the Illinois Appellate Court that the Illinois Workers’ Compensation Act (IWCA) does not prevent claims for statutory damages under the state’s pioneering biometric privacy law, the Biometric Information Privacy Act (BIPA).

The ruling opens the door for plaintiffs seeking to bring claims under BIPA, which gives consumers and employees rights over how their voices, fingerprints, facial scans, and the like are collected and shared by companies, Bloomberg Law reported.

Marquita McDonald in August 2017 sued Symphony Bronzeville Park LLC and other long-term care facilities in the Chicago area. The lawsuit reached the Illinois Appellate Court, which in September 2020 found Symphony could not avoid the BIPA claim and the damages sought by McDonald could not be classified as a workplace injury occurring in the line of duty, which would place it under the purview of the IWCA.

The initial ruling represented the first time a state appeals court weighed in on the issue of whether workers’ compensation law preempts claims under a biometric data privacy law.

In the Illinois Supreme Court’s decision, Justice David K. Overstreet stated:

“The personal and societal injuries caused by violating the Privacy Act’s prophylactic requirements are different in nature and scope from the physical and psychological work injuries that are compensable under the Compensation Act.

“The Privacy Act involves prophylactic measures to prevent compromise of an individual’s biometrics.”

The legal precedent set by the Illinois Supreme Court shoots down a commonly used defense by employers and opens the door for a potential flood of new lawsuits and claims under BIPA in relation to how individuals’ biometric data is collected, stored and shared by companies.

Under BIPA, individuals can claim liquidated damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation.

The Illinois legislature in 2008 unanimously passed BIPA, in part due to support from the American Civil Liberties Union of Illinois.

The law establishes standards for how companies must handle the biometric data of Illinois consumers and employees. Control over the data is considered to rest with each individual, and private companies are prohibited from collecting such data unless they:

  • Inform the individual in writing of what data is being collected or stored.
  • Inform the individual in writing of the specific purpose and length of time for which the data will be collected, stored and used.
  • Obtain written consent from the individual in question.

Under the law, biometric data includes DNA, facial scans, fingerprints, hand scans, retina or iris scans and voiceprints.

BIPA is recognized as one of only a few biometric privacy laws in the U.S. that include private rights of action, including written consent and disclosure of a data retention schedule.

It is also considered the only state law of its kind that allows individuals to take a company to court over alleged violations.

BIPA also prohibits any company from selling or profiting from such biometric information.

The specific legal question at hand in McDonald v. Symphony Bronzeville Park LLC pertained to whether Illinois lawmakers, in passing BIPA, intended for the law to be preempted by exclusivity provisions contained within the IWCA.

The Illinois Supreme Court found there is no such preemption, stating that the plain language of BIPA demonstrates there was no intent for the law to be preempted by the IWCA.

According to the decision, “personal and societal injuries” caused by BIPA violations differ in nature and scope from injuries that can be compensated under the IWCA:

“As such, the circuit court correctly reasoned that McDonald’s loss of the ability to maintain her privacy rights was not a psychological or physical injury that is compensable under the Compensation Act.

“Likewise, the appellate court correctly held that a Privacy Act violation is not the type of injury that categorically fits within the purview of the Compensation Act and is thus not compensable under the Compensation Act.”

What the Illinois Supreme Court ruling could mean for similar state, federal claims

Although BIPA was passed in 2008, legal experts still consider it a “new and untested statute.” As such, the Illinois Supreme Court ruling is one of the first of its kind to clarify the applicability of the act and the types of claims that can be filed under its provisions.

Another such case in progress, Cothron v. White Castle Sys. Inc., is currently before a federal court, the Seventh Circuit Court of Appeals.

This case pertains to whether BIPA claims accrue each separate time a company violates the law, or if only the first instance of any given violation legally constitutes a claim.

In December 2018, plaintiff Latrina Cothron sued her employer, the White Castle restaurant chain, claiming the company violated BIPA when it used her fingerprints as part of its timekeeping system without first obtaining her written consent.

In January 2019, the case was moved to federal court, the U.S. District Court for the Northern District of Illinois. In August 2020, this court ruled Cothron had alleged multiple timely violations of BIPA.

Cothron is supported in her case by a technology advocacy group, the Electronic Privacy Information Center (EPIC).

EPIC filed an amicus brief with the Seventh Circuit asking the court to rule that an individual suffers a new legal injury under BIPA with each separate instance in which that person’s privacy rights under the law are violated.

According to John Davisson, senior counsel and director of litigation at EPIC, the question at hand in this case regards:

“…incentivizing companies to correct their errors or their mishandling of personal and biometric data in particular.

“It’s also about compensating individuals whose data has been misused and to ensure that they’re not given a small fraction of the remedies to which they’re entitled.”

By contrast, attorney Meredith Slawe, chair of the retail group and co-chair of the class actions practice division of the Philadelphia-based Cozen O’Connor law firm, argued that counting each separate instance of biometric data collection as a separate violation would have a “catastrophic” impact on businesses, as damages could quickly multiply.

Slawe filed an amicus brief on behalf of the defendants in this case.

Any ruling coming out of the Seventh Circuit may have broad national implications for cases pertaining to data privacy and biometrics, including those involving other similar state laws, such as the California Consumer Privacy Act.

As explained by attorney Kristin Bryan, a senior associate at the Cleveland-based Squire Patton Boggs law firm:

“Potentially billions of dollars hang on the line for this Seventh Circuit appeal. It’s going to have a huge impact on current and future litigation.

“Any ruling from the Seventh Circuit Court of Appeals will be a persuasive authority to other courts when confronted with data privacy class actions.”

Indeed, concerns over the collection and use of personal biometric data recently attained national prominence, after the Internal Revenue Service (IRS) announced, in November 2021, that by summer 2022, individuals would only be able to access their records on the irs.gov website through ID.me, an online identity verification service that collects biometric data, such as live facial scans via webcams or smartphone cameras.

A growing number of online services, including many “FinTech” websites, already utilize such a credentialing system in order for users to create an account or to log in.

Following public backlash, however, the IRS announced on Feb. 7 that it is abandoning its plans to implement the ID.me biometric verification system.