Feb 102023

Illinois Supreme Court Clarifies Statute of Limitations for Illinois Biometric Privacy Act Claims: Five Years

Kathleen Carlson, Lawrence P. Fogel, Geeta Malhotra, Stephen W. McInerney, Andrew F. Rodheim and Carly R. Owens
, ,

Last week, the Illinois Supreme Court held that a five-year statute of limitations applies to all claims under the Illinois Biometric Privacy Act (BIPA), further expanding the already broad scope and application of the Illinois statute.1

Enacted in 2008, BIPA regulates the collection and possession of biometric data by private entities operating in Illinois. Biometric data includes, for example, fingerprints, voiceprints, eye scans, and face/hand scans (but not photographs or written signatures). BIPA requires entities to comply with certain obligations when collecting biometric data—among other things, entities must provide notice to the individual whose biometric data is being collected, obtain written consent from that individual, establish and implement a written data retention policy, and ensure compliance with limitations on any transfers of biometric data, including prohibition on “sale” and “lease” of biometric data. Notably, BIPA establishes a private right of action, allowing any person to seek damages, attorneys’ fees, and injunctive relief if they have been aggrieved by a BIPA violation. The statutory damages available for a person aggrieved by a BIPA violation are steep, including $1,000 to $5,000 per violation, attorneys’ fees and costs, and the possibility of injunctive relief. In 2019, the Illinois Supreme Court clarified that a plaintiff may seek damages when the only injury is a violation of BIPA,2 a decision that accelerated the trend of filing putative class action lawsuits under the statute.

This latest decision by the Illinois Supreme Court again emphasizes the broad scope of BIPA and the importance of remaining sensitive to BIPA requirements. Below is additional information regarding the decision as well as some practical steps that companies can take to help reduce potential BIPA liability.

Tims v. Black Horse Carriers

In March 2019, the plaintiff filed a class action complaint against his former employer relating to the former employer’s use of finger-scan technology for purposes of timekeeping. The plaintiff alleged, among other things, that the employer-defendant: “(1) failed to institute, maintain, and adhere to a publicly available biometric information retention and destruction policy required under [S]ection 15(a); (2) failed to provide notice and to obtain his consent when collecting his biometrics, in violation of [S]ection 15(b); and (3) disclosed or otherwise disseminated his biometric information to third parties without consent in violation of [S]ection 15(d).” The employer-defendant moved to dismiss the complaint on statute of limitations grounds, arguing that the one-year limitations period applicable to “publication of matter violating the right of privacy,” 735 ILS 5/13-201, barred the claims. The plaintiff maintained that a five-year limitations period in a “catch-all” provision, 735 ILCS 5/13-205, should apply. The circuit court initially denied the motion to dismiss, holding that that the five-year statute of limitations applied. On interlocutory appeal, the appellate court affirmed in part and reversed in part, applying different limitations periods to different BIPA subsections: a one-year limitations period to claims under Sections 15(c) and (d) and a five-year limitations period to claims under Sections 15(a), (b), and (e), since the latter claims did not incorporate an “element of publication or dissemination” as required to fall within the one-year limitations provision.3

On February 2, 2023, the Illinois Supreme Court held that the five-year limitations period applies to claims under all BIPA provisions. In reaching this conclusion, the Illinois Supreme Court emphasized the need for consistency and predictability and reasoned that a five-year limitations period aligns with legislative intent. The Court further noted that, unlike “defamation torts (libel and slander)” that fall under the shorter limitations period, “the full ramifications of the harms associated with biometric technology is unknown,” and a longer limitations period would allow an aggrieved party more time to discover a violation.

Practical Steps Companies Can Take to Reduce Risk

The Illinois Supreme Court’s decision is yet another example of courts broadly interpreting the scope and application of BIPA. The Illinois Supreme Court is still considering a different and significant open question as to when Section 15(b) and Section 15(d) claims accrue: either each time a person’s biometric identifier is collected or disclosed, or only once at the first collection or disclosure.4 The court heard oral argument on this issue in May 2022 but has yet to issue its decision.

