CHICAGO (LN) — An Illinois appellate panel on Monday ruled that a government contractor accused of sharing employee fingerprint data with a third-party payroll vendor cannot invoke the Biometric Information Privacy Act's government contractor exemption unless the alleged violation occurred within the scope of its actual government contract work, handing a first-impression statutory construction ruling to a putative class of workers at Cornerstone Services, Inc.
Tiara Thomas, who worked at Cornerstone from 2020 to 2022, alleged in her amended class action complaint that the corporation tracked employee time through a finger-scanning clock and then disclosed workers' fingerprint biometric identifiers to Automatic Data Processing, a third-party payroll processor, without the required consent under BIPA.
Cornerstone, which provides housing and support services to Illinoisans with intellectual and developmental disabilities, pushed back with a blunt argument: it holds a contract with the state Department of Human Services, DHS payments made up 60% to 73% of its revenue during Thomas's employment — more than $23 million annually — and therefore the government contractor exemption in section 25(e) of the Act shielded it from any BIPA liability for the duration of that relationship.
The Third District rejected that reading. Writing for a unanimous panel, Justice Bertani held that the phrase "when working for that State agency or local unit of government" is not merely temporal. The definition of "working (for)," the court noted, means "as in serving" and "to be a servant for" — language that ties the exemption to the scope of the contractor's government work, not to the calendar period in which a contract happens to be active.
"A government contractor is not exempt when it violates the Act while pursuing private undertakings outside of its government contractual responsibilities," the court wrote.
The panel answered the two certified questions in sequence. On the first — whether the exemption covers only contractors in an exclusive relationship with the government — the court said no, declining to read a limitation into the statute that the legislature never expressed. On the second, it held that a nexus must exist between the alleged BIPA violation and the scope of the defendant's government contract work before the exemption attaches.
Cornerstone had warned the court that its reading would create an "unworkable scheme" requiring government contractors to separate portions of their workforce to ensure compliance. The panel was unmoved, noting that the Act already offers private entities a path to compliance — obtaining the necessary consent before disclosing biometric data.
The court also observed that Cornerstone's categorical interpretation would "insulate a private entity from responsibility under the Act for all of its activities, even those not connected with the contract," a result it said would "invalidate the intended purpose of the Act, which seeks to protect the public from private entities that compromise biometric data."
The Illinois Supreme Court had intervened to force the Third District to take the case after the appellate court initially denied Cornerstone's application for leave to appeal on November 19, 2024, issuing a supervisory order on March 26, 2025, directing the panel to vacate that denial and answer the certified questions.
According to the allegations in the amended complaint, Cornerstone collected and stored employee fingerprints for time-tracking purposes beginning around 2008. Whether those underlying class claims survive on remand remains to be determined.