The Illinois Supreme Court has answered a long-awaited question regarding the Illinois Biometric Information Privacy Act (BIPA) and its interaction with the state’s workers’ compensation statute. In McDonald v. Symphony Bronzeville Park, LLC, the Supreme Court addressed a certified question from the Court of Appeals: whether the Workers’ Compensation exclusivity provisions bar an employee’s claims filed under BIPA. The Court distinguished BIPA violations from the workplace injuries that are subject to the exclusivity provision, reasoning that a BIPA violation “is not the type of injury that categorically fits within the purview of the Compensation Act and is thus not compensable under the Compensation Act.”
In doing so, the Supreme Court removed what had previously been the prevailing defense for employers accused of technical violations of BIPA. The Court stated, “We are cognizant of the substantial consequences the legislature intended as a result of [BIPA] violations. Pursuant to [BIPA], the General Assembly has adopted a strategy to limit the risks posed by the growing use of biometrics by businesses and the difficulty in providing meaningful recourse once a person’s biometric identifiers or biometric information has been compromised.”
This dictum strengthens the recent holdings of Illinois’s Appellate courts, which have weighed in on BIPA, ruling for an expansive definition of when a claim accrues and leaving open the question of how to calculate damages for successive violations. This question may need to be addressed on remand in the McDonald case, which involves the repeated scanning of an employee’s fingerprint to keep track of worked time.
What constitutes biometric information and how does BIPA protect it?
Illinois enacted the Illinois Biometric Information Privacy Act in 2008 to create a private tort action in response to privacy violations related to biometric data. BIPA states a “Biometric Identifier” means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.
Given the rise of biometric data used across industries such as transportation, finance, hospitality, retail, and education, all businesses must be keenly aware of the requirements under the act. Any private entity which collects biometric information must:
- Create a publicly available policy on its biometric data practices;
- Provide disclosures;
- Obtain releases from individuals for whom biometric identifiers are collected before the collection occurs; and
- Use a reasonable standard of care based on industry to store, transmit, and protect the information.
Who can make a BIPA claim?
The Illinois Biometric Information Privacy Act is written broadly to protect any individual (consumers, employees, etc.) who might have a biometric identifier collected by a private entity.
Importantly, in its watershed 2019 decision in Rosenbach v. Six Flags Entertainment Corp., the Illinois Supreme Court unanimously settled a circuit split among Illinois appellate courts regarding the pleading standard for demonstrating that a claimant was “aggrieved” under the act, determining that a claimant need not plead actual harm to recover under the statute.
Six Flags had a practice of collecting fingerprints for pass membership to their amusement park but had not complied with the notice and consent provisions of BIPA. The Second District Illinois Appellate Court dismissed the claim given there was no breach and consequently no actual harm demonstrated. However, the Illinois Supreme Court reversed the decision, finding that “aggrieved” under BIPA included technical violations of the statutory requirements because they created substantive rights.
“Such a characterization, however, misapprehends the nature of the harm our legislature is attempting to combat through this legislation. The Act vests in individuals and customers the right to control their biometric information by requiring notice before collection and giving them the power to say no by withholding consent.”
The Illinois Biometric Information Privacy Act has distinct subparts which could each constitute individual violations:
- Failing to develop a written policy under 15(a);
- Failing to provide written notice of collection under 15(b);
- Profiting from the biometric data under 15(c);
- Unlawfully disclosing the biometric identifier under 15(d); or
- Not taking reasonable care in storing, transmitting, or otherwise protecting the information under 15(e).
When does a BIPA claim accrue?
In Watson v. Legacy Healthcare Financial Services, LLC et al., the First District Illinois Appellate Court determined that a claim accrues not only on the initial capture of a claimant’s biometric data but at the time of each individual capture.
What are the damages in a BIPA claim?
The court in Watson did not address whether each capture represented a separate violation under the Illinois Biometric Information Privacy Act or how multiple captures of biometric data might affect monetary damages. BIPA establishes damages in the amount of $1,000 for each negligent violation and up to $5,000 for intentional or reckless violations. A claimant is entitled to seek more if their actual damages would exceed the statutory amount.
In enacting the law, the Illinois General Assembly expressly noted that “[b]iometrics are unlike other unique identifiers that are used to access finances or other sensitive information. For example, Social Security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.”
Biometric Information Privacy outside of Illinois
Currently, only the states of Arkansas, California, Texas, and Washington have enacted legislation similar to Illinois’ Biometric Information Privacy Act. Additionally, several large cities have adopted their own biometric technology regulations, including New York City, San Francisco, Baltimore, and Portland, Oregon.
Numerous other legislatures, including Missouri, have bills in the works to adopt BIPA-like legislation in the future.
Protect yourself from BIPA claims
Technology evolves, and so does the law. Whether your business is on the cutting edge or keeping up with the times, it’s imperative that you have skilled counsel on your side. The attorneys at Rasmussen Dickey Moore can help your business maintain compliance and stay out of the courtroom or work to extricate you from litigation should it arise. Contact RDM today to protect your business from BIPA claims.