Illinois Supreme Court Finds 5-Year Limitations Period for Biometric Information Privacy Act Claims

Illinois Supreme Court Finds 5-Year Limitations Period for Biometric Information Privacy Act Claims

Blog WilmerHale Privacy and Cybersecurity Law

On February 2, 2023, the Illinois Supreme Court held in a unanimous opinion that individuals have five years after an alleged violation to bring claims under the state’s Biometric Information Privacy Act (BIPA). This ruling raises the potential compliance risk associated with BIPA even more, as not only do companies have to worry about the law’s private right of action and statutory damages but also have to account for an extended statute of limitations period. 

Companies that have not been BIPA-compliant for all of the past five years should take note that there may be some BIPA-related litigation risk that they had not previously accounted for if they had assumed a one-year statute of limitations. This risk can be quite substantial given that BIPA allows up to a $5,000 penalty per violation. For example, in October 2022, a jury awarded a class of over 45,000 truck drivers a $228 million judgment against BNSF Railway Co. for collecting—through a third-party vendor—the truck drivers’ fingerprints without proper consent in violation of BIPA. 

Businesses that collect and process biometric information (particularly of Illinois residents) should review their notice and consent processes to ensure that they align with BIPA. Companies should also be aware of laws in other states that regulate the use of biometric information. For example, a number of the comprehensive state privacy laws that are in effect or will go into effect in 2023 (such as in California and Colorado) regulate biometrics as “sensitive” information. Additionally, a number of states have proposed biometric laws that are similar to BIPA, including proposals that also include a private right of action.

We have provided additional background on BIPA and the relevant case in this blog post, as well as other key considerations that businesses should be aware of when processing biometric data pursuant to BIPA. We are happy to answer any questions you may have on these issues.   

BIPA Background
 
BIPA, enacted in 2008, regulates the collection, retention, disclosure, and destruction of biometrics, such as fingerprints, handprints, voiceprints, eye scans, and the facial geometry characteristics captured by facial recognition systems. Specifically, section 15 of BIPA outlines the obligations of private entities that collect or otherwise obtain biometrics. BIPA also provides a private right of action for parties that have been aggrieved by a BIPA violation, which makes possible lawsuits like the one addressed here.  

Case Background

The underlying case addressed by the Illinois Supreme Court, Tims v. Black Horse Carriers, Inc., is a class-action against an employer—Black Horse—alleging violations of sections 15(a), 15(b), and 15(d) of BIPA based on Black Horse’s use of a fingerprint-based system for employees to clock-in and clock-out. Through a series of immediate appeals at the motion to dismiss stage, the certified question before the Illinois Supreme Court was whether the BIPA claims were governed by the one-year limitations period of section 13-201 of the Code of Civil Procedure (Code) (735 ILCS 5/13-201 (West 2018)) or the five-year limitations period of section 13-205 of the Code.

Section 13-201 of the Code imposes a one-year limitations period on actions for “publication of matter violating the right of privacy” along with slander and libel. Black Horse argued that claims under section 15 of BIPA fell within that scope as privacy-related violations. The plaintiffs, however, asserted that their BIPA claims fell within Section 13-205’s “catchall” five-year limitations period for “all civil actions not otherwise provided for” because BIPA itself does not contain a limitations period. The court agreed with the plaintiffs and also found that the five-year limitations period comported with the legislature’s public welfare and safety aims by allowing an aggrieved party sufficient time to discover and act on potential violations. 
 
Other Considerations

BIPA-related damages risks may become even greater depending on the outcome of another case with a certified question pending before the Illinois Supreme Court, Cothron v. White Castle System Inc., Ill. In Cothron, the court will decide whether each scan or transmission of a person’s biometric identifier—like an employee’s fingerprint—constitutes a separate BIPA violation or whether only the first scan and transmission count. 
Any entities that collect or otherwise obtain biometrics should continue to ensure compliance with BIPA and consider whether a review of their policies for the past five years is necessary to adequately assess litigation risk. We will continue to monitor developments related to BIPA and other legislation covering biometric data. 
 

Authors

Related Solutions

We help companies protect data, comply with evolving regulations, and respond to investigations and litigation.

More from this series

Explore the Full Series

Notice

Unless you are an existing client, before communicating with WilmerHale by e-mail (or otherwise), please read the Disclaimer referenced by this link.(The Disclaimer is also accessible from the opening of this website). As noted therein, until you have received from us a written statement that we represent you in a particular manner (an "engagement letter") you should not send to us any confidential information about any such matter. After we have undertaken representation of you concerning a matter, you will be our client, and we may thereafter exchange confidential information freely.

Thank you for your interest in WilmerHale.

I Accept Cancel