Heyl Royster


Heyl Royster


IL Supreme Court Rules Exclusivity Provisions in Workers’ Comp Act Doesn’t Bar Claims Under BIPA

By Emily Galligan

The Illinois Supreme Court recently considered the question as to whether the exclusivity provisions of the Illinois Workers’ Compensation Act bar a claim for statutory damages under the Biometric Information Privacy Act where it was alleged that an employer violated an employee’ statutory privacy rights under the Privacy Act.

The Marquita McDonald v. Symphony Bronzeville Park, LLC, 163 N.E.3d 746, 444 Ill.Dec. 183, 2021 WL 4150197 (S.Ct. of Ill.) case arose after the plaintiff, Marquita McDonald, filed a class action lawsuit against her former employer, the defendant, Symphony Bronzeville Park, LLC, alleging that Bronzeville’s collection, use, and storage of its employees’ biometric data violated the Privacy Act. McDonald alleged that she and other employees were required to scan their fingerprint as a means of authenticating employees and tracking their time, but that they were never provided or signed a release consenting to the storage of their biometric data. Bronzeville filed a motion to dismiss McDonald’s class action lawsuit, asserting that the claim was barred by the exclusive remedy provisions of the Workers’ Compensation Act.

The Court initially noted the purpose of the Privacy Act is to help regulate “the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information”, and impose restrictions on the handling of biometric data. The Privacy Act requires a private entity to inform the individual in writing regarding the fact that their biometric information is being collected or stored, the specific purpose of collecting it, the length and term for which it will be stored and/or used before obtaining an individual’s fingerprint. The Privacy Act also requires a private entity to obtain a signed written release from an individual before collecting the biometric information and before disclosing or disseminating that information to a third party.

Bronzeville argued that despite language in Section 20 of the Privacy Act, which provides a right of action in a state circuit court, the Workers’ Compensation Act precludes McDonald’s class action in the circuit court because the alleged injury occurred in the course of employment. The Workers’ Compensation Act is a remedial statute courts construe liberally to effectuate its main purpose – to provide financial protection for injured workers until they can return to the workforce. It serves as the exclusive remedy if an employee sustains a compensable injury. However, an employee can escape the exclusivity provisions of the Workers’ Compensation Act if the employee establishes that the injury (1) was not accidental, (2) did not arise from his employment, (3) was not received during the course of employment, or (4) was not compensable under the Workers’ Compensation Act.

In this case, the Court analyzed whether McDonald’s alleged injuries were compensable under the Workers’ Compensation Act. McDonald argued that the fourth exception was construed to mean that only physical or psychological injuries are compensable under the Act. However, Bronzeville argued that the exclusivity provisions were broadly worded and required exclusive resort to the Workers’ Compensation Act’s remedy for any injury arising out of and in the course of employment.

The Court agreed that McDonald’s failure to maintain her privacy rights was not a psychological or physical injury that is compensable under the Workers’ Compensation Act. Additionally, the Court agreed with the First District’s ruling holding that a violation under the Privacy Act is not the type of injury that categorically fits within the purview of the Workers’ Compensation Act and is thus not compensable. The Court reasoned that the plain language of the Privacy Act supports a conclusion that the legislature did not intend for the Privacy Act to be preempted by the Workers’ Compensation Act. The Privacy Act, which postdates the Workers’ Compensation Act, defines the pre-collection of biometric data written release to include “a release executed by an employee as a condition of employment.” Therefore, the legislature was aware that Privacy Act claims could arise in the employment context, yet it treated them identically to nonemployee claims except as to permissible methods of obtaining consent.

Bronzeville further argued that when workplace injuries can be cleverly characterized to evade the broad sweep of the exclusivity provisions of the Workers’ Compensation Act, the proverbial litigation floodgates will open and protections for Illinois employers will erode. Thus, if the Court allowed Privacy Act claims to proceed against employers, it would expose employers to potentially devastating class action lawsuits. The Court noted that it was aware of the consequences that were imposed by the legislature as a result of Privacy Act violations, and that the General Assembly intended to prevent such issues by imposing safeguards to ensure that the individual’s privacy rights in their biometric information are properly protected before being compromised. The Court concluded that McDonald and the putative class could pursue Privacy Act claims in the circuit court rather than before the Illinois Workers’ Compensation Commission because the injury in this case was not compensable in a Workers’ Compensation proceeding and is therefore not preempted by the exclusive-remedy provisions of the Workers’ Compensation Act.

Employers must proceed with great caution when collecting biometric identifiers or information from its employees. Employers must inform employees in writing that biometric data will be collected, stored, and/or used, along with the specific purpose, and length of time before the data is collected, stored, and/or used. Employers are further required to publicly provide a retention schedule or guideline for permanently destroying the biometric identifiers and information. Additionally, after providing this information to employees, employers must obtain written releases from their employees, providing consent to the collection, storage, and/or use of their biometric identifiers and information, including consent to disclosing the information to a third party.