On February 2, 2023, the Illinois Supreme Court declared that the statute of limitations for all claims arising under Illinois’ Biometric Information Privacy Act (“BIPA”) is 5 years. The Supreme Court vacated an earlier decision from the intermediate appellate court, which had found that the statute of limitations ranged from 1 year to 5 years depending on the nature of the alleged violation at issue.
The implications of the Illinois Supreme Court’s decision are momentous because many BIPA lawsuits are class actions. In addition to expanding the pool of potential plaintiffs, a five-year statute of limitations for BIPA claims greatly increases the potential class size and, consequently, defendants’ potential damages exposure.
Background
By way of background, Illinois enacted BIPA in 2008 after a company called Pay-by-Touch started a pilot program at Chicago-area retail stores to enable customers to pay for purchases using fingerprint scans linked to their credit cards. When Pay-by-Touch subsequently filed for bankruptcy after collecting customers’ biometric and financial account information, the bankruptcy trustee listed the customers’ biometric information as an asset and sought to sell it to pay off creditors. This motivated the Illinois legislature to enact BIPA.
BIPA’s Requirements
BIPA contains five different subsections regulating the use of biometric information. The differences between the following five subsections were critical to the intermediate court’s decision that the Supreme Court vacated:
- First, anyone in possession of biometric information must develop a publicly available retention policy.
- Second, prior to collecting any biometric information, the collecting party must disclose the purpose and length of time for which the information will be used, and obtain a release from the subject of the information.
- Third, biometric information cannot be disclosed without the authorization of the subject.
- Fourth, a party cannot profit from the sale of biometric information under any circumstances.
- Fifth and finally, a party must protect biometric information using the standard of care in the industry, and at least the same protection measures that the party uses for other personal and confidential information.
Debate Over The Statute of Limitations for BIPA Claims
BIPA itself does not specify the applicable statute of limitations, and the plaintiff and defense bars disagreed on the applicable limitations period. Prior to the Supreme Court’s decision, the litigation in the trial courts had centered around three potential limitations periods:
- One-year period for actions based on “publication of matter violating the right of privacy.” 735 ILCS 5/13-201;
- Two-year period for personal injuries or “statutory penalties.” 735 ILCS 5/13-202; or
- Five-year period for “all civil actions not otherwise provided for.” 735 ILCS 5/13-205.
The Subject Lawsuit
An employee sued his former employer alleging that his employer required him to clock in for work using a biometric time clock and that his employer violated BIPA by failing to obtain his informed consent, failing to have a retention policy, and disclosing his information to third parties such as the time clock vendor.
The plaintiff stopped working for the defendant in January 2018, and he filed suit in March 2019. The employer moved to dismiss the lawsuit, arguing that the suit was time-barred because the one-year statute of limitations for “publication of matter violating the right of privacy” applied. The plaintiff, of course, disagreed and argued that the five-year statute of limitations for “civil actions not otherwise provided for” applied. The trial court agreed with the plaintiff but certified the question for interlocutory appeal.
The Intermediate Court’s Decision
On appeal, the intermediate court found that the applicable statute of limitations depends on which of the five BIPA subsections is at issue. More specifically, the First District found that the one-year limitations period is limited to matters involving “publication.” Using this framework, the First District found that only two of BIPA’s subsections involve publication: the prohibition of unauthorized disclosure and the prohibition of the sale of biometric information. On the other hand, the First District found that the other three requirements (the retention policy requirement, informed consent requirement, and standard of care requirement) can be violated without any publication, and therefore are subject to the five-year statute of limitations.
The Supreme Court’s Decision
The Supreme Court rejected the intermediate court’s piecemeal analysis, stating that the policy motivation for the statute of limitations is to create clarity. The Supreme Court found that applying a single statute of limitations for BIPA claims provided more clarity than the intermediate court’s mixed-results framework.
The Supreme Court further found that the five-year limitations period should apply, based on precedent indicating that the five-year period applies whenever a statute does not explicitly establish a limitations period, regardless of the nature of the right created by the statute.
The Supreme Court did not directly address the two-year limitations period for statutory penalties, but the nature of its decision makes it unlikely that the court would reverse course.
Impact
The court’s decision cements the considerable damages exposure of BIPA class actions. With a 5-year statute of limitations for BIPA claims, any BIPA class action will cast a wide net that draws in a large number of potential class members. More class members means greater class-wide damages exposure. More class members also enlarge the pool of individuals that trial lawyers can recruit to serve as named plaintiffs for a class action.
The litigation over Illinois’ biometric privacy law is just one example of the many legal risks posed by the constantly evolving law on data privacy. Octillo monitors developments regarding data privacy and security law, including biometric privacy requirements. Our team of experienced data security and privacy attorneys, who are also devoted technologists, is specially equipped with the skills and experience necessary to help businesses evaluate the legal risks posed by modern technologies. Octillo can help businesses develop comprehensive and scalable data privacy compliance programs, as well as defend businesses currently facing data privacy litigation.
*Attorney advertising: Prior results do not guarantee future outcomes.