The Illinois Biometric Information Privacy Act (“BIPA”) is considered the most comprehensive law governing the processing of biometric data. Adopted in 2008, BIPA sets requirements for private entities, including employers, that collect, use, store and share biometric information. It’s also one of the most popular class action lawsuits today — hundreds, if not thousands of cases have been filed in recent years — and there are no signs that litigation is slowing down.
There are open questions, however, about the cap on damages and whether the statute or other Illinois laws limit plaintiffs’ potential recovery. As written, the law provides for statutory damages of $1,000 or $5,000 “per violation”. Courts asked to consider whether statutory damages accrue every time there is a use of biometric data, similar to the Telephone Consumer Protection Act (“TCPA”) where each offensive text adds to a party’s potential liability, or, if statutory damages do not apply only to first violation. The Illinois Supreme Court is expected to answer that question later this year.
As we wait for the Illinois Supreme Court to rule on this fundamental issue, it has responded to a narrower defense against BIPA damages. Last week, the Illinois Supreme Court ruled McDonald v. Bronzeville Symphony Park that the exclusivity provisions of the Illinois Workers’ Compensation Act (“Compensation Act”) did not preclude BIPA’s damages. The court distinguished between physical injuries (covered by the Compensation Act) and privacy breaches (covered by BIPA). The decision stemmed from a class action lawsuit alleging that the defendant employer had collected the employees’ fingerprints without their consent. In response, the defendant asserted that the exclusivity provisions of the Compensation Act prohibited these claims because the Compensation Act is the only remedy for accidental injuries occurring in the workplace.
But the Illinois Supreme Court differentiated between an “injurious change in the human organism,” which is protected by compensation law, and “personal and societal harm” protected by BIPA. McDonald v. Symphony Bronzeville Park, LLC, 2022 IL 126511 (Fig. 2022). According to the court, privacy breaches fall into the latter category, even when they occur in the workplace. Therefore, employers cannot rely on compensation law to anticipate damages under BIPA.
Unfortunately for those who monitor BIPA litigation, the court did not answer the question of how damages should be calculated.
What does that mean
Another potential defense against BIPA damage has been ruled out. While Illinois lawmakers have introduced bills to revise or clarify BIPA, they haven’t made much headway. So the potential damages that plaintiffs can seek under BIPA can be staggering.
It is possible that a decision confirming damages for every day fingerprints are collected could prompt lawmakers to clarify BIPA’s ambiguity in an attempt to prevent excessive rewards. Indeed, the Illinois Supreme Court has recognized this possibility. The court specifically referred to a friend brief suggesting that awarding damages for each day the employer fingerprinted could expose employers to potentially devastating class action lawsuits. In response to points raised in the brief, the court said it was “aware of the substantial consequences Parliament intended as a result of [BIPA] fines. » McDonald v. Symphony Bronzeville Park, LLC, 2022 IL 126511, (Fig. 2022). The tribunal concluded that “if a different balance must be struck under [BIPA] . . . is a more appropriate question addressed to the legislator. The court explained that its role was not to find a compromise in the law, but rather to interpret the laws as they are written. Identifier. at ¶ 49.
Businesses should be prepared for a surge in litigation against employers as it is clear that the Compensation Act does not prohibit damages under BIPA. Companies with pending BIPA lawsuits may also be encouraged to settle, albeit in potentially higher amounts, before the Illinois Supreme Court rules adversely on the accumulation of claims. Finally, as more states pass comprehensive data protection laws, and in particular comparable biometric data privacy laws, high regulations may prompt legislatures to clarify damages provisions. and interests.
The threat of potentially significant damages in a BIPA lawsuit is a real threat. We recommend that companies assess their risk in relation to possible BIPA claims. Additionally, companies should review their policies and procedures regarding how biometric data is collected and processed.