Cyber authorities sound the alarm

Illinois’ Biometric Information Privacy Act (“BIPA”) is considered the most comprehensive law governing the processing of biometric data. Passed in 2008, BIPA sets out requirements for private entities, including employers, that collect, use, store, and share biometric information.  It’s also one of the most popular class action suits today – hundreds, if not thousands of cases have been filed in recent years – and there is no sign that the litigation is slowing down.

There are open questions, however, about the ceiling for damages and whether the statute or other Illinois statutes limit plaintiffs’ potential recovery.  As written, the statute provides statutory damages of either $1,000 or $5,000 “per violation.” Courts are being asked to consider whether statutory damages accrue each time there is a use of biometric data, similar to the Telephone Consumer Protection Act (“TCPA”) where every offending text adds to a party’s potential liability, or, if the statutory damages only apply to the first violation.  The Illinois Supreme Court is expected to answer this question sometime later this year.

As we wait for the Illinois Supreme Court to address this fundamental question, it has answered a more narrow defense to BIPA damages.  Last week, the Illinois Supreme Court ruled in McDonald v. Symphony Bronzeville Park that the exclusivity provisions in the Illinois Workers’ Compensation Act (“Compensation Act”) did not bar BIPA damages.  The court distinguished between physical injuries (covered by the Compensation Act) and injuries to privacy (covered by BIPA).  The ruling stemmed from a class action that alleged the defendant employer collected employees’ fingerprints without their consent.  In response, the defendant claimed that the Compensation Act’s exclusivity provisions barred these allegations because the Compensation Act is the exclusive remedy for accidental injuries that occur in the workplace.

But the Illinois Supreme Court differentiated between a “harmful change in the human organism,” which is protected by the Compensation Act, and “personal and societal injuries” protected by BIPA.  McDonald v. Symphony Bronzeville Park, LLC,  2022 IL 126511 (Ill. 2022).  Injuries to one’s privacy, the court reasoned, fall into the latter category, even where they occur at the workplace.  As a result, employers cannot rely on the Compensation Act to preempt damages under BIPA.

Sadly for those monitoring BIPA litigation, the court failed to answer the question about how damages should be calculated.

What this Means

Another potential defense to BIPA damages has been ruled out.  While Illinois legislators have introduced bills to revise or clarify BIPA, they have not made much progress.  So the potential damages plaintiffs can seek under BIPA can be staggering.

It is possible that a decision upholding damages for each day fingerprints are collected could push the legislature to clarify the ambiguity in BIPA in an attempt to prevent excessive rewards.  Indeed, the Illinois Supreme Court acknowledged this possibility.  The court specifically referenced an amicus brief that suggested that awarding damages for each day the employer captured fingerprints could expose employers to potentially devastating class actions.  In response to the points raised in the brief, the court said it was “cognizant of the substantial consequences the legislature intended as a result of [BIPA] violations.”  McDonald v. Symphony Bronzeville Park, LLC,  2022 IL 126511, (Ill. 2022).  The court found that “whether a different balance should be struck under [BIPA] . . . is a question more appropriately addressed to the legislature.”  The court explained it was not its role to find a compromise in the law, but rather to interpret the laws as written. Id. at  ¶ 49.

Looking Forward

Businesses should be prepared for a sharp uptick in litigation against employers given the clarity that the Compensation Act does not bar damages under BIPA.  Businesses with outstanding BIPA suits may also be encouraged to settle, albeit at potentially higher amounts, before the Illinois Supreme Court makes an unfavorable determination on claims accrual.  Finally, as more states pass comprehensive data protection laws, and specifically comparable biometric data privacy laws, high settlements may nudge legislatures to clarify damages provisions.

The threat of potentially large  damages in a BIPA suit are a real threat.  We recommend businesses evaluate their risk in connection with potential BIPA claims.  Additionally, businesses should review their policies and procedures around how biometric data is collected and processed.