Companies should continue to remain sensitive to the requirements outlined by BIPA. Below are some steps companies may consider taking to help enhance BIPA compliance and mitigate against the risk of a BIPA violation.

  • Review Your “In Practice” Compliance With BIPA. For companies that collect and store biometric data, it is important to routinely review compliance with BIPA. For example, what data retention and destruction policies are in place, and how does the company implement those policies in practice?
  • Review Your Vendor Contracts and Vendor Management Processes. Outsourcing certain parts of your BIPA compliance program (e.g., providing notice or obtaining consent on your behalf) does not guarantee your company will not face liability under BIPA. As such, review relevant vendor contract language as well as the processes in place for your vendors to ensure compliance with BIPA.
  • Provide Appropriate Disclosures and Obtain Appropriate Consents. Take steps to provide required disclosures and obtain the required consents before collecting or obtaining biometric data. Special care should be taken when collecting data pertaining to minors; a parent or guardian may claim that the minor lacks the ability to consent to the collection of biometric data and that a parent or guardian signature is required.
  • Data Minimization—Review Your Need for Biometric Data. Routinely review and consider whether the collection and retention of biometric data is still needed (or if it can be easily replaced with other procedures). An easy way to minimize BIPA risk is to not collect or store biometric data.

1See Tims v. Black Horse Carriers, 2023 IL 127801.
2See Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186.
3Tims v. Black Horse Carriers, Inc., 2021 IL App (1st) 200563.

4See Cothron v. White Castle System, Inc., Case No. 128004.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.

Kathleen Carlson

Chicago

kathleen.carlson@sidley.com

Lawrence P. Fogel

Chicago

lawrence.fogel@sidley.com

Geeta Malhotra

Chicago

gmalhotra@sidley.com

Stephen W. McInerney

Chicago

smcinerney@sidley.com

Andrew F. Rodheim

Chicago

arodheim@sidley.com

Carly R. Owens

New York

cowens@sidley.com

You might also like
Regulatory Update: National Association of Insurance Commissioners Spring 2024 National Meeting

The National Association of Insurance Commissioners (NAIC) held its Spring 2024 National Meeting (Spring Meeting) March 15 through 18, 2024. This Sidley Update summarizes the highlights from this meeting in addition to interim meetings held in lieu of taking place during the Spring Meeting. Highlights include proposed updates to the regulatory review process for affiliated investment management agreements, continued discussion of considerations related to private equity ownership of insurers, and continued development of accounting principles and investment limitations related to certain types of bonds and structured securities.

District Court Finds Communications Decency Act Provides Automotive Device Manufacturer Immunity for Clean Air Act Violations

On March 28, 2024, in US v. EZ Lynk, the U.S. District Court for the Southern District of New York dismissed the Department of Justice’s (DOJ) claim that an automotive device manufacturer violated Section 203 of the Clean Air Act (CAA), holding that Section 230 of the Communications Decency Act (CDA) provided complete immunity from CAA liability for the sale of certain aftermarket automotive devices. This decision of first impression offers an important precedent in the automotive industry and beyond. The decision gives effect to the CDA as drafted and will make it significantly harder for the government to hold manufacturers and online retailers liable for content, including software, created and sold by third parties.

Cybersecurity Takeaways From White House Tech Report

On Feb. 26, the White House’s Office of the National Cyber Director (ONCD), released a report on how technology manufacturers and software developers can improve the cybersecurity posture of the U.S. This report, “Back to the Building Blocks: A Path Toward Secure and Measurable Software,” aligns with the Biden administration’s current, intense focus on combatting ever-increasing cyberthreats through software development and software manufacturer accountability. In this article, published by Law360 on March 26, Sidley lawyers Alan Charles Raul, Stephen McInerney and Vishnu Tirumala discuss the ONCD report and provide key take-aways for software developers and manufacturers, their senior management, and boards.