Claims under Illinois Biometric Information Privacy Act governed by 1-or-5 year limitations, Illinois appellate court finds
The Illinois First District Appellate Court recently found that, depending on the type of alleged violation at issue, a limitations period of either one or five years applies to claims under the Illinois Biometric Information Privacy Act (“BIPA”). Although that highly anticipated decision adds some clarity in this evolving area of law, it is hardly the last word on the subject and is likely to be appealed to the Illinois Supreme Court.
The case is Tims v. Black Horse Motor Carriers, Inc. The plaintiff filed his class action complaint in March 2019, asserting various claims under BIPA section 15. According to the complaint, the plaintiff worked for the defendant from June 2017 until January 2018, and during that time the defendant scanned the fingerprints of all employees, including the plaintiff, and used fingerprint scanning in its employee timekeeping. The defendant moved to dismiss on statute of limitations grounds. It argued that because BIPA does not impose its own limitations period, the one-year period for privacy actions under Illinois code section 13-201 applied because BIPA’s purpose is privacy protection. In response, the plaintiff argued that the five-year catch-all limitations period under code section 13-205 for all civil actions not otherwise provided for applied. The circuit court agreed with the plaintiff and denied the motion to dismiss.
On interlocutory appeal, the First District agreed in part with both sides. Accepting the plaintiff’s argument, it held that the five-year catch-all statute of limitations applies to BIPA sections 15(a), 15(b) and 15(e), which require private entities to develop and adhere to a publicly available written policy and data retention schedule and obtain consent to collect biometric data from an individual before doing so. But it also held that the one-year limitations period for privacy claims involving publication applies to BIPA sections 15(c) and 15(d), which prohibit private entities in possession of biometric data from selling, trading, or disclosing biometric data to third parties without first obtaining consent from the affected individuals to do so. The distinction, the court held, turned on whether the BIPA provision at issue contemplated publication, which is required for application of the shorter limitation period under section 13-201. According to the court, BIPA sections 15(c) and (d) involve disclosure of biometrics and thus are governed the one-year limitation, whereas sections 15(a), (b), and (e) do not and thus are governed by the five-year limitations period.
The Tims decision provides little comfort to defendants looking to avoid liability under BIPA on statute of limitations grounds, because the vast majority of BIPA claims assert violations of one or more of sections 15(a), (b), or (e). And the decision gives additional reason for concern. In concluding its analysis, the First District noted that because a “‘prevailing party may recover for each violation,’ a plaintiff who alleges and eventually proves violations of multiple duties could collect multiple recoveries of liquidated damages.” This gratuitous comment, which relates to another unsettled and hotly contested issue under the law – the computation of damages – suggests that a plaintiff may be able to “stack” and collect separate statutory damages for multiple BIPA violations based on a single discrete act or oversight by a defendant.
It is likely that one or both parties will seek to appeal the First District’s decision to the Illinois Supreme Court, and it remains to be seen how that court will decide the statute of limitations question. In the meantime, the First District’s holding – and its statement regarding recoverable damages – underscore the continued risks businesses collecting or using biometrics face if they fail to adhere to BIPA’s requirements. Companies should carefully review their biometric policies and procedures to ensure that those policies and procedures comply with all aspects of BIPA.