February 2022 saw several court decisions concerning the Illinois Biometric Information Privacy Act (“BIPA”) (740 ILCS 14/1 et seq.). Regarding the two state court decisions, one looks at the exclusivity provisions of the Illinois Workers’ Compensation Act in the light of BIPA, and the other examines Section 301 of the Labor Management Relations Act (29 U.S.C. §185) and how BIPA reflects on collective bargaining agreements. This article provides a brief review of each of these two cases and concludes with some thoughts for business leaders to reflect upon when considering their BIPA compliance and potential liabilities.
BIPA and Workers’ Compensation
In a February 3, 2022, decision, the Illinois Supreme Court held that the exclusivity provisions of the Illinois Workers’ Compensation Act [(“Compensation Act”) (820 ILCS 305/1 et seq.)] do not bar a claim for statutory damages under the Biometric Information Privacy Act (“BIPA”) where an employer is alleged to have violated an employee’s statutory privacy rights under BIPA.
The plaintiff (employee) in McDonald v. Symphony Bronzeville Park, LLC, et al., 2022 WL 318649 (Illinois Supreme Court, 20220203) was seeking damages under BIPA and attempting to form a class. The defendants (the employer) filed a motion to dismiss the plaintiff’s class action complaint, asserting, inter alia, that the alleged claims of the plaintiff and the putative class were barred by the exclusive remedy provisions of the Compensation Act. In particular, the defendants argued that the Compensation Act is the exclusive remedy for accidental injuries transpiring in the workplace and that an employee has no common-law or statutory right to recover civil damages from an employer for injuries incurred in the course of her employment.
In its analysis the Illinois Supreme Court stated, “The personal and societal injuries caused by violating the Privacy Act’s prophylactic requirements are different in nature and scope from the physical and psychological work injuries that are compensable under the Compensation Act. The Privacy Act involves prophylactic measures to prevent compromise of an individual’s biometrics. Rosenbach, 2019 IL 123186, ¶ 36 [432 Ill.Dec. 654, 129 N.E.3d 1197]. McDonald’s [plaintiff’s] claim seeks redress for the lost opportunity ‘to say no by withholding consent.’ Id. ¶ 34. McDonald [plaintiff] alleges that Bronzeville [employer] has violated her and the class’s right to maintain their biometric privacy. See id.” (For a more detailed discussion of Rosenbach, see “Biometric Information – Permanent Personally Identifiable Information Risk” available at http://bit.ly/BIP-PII-RISK-ABA-BUS-CORP-LIT20190702.)
The Illinois Supreme Court distinguished the different purposes of the Compensation Act and BIPA and commented on the legislative intent:
We are cognizant of the substantial consequences the legislature intended as a result of Privacy Act violations. Pursuant to the Privacy Act, the General Assembly has adopted a strategy to limit the risks posed by the growing use of biometrics by businesses and the difficulty in providing meaningful recourse once a person’s biometric identifiers or biometric information has been compromised. Rosenbach, 2019 IL 123186, ¶ 35 [432 Ill.Dec. 654, 129 N.E.3d 1197]; see also 740 ILCS 14/5(c) (West 2016) (once biometrics are compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions). The General Assembly has tried to head off such problems before they occur by imposing safeguards to ensure that the individuals’ privacy rights in their biometric identifiers and biometric information are properly protected before they can be compromised and by subjecting private entities who fail to follow the statute’s requirements to substantial potential liability (740 ILCS 14/20 (West 2016)) whether or not actual damages, beyond violation of the law’s provisions, can be shown. Rosenbach, 2019 IL 123186, ¶ 36 [432 Ill.Dec. 654, 129 N.E.3d 1197]. “It is clear that the legislature intended for this provision to have substantial force.” Id. ¶ 37.
“When private entities face liability for failure to comply with the law’s requirements without requiring affected individuals or customers to show some injury beyond violation of their statutory rights, those entities have the strongest possible incentive to conform to the law and prevent problems before they occur and cannot be undone.” Id.
BIPA and Collective Bargaining Agreements
In a February 22, 2022, decision, the Appellate Court of Illinois, First District, held that plaintiff (union employee) and his fellow unionized employees are not prohibited from pursuing redress for a violation of their right under BIPA to biometric privacy—they are simply required to pursue those rights through the grievance procedures in their collective bargaining agreement rather than in state court in the first instance. In essence, the Illinois Appellate Court determined that a union member-employee (plaintiff) “cannot bypass his union, his sole and exclusive bargaining agent,” to demand that the employer “deal with him directly” on this issue.
