Last week, the Illinois Supreme Court held that a five-year statute of limitations applies to all claims under the Illinois Biometric Privacy Act (BIPA), further expanding the already broad scope and application of the Illinois statute.1
Enacted in 2008, BIPA regulates the collection and possession of biometric data by private entities operating in Illinois. Biometric data includes, for example, fingerprints, voiceprints, eye scans, and face/hand scans (but not photographs or written signatures). BIPA requires entities to comply with certain obligations when collecting biometric data—among other things, entities must provide notice to the individual whose biometric data is being collected, obtain written consent from that individual, establish and implement a written data retention policy, and ensure compliance with limitations on any transfers of biometric data, including prohibition on “sale” and “lease” of biometric data. Notably, BIPA establishes a private right of action, allowing any person to seek damages, attorneys’ fees, and injunctive relief if they have been aggrieved by a BIPA violation. The statutory damages available for a person aggrieved by a BIPA violation are steep, including $1,000 to $5,000 per violation, attorneys’ fees and costs, and the possibility of injunctive relief. In 2019, the Illinois Supreme Court clarified that a plaintiff may seek damages when the only injury is a violation of BIPA,2 a decision that accelerated the trend of filing putative class action lawsuits under the statute.
This latest decision by the Illinois Supreme Court again emphasizes the broad scope of BIPA and the importance of remaining sensitive to BIPA requirements. Below is additional information regarding the decision as well as some practical steps that companies can take to help reduce potential BIPA liability.
Tims v. Black Horse Carriers
In March 2019, the plaintiff filed a class action complaint against his former employer relating to the former employer’s use of finger-scan technology for purposes of timekeeping. The plaintiff alleged, among other things, that the employer-defendant: “(1) failed to institute, maintain, and adhere to a publicly available biometric information retention and destruction policy required under [S]ection 15(a); (2) failed to provide notice and to obtain his consent when collecting his biometrics, in violation of [S]ection 15(b); and (3) disclosed or otherwise disseminated his biometric information to third parties without consent in violation of [S]ection 15(d).” The employer-defendant moved to dismiss the complaint on statute of limitations grounds, arguing that the one-year limitations period applicable to “publication of matter violating the right of privacy,” 735 ILCS 5/13-201, barred the claims. The plaintiff maintained that a five-year limitations period in a “catch-all” provision, 735 ILCS 5/13-205, should apply. The circuit court initially denied the motion to dismiss, holding that the five-year statute of limitations applied. On interlocutory appeal, the appellate court affirmed in part and reversed in part, applying different limitations periods to different BIPA subsections: a one-year limitations period to claims under Sections 15(c) and (d) and a five-year limitations period to claims under Sections 15(a), (b), and (e), since the latter claims did not incorporate an “element of publication or dissemination” as required to fall within the one-year limitations provision.3
On February 2, 2023, the Illinois Supreme Court held that the five-year limitations period applies to claims under all BIPA provisions. In reaching this conclusion, the Illinois Supreme Court emphasized the need for consistency and predictability and reasoned that a five-year limitations period aligns with legislative intent. The Court further noted that, unlike “defamation torts (libel and slander)” that fall under the shorter limitations period, “the full ramifications of the harms associated with biometric technology is unknown,” and a longer limitations period would allow an aggrieved party more time to discover a violation.
Practical Steps Companies Can Take to Reduce Risk
The Illinois Supreme Court’s decision is yet another example of courts broadly interpreting the scope and application of BIPA. The Illinois Supreme Court is still considering a different and significant open question as to when Section 15(b) and Section 15(d) claims accrue: either each time a person’s biometric identifier is collected or disclosed, or only once at the first collection or disclosure.4 The court heard oral argument on this issue in May 2022 but has yet to issue its decision.
Companies should continue to remain sensitive to the requirements outlined by BIPA. Below are some steps companies may consider taking to help enhance BIPA compliance and mitigate against the risk of a BIPA violation.
- Review Your “In Practice” Compliance With BIPA. For companies that collect and store biometric data, it is important to routinely review compliance with BIPA. For example, what data retention and destruction policies are in place, and how does the company implement those policies in practice?
- Review Your Vendor Contracts and Vendor Management Processes. Outsourcing certain parts of your BIPA compliance program (e.g., providing notice or obtaining consent on your behalf) does not guarantee your company will not face liability under BIPA. As such, review relevant vendor contract language as well as the processes in place for your vendors to ensure compliance with BIPA.
- Provide Appropriate Disclosures and Obtain Appropriate Consents. Take steps to provide required disclosures and obtain the required consents before collecting or obtaining biometric data. Special care should be taken when collecting data pertaining to minors; a parent or guardian may claim that the minor lacks the ability to consent to the collection of biometric data and that a parent or guardian signature is required.
- Data Minimization—Review Your Need for Biometric Data. Routinely review and consider whether the collection and retention of biometric data is still needed (or if it can be easily replaced with other procedures). An easy way to minimize BIPA risk is to not collect or store biometric data.
1 See Tims v. Black Horse Carriers, 2023 IL 127801.
2 See Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186.
3 Tims v. Black Horse Carriers, Inc., 2021 IL App (1st) 200563.
4 See Cothron v. White Castle System, Inc., Case No. 128004.
This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.