In an increasingly volatile field of biometric security, an Illinois court has ruled against an employer under their Illinois Biometric Privacy Act (BIPA) to determine whether they were liable for workers compensation.
At issue in this case were two laws, Illinois’ Workers Compensation Act and the aforementioned BIPA. BIPA is considered one of the first and most comprehensive Biometric privacy laws in the country if not the world. Signed into law in 2008, it protects a person’s right to privacy on their unique identifiers. These include DNA, Fingerprints, Retinal prints, and Facial recognition. Increasingly as a measure of security, companies have begun using such measures as a way of securing their company’s servers and data.
However, BIPA makes it so that companies need permission from their customers and their employees to store it, which leads to litigation based around privacy concerns. One of the first involved Six Flags America, when they were subjected to a lawsuit due to the fact, they used fingerprints as part of their entry process in which the plaintiff contended was a violation of their privacy over the fact they were not informed ahead of time over it. They recently settled for $36 million while admitting no fault.(1)
In this new case, the situation is similar. The case, McDonald v. Symphony Bronzeville Park, began when the defendant, a nursing home, began to use fingerprints as a way of clocking in employees top keep track of their time and authenticating people. The employees argued that this was a violation because they were never told this was going to happen and never given the releases for this collection of data and thus sued under BIPA. The defendant argued that since this violation occurred at work, BIPA didn’t apply, rather the Workers Compensation Act did. Under the Act in Illinois, in exchange for compensation, the injured employees must relinquish their rights to sue for that same workplace injury, unless the injury (1) was not accidental; (2) did not arise from his employment; (3) was not received during the course of employment; or (4) was not compensable under the Compensation Act.(2) The question before the Court was where the line of compensable injury was.
The Illinois Court ruled against the employer, arguing the Compensation Act, “is intended to provide employees a financial-layover until they can work again. In this way, the Compensation Act contemplates only those physiological or psychological injuries that would prevent an employee from working. As additional evidence of this, the Court pointed to the fact that the Act expressly provides a compensation schedule that corresponds to death and to injuries to specific body parts.
The Court concluded that injuries of this nature are quite unlike the “personal and societal injuries” caused by violating BIPA. Therefore, BIPA violations are not compensable under the Workers’ Compensation Act. Accordingly, the Workers’ Compensation Act does not preempt BIPA claims, and an employee may seek compensation under both statutes.” (3)
This is a serious blow to employers in the state as this expands BIPA’s scope in how privacy is handled. With more cases on the various dockets waiting for this case to play out, litigation is expected to increase. In the long term, employers must develop ways to mitigate BIPA and privacy risks.