In early 2022, the Illinois Supreme Court ruled on a certified question in McDonald v. Bronzeville Park, LLC. The question before the Court was whether the exclusivity provisions of the Workers’ Compensation Act (“Compensation Act”) bar a claim for statutory damages under the Biometric Information Privacy Act (“BIPA” or the “Privacy Act”) where an employer is alleged to have violated an employee’s statutory privacy rights under the Privacy Act.
In this case, plaintiff Marquita McDonald filed a class action against the defendant Symphony Bronzeville Park for unlawful collection, use, and storage of her biometric data due to alleged misuse of a fingerprint timekeeping system Bronzeville used to track employees’ hours. At issue in this case was the interplay between two Illinois statutes: the Privacy Act and the Compensation Act.
The Privacy Act was enacted to help ensure that biometric identifiers and information, such as retina scans, fingerprints, or face scans, were retained, stored, and handled responsibly. As a result, the Privacy Act imposes certain limitations on how private entities such as Bronzeville may collect and use their employees’ biometric information.
Separately, the Compensation Act was enacted to provide financial protection for employees injured on the job until they are able to return to work. For each injury contemplated under the Act, there is a predetermined fee schedule created by the Illinois Workers’ Compensation Commission to eliminate any variability in judgment awards. The Compensation Act includes two “exclusivity provisions” which essentially establish the Compensation Act as an employee’s exclusive means by which they are able to recover damages for a work-related injury.
In light of the Compensation Act’s exclusivity provisions, Bronzeville argued that, because McDonald’s injury was employment related, her claims under the Privacy Act were barred. It was Bronzeville’s position that if McDonald and the rest of the class were to be redressed for their injury, they should have gone through the prescribed channels of the Compensation Act.
To resolve this issue, the Court sought to determine whether McDonald’s injury under the Privacy Act was a type of injury that fell within the purview of the Compensation Act. In doing so, the Court considered the legislature’s intent when drafting both Acts. The Court concluded that the Compensation Act was intended to compensate for injuries that affect an employee’s “capacity to perform employment related duties.” The Privacy Act, on the other hand, exists to protect against injuries that are personal and societal.
Based upon this reasoning, the Court held that the injury alleged by McDonald did not fall within the scope of the Compensation Act. As a result, the suit was not preempted by the exclusive-remedy provisions in the Compensation Act, and the Court allowed the suit to continue.
In the wake of this holding, employers in violation of the Privacy Act are at an increased risk of exposing themselves to liability greatly in excess of that provided by the Compensation Act. Therefore, employers collecting or using employees’ biometric data should exercise caution and consult legal counsel to ensure compliance with the Privacy Act.