The plaintiff (union member-employee) in William Walton, Individually and on Behalf of Others Similarly Situated, v. Roosevelt University, 2022 WL 522760 (Appellate Court of Illinois, 1st District, 2nd Division, 20220222) alleged claims under BIPA. The defendant argued that the claims asserted by the plaintiff are preempted and moved to dismiss the complaint. The circuit court denied the motion to dismiss but certified the relevant question (“Does Section 301 of the Labor Management Relations Act (29 U.S.C. § 185) preempt [Privacy Act] claims (740 ILCS 14/1) asserted by bargaining unit employees covered by a collective bargaining agreement?”) for interlocutory review.
The Illinois Court of Appeals noted that while the Walton appeal was pending, the United States Court of Appeals for the Seventh Circuit directly addressed the question presented in this appeal. In Fernandez v. Kerry, Inc., 14 F.4th 644, 646-47 (7th Cir. 2021), the U.S. court of appeals found that unionized employees’ claims that their employer violated BIPA were preempted by the Labor Management Relations Act (29 U.S.C. § 185). As Walton (plaintiff) conceded at oral argument, the relevant factual and legal circumstances of this case were indistinguishable from Fernandez. As the Court noted, its real objective in this appeal was therefore to determine whether the court of appeals’ ruling on a matter of federal law was wrongly decided in such a way that the Court would deem it to be without logic and reason. (For a more detailed discussion of Fernandez, see “Biometric Information Privacy Act and Collective Bargaining Agreements” available at https://bit.ly/BIPA_Collective_Bargining_Agmts_MIB_202109.)
In addressing the issues raised by the certified question, the Court reasoned:
In contrast to finding the court of appeals’ decision to be without logic or reason (see State Bank of Cherry, 2013 IL 113836, ¶ 54), we think it is the proper interpretation of the Privacy Act when viewed through the prism of the Labor Management Relations Act’s preemptive effect. The Privacy Act contemplates the role of a collective bargaining unit that may act as an intermediary on issues concerning the employee’s biometric information. See 740 ILCS 14/15(b) (West 2020). The Privacy Act provides that “[n]o private entity may collect *** a person’s *** biometric identifier or biometric information, unless it first: (1) informs the subject or the subject’s legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored; (2) informs the subject or the subject’s legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and (3) receives a written release executed by the subject of the biometric identifier or biometric information or the subject’s legally authorized representative.” (Emphases added.) Id. Under the Privacy Act, it is clearly within a union’s purview to negotiate with the employer about its members’ biometric information. The grievances that Walton has raised against Roosevelt are all things that his union can bargain about, but his complaint raises the question of whether such bargaining has occurred, either implicitly or explicitly.
The collective bargaining agreement at issue in this case contains a broad management rights clause. The agreement makes the union the sole and exclusive bargaining agent for the employees in the union. Walton and any other similarly situated employees agreed to their employment being covered by the subject collective bargaining agreement. The timekeeping procedures for workers are a topic for negotiation that is clearly covered by the collective bargaining agreement and requires the interpretation or administration of the agreement. The members of the collective bargaining unit in this case have surrendered their individual right to bargain with their employer about timekeeping procedures, even where those timekeeping procedures also include the collection and use of the employees’ biometric information. …
Unions frequently bargain for matters concerning their members’ privacy and protection. Collective bargaining agreements may include express and implied terms (id.), and it is up to an arbitrator, not a state court, to define the scope of the parties’ agreement (Fernandez, 14 F.4th at 646-47).
In answering the certified question, the Illinois Court of Appeals held:
Walton and his fellow unionized employees are not prohibited from pursuing redress for a violation of their right to biometric privacy—they are simply required to pursue those rights through the grievance procedures in their collective bargaining agreement rather than in state court in the first instance. Walton cannot bypass his union, his sole and exclusive bargaining agent, to demand that Roosevelt deal with him directly on this issue. Walton comes to the court attempting to represent a class of similarly situated employees over a workplace grievance, but that is a place for his union, not Walton himself. Federal law prevents state courts from stepping in and usurping the bargained-for dispute resolution framework where the parties have elected to establish a working relationship that comes within the purview of the Labor Management Relations Act. Accordingly, we answer the certified question in the affirmative and find that Privacy Act claims asserted by bargaining unit employees covered by a collective bargaining agreement are preempted under federal law.
The bottom line is that employers using, or planning to use, biometric devices (e.g., timeclocks, facial recognition, etc.) in the workplace need to be aware of the biometric privacy legislation applicable to the jurisdictions where they do business and where their employees (and others interacting with those biometric devices) reside. In particular, employers subject to a Workers’ Compensation Act or collective bargaining agreement under the Labor Management Relations Act (29 U.S.C. § 185 (2018)) need to understand their compliance responsibilities in light of the employer’s use of biometric devices and the relationship to their employees’ rights, and the business’s liabilities (which can be significant under BIPA-type legislation).