In McDonald v. Symphony Brozevill Park, LLC, the Illinois Supreme Court recently held that the state’s exclusivity provision in the Illinois Workers’ Compensation Act does not bar civil claims under the Illinois Biometric Privacy Act (the “Privacy Act”).1 Illinois courts have found that workers’ compensation is the exclusive remedy unless one of the following applies: (1) the injury was not accidental; (2) the injury did not arise from his or her employment; (3) the injury was not sustained during the course of employment; or (4) the injury was not compensable under the act.2 This ruling will impact any company with any operations in the State of Illinois that collects its employees’ biometric data. While the Privacy Act is certainly concerning to Illinois’ trucking industry, many other states have set the legal framework for biometric privacy. The ruling by the Illinois Supreme Court has the momentum to set the stage for new legal precedent and standards within other states that have biometric privacy act(s), and likely will mean ongoing litigation regarding their scope and purview.
Under the Privacy Act, “biometric identifier” means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.3 Employers in the trucking industry, almost as a rule, have embraced the collection of employees’ biometric data to better manage their workforces, increase security, and improve safety on the roads. For example, companies routinely use fingerprint software for security locks on devices, and utilize in-cab cameras to detect driver fatigue and roadway compliance.4 Because the trucking industry has embraced these technologies, they have become targets for Privacy Act claims as statutory damages include $1,000 for each negligent violation and $5,000 for each violation if proven intentional or reckless.5 Courts have established that a violation of the Privacy Act applies to every capture, not just when the company first obtains the information, so damages can quickly accumulate.6 Companies must take these claims seriously, and companies must implement safeguards to prevent future exposure.
In McDonald v. Symphony Bronzeville Park, LLC, the plaintiff, Marquita McDonald, filed a class action suit against her employer, Symphony Bronzeville Park (Bronzeville), alleging that Bronzeville negligently failed to obtain a written release prior to collecting, using, and storing her biometric data.7 The biometric identifier at issue in that case was her fingerprints, which Bronzeville used in conjunction with software for authenticating and tracking employees’ time.8 Bronzeville moved to dismiss McDonald’s claims arguing that the Illinois Workers’ Compensation Act was the exclusive remedy for accidental injuries occurring in the workplace.9 The trial and appellate courts each denied Bronzeville’s motion to dismiss, finding that the exclusivity provision of the Compensation Act does not bar claims alleging violations of an employee’s rights under the Privacy Act—and the Illinois Supreme Court agreed.10
In a special concurring opinion, Justice Michael Burke, pointed out that McDonald’s claim only prevailed because she withdrew her mental anguish claim in connection with Bronzville’s collection of her biometric data.11 Had she pursued such a claim, Justice Burke reasoned, the Workers’ Compensation Act’s exclusivity provision would have superseded the Privacy Act and barred her claim.12 This litigation strategy—which is surely a tactic to prevent the Workers’ Compensation Act from preempting such claims—is demonstrative that future plaintiffs will likely be able to proceed in cases where their biometric data was wrongly utilized, without having to overcome the “claim-hurdle” that the Act imposes, so long as they do not raise other claims involving anguish, pain and suffering, and the like.
While some states have comprehensive laws governing the collection of biometric information, Illinois is the only state that also permits a private right of action for violations of the Privacy Act.13 While the Illinois Supreme Court’s ruling in McDonald will impact any company with operations in the State, no industry may feel the ripple effect more than the trucking industry. Put bluntly, the McDonald decision slams the door on any hope that a court would intervene to prevent a flood of these types of claims against employers. Moreover, the decision almost certainly guarantees that the legislature will look to amend the statute to curb the anticipated increase in Privacy Act claims.
Under the Privacy Act, before obtaining an individual’s fingerprint, a private entity must inform the individual in writing that it is collecting and/or storing his or her biometric identifier or biometric information; the specific purpose of collecting or using the biometric identifier or biometric information; and, the length of time for which the biometric identifier or biometric information will be collected, stored, and used.14 The entity also must obtain a signed “written release” from an individual before collecting her biometric identifier or biometric information.15 Under the Privacy Act, “written release” is defined as “a release executed by an employee as a condition of employment.”16
So, what should companies do to comply with the Privacy Act and avoid potential litigation? Once again, companies are allowed to collect biometric data under the Privacy Act – they just need to make it clear to employees what they are collecting, and obtain their employees’ signed, written consent.17 Any company that operates in Illinois and collects biometric information from employees must conduct a thorough review of how it collects that data, and then revise existing policies to ensure compliance under the Privacy Act. Until the legislature amends the Act, the only way for companies to avoid these claims is to obtain written consent as provided in the statute. Thus far, courts in Illinois have sided with employees on this issue, and more litigation against companies likely will follow.
As a result, the decision in McDonald v. Symphony Bronzeville Park, LLC can be viewed as a case study for statutory interpretation, which may influence other courts. Given that every state has its own workman’s compensation statute, this case could “open the floodgates” so to speak in regard to the potential liability of trucking companies in states other than Illinois, should other courts follow the approach of the Illinois Supreme Court.18
The recent case Richard Rogers v. BNSF Railway Company provides another example of the consequences that the statute likely will impose on the trucking industry.19 In this case, Richard Rogers sued the BNSF Railway Company on behalf of a putative class for violations of the BIPA.20 Rogers sought to certify a class of 44,219 truck drivers, alleging that BNSF required them to scan their fingerprints to use automatic gate systems at its Illinois rail yards, without first obtaining their informed consent between April 4, 2014 and January 25, 2020.21 Particularly, the class representative claims that BNSF (1) unlawfully scanned his fingerprint without permission or notice; (2) violated BIPA by storing and using his biometric data without a publicly available retention policy; and (3) shared/disclosed his data to at least one third party without his prior consent.22 In a recent decision, the Northern District of Illinois certified the class, after concluding that the group satisfied the requirements of Federal Rule of Civil Procedure 23(a).23 With such a large class, damages could prove to be devastatingly high. While it is uncertain just how much may be awarded, BNSF, if found liable, would face, at a minimum, an award to pay $1,000 to each individual in the class. With 44,149 members in the class, BNSF could be paying a total of $44,149.
Due to the prolific utilization of biometric technology in the trucking space, companies would be wise to ensure their policies conform with the laws of the jurisdictions in which they operate. MG+M continues to monitor the use of biometric data and privacy laws in the trucking industry.