The Supreme Court of the State of Illinois held in Tims v. Black Horse Carriers Inc. that a five-year statute of limitations applies to all claims under the state’s Biometric Information Privacy Act (BIPA).
In so holding in the February 3 decision,[1] Illinois’ highest court rejected contrary arguments that either a one-year statute of limitations should apply, or the applicable statute of limitations should vary based on the specific violation alleged.[2] The court held that “one limitations period should govern” the entirety of BIPA, and that this should be the state’s “catchall” limitations period of five years.[3]
This ruling expands the scope of potential liability under BIPA, which is unique among state biometric privacy laws in that it creates a private right of action for individuals who allege their biometric data was collected, maintained, or disseminated in a manner inconsistent with the Act’s terms.[4] BIPA also awards statutory damages to anyone who can prove such a violation, even if they are incapable of proving they have suffered any tangible injury.[5] Tims was one of two anticipated opinions from the Illinois Supreme Court addressing BIPA liability this year, with the other, Cothron v. White Castle System, fully submitted and awaiting a decision.
Enacted by the Illinois legislature in 2008, BIPA sets forth comprehensive requirements for private entities that collect or handle “biometric identifiers” or “biometric information.”[6] A biometric identifier is defined as meaning a “retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry,”[7] and biometric information is defined as meaning information derived from biometric identifiers, which can be used to identify a specific person.[8]
Among other requirements, BIPA provides that companies may not collect biometric identifiers or information without subjects’ consent, may not disclose biometric identifiers or information except under authorized circumstances, and must maintain publicly available policies concerning the retention and deletion of biometric identifiers and information.[9]
Although Illinois is not the only state to have enacted laws regulating the collection and use of biometric data, BIPA is the only such law that creates a private right of action for individuals who allege their biometric data was handled in a manner inconsistent with the act.[10] BIPA also imposes fixed, minimum penalties for anyone who prevails on such a cause of action, providing that an individual may recover the greater of either their actual damages, $1,000 per negligent violation, or $5,000 per reckless violation, plus reasonable attorneys’ fees and costs.[11]
In 2019, the Illinois Supreme Court held that a person has standing to bring a claim under BIPA—and can seek to recover the aforementioned statutory damages—even if they cannot prove they suffered any tangible injury as a result of the alleged violation.[12]
The plaintiff in Tims brought a putative class action lawsuit against his former employer, alleging that he had been required to clock in and out using a timeclock that scanned his fingerprints in order to identify him.[13] The plaintiff alleged that the company was therefore collecting biometric identifiers and/or information from its employees (i.e., fingerprints), and further alleged that the company had failed to collect and handle this data in compliance with BIPA.[14]
The defendant moved to dismiss, arguing that the claims were untimely under the Illinois Code of Civil Procedure, which applies a one-year statute of limitations to claims arising from “publication of matter violating the right of privacy.”[15] The circuit court denied the motion, holding that violations of BIPA do not necessarily involve the “publication” of biometric information, and that the applicable statute of limitations would therefore be Illinois’ “catchall” limitations period of five years.[16]
On an interlocutory appeal, Illinois’ intermediate appellate court took a different approach, holding that—depending on the specific subpart of BIPA that was implicated—a claim could either be subject to a one-year statute of limitations or a five-year statute of limitations.[17] Specifically, the intermediate appellate court held that the subsections of BIPA regulating the dissemination of biometric identifiers and information concern the “publication” of private information, and would therefore be governed by the one-year statute of limitations, while the remaining subsections would be governed by the five-year limitations period.[18] Both parties appealed this decision to the Supreme Court of Illinois.
The Supreme Court of Illinois rejected the notion that different statutes of limitations could apply to different subparts of BIPA: “One of the purposes of a limitations period is to reduce uncertainty and create finality and predictability in the administration of justice. . . . Two limitations periods could confuse future litigants about when claims are time-barred, particularly when the same facts could support causes of action under more than one subsection [of BIPA].”[19]
The court went on to find that—although a rational argument had been made for why a one-year statute of limitations could apply to certain subsections of BIPA—“when we consider not just the plain language of [the statute] but also the intent of the legislature, the purposes to be achieved by the statute, and the fact that there is no limitations period in the Act, we find that it would be best to apply the five-year catchall limitations period. . . .”[20]
Specifically, the Supreme Court of Illinois noted that the legislature had included a statement of intent in BIPA that indicated the act was intended to address the “fears of and risks to the public surrounding the disclosure of highly sensitive biometric information,” and that in light of these concerns “it would thwart legislative intent to (1) shorten the amount of time an aggrieved party would have to seek redress for a private entity's noncompliance with the Act and (2) shorten the amount of time a private entity would be held liable for noncompliance with the Act.”[21]
Tims was one of two anticipated opinions from the Illinois Supreme Court addressing BIPA liability this year, with the other, Cothron v. White Castle System, fully submitted and awaiting a decision.[22] Cothron involves a certified question from the United States Court of Appeals for the Seventh Circuit, which is whether a separate cause of action accrues under BIPA each time the same person’s biometric identifier is collected and/or transmitted by an entity, or whether a claim only accrues the first time this happens.[23]
The minimum statutory penalties imposed by BIPA are specifically recoverable for “each violation” of the act, which means the forthcoming decision about whether the same violative conduct can give rise to multiple “violation[s]” against the same person will have significant consequences for defendants’ potential liability.[24] The Supreme Court of Illinois heard oral arguments in Cothron in May 2022, and a decision is expected sometime this year.
The terms of BIPA apply not just to businesses located within Illinois, but also to businesses that are alleged to have committed a violation “primarily and substantially in Illinois.”[25] This is a fact-based inquiry, with mixed case law on what kind of facts will establish that a transaction took place “in Illinois.” In light of this ambiguity—as well as BIPA’s five-year statute of limitations and significant statutory penalties—any business that handles biometric information may wish to assess whether it is doing so in a manner consistent with BIPA’s terms, or whether it is exposing itself to potential liability.
If you have any questions about how BIPA or other biometrics laws may affect your business, please contact any of the following:
[1] See Tims v. Black Horse Carriers, Inc., N.E.3d, 2023 WL 1458046 (Ill. 2023).
[2] See id. at *1-3.
[3] Id. at *3.
[4] See 740 ILCS 14/20.
[5] See id.
[6] 740 ILCS 14/1 et seq.
[7] 740 ILCS 14/10.
[8] Id.
[9] See 740 ILCS 14/15
[10] See 740 ILCS 14/20. In July 2021, New York City enacted a local biometric privacy law that provides for a private right of action, but BIPA remains unique among state laws.
[11] See 740 ILCS 14/20.
[12] See Rosenbach v. Six Flags Ent. Corp., 129 N.E.3d 1197 (Ill. 2019).
[13] See Tims, 2023 WL 1458046, at *1.
[14] See Tims, 2023 WL 1458046, at *1.
[15] Tims, 2023 WL 1458046, at *2 (citing 735 ILCS 5/13-201).
[16] Id. (citing 735 ILCS 5/13-205).
[17] See id.
[18] Id. (citing 735 ILCS 5/13-201).
[19] Id. at *3.
[20] Id. at *6.
[21] Id. at *7
[22] Cothron v. White Castle System, Inc., No. 1280004 (Ill.)
[23] See Cothron v. White Castle Sys., Inc., 20 F.4th 1156 (7th Cir. 2021)
[24] See 740 ILCS 14/20.
[25] Neals v. PAR Tech. Corp., 419 F. Supp. 3d 1088, 1090 (N.D. Ill. 2019)