On February 2, 2023, the Supreme Court of Illinois ruled that the state’s Biometric Information Privacy Act (BIPA or the Act) is subject to a five-year “catch-all” statute of limitations. In so ruling, the court settled a years-long split among the lower courts, which have struggled to decide whether BIPA claims are cut off after one year, two years, or five years. In applying the longest possible limitations period, the court adopted the view of the plaintiffs bar, and companies dealing with BIPA claims may see settlement demands increase as a result.
Enacted in 2008, BIPA created a comprehensive regulatory framework for “the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information” in Illinois.1 Among other things, BIPA requires most private entities operating in the state that collect or store biometric information or identifiers — including “fingerprints,” “voiceprints,” and scans of “face geometry” — to provide notice and obtain written consent.2 Individuals “aggrieved” under the Act may assert a private right of action seeking liquidated damages of up to $5,000 “per violation,” as well as reasonable attorneys’ fees.3
For over a decade, the Act went mostly unenforced. That changed in 2019 when, in a case called Rosenbach v. Six Flags Entertainment Corp., the Supreme Court of Illinois held that individuals are aggrieved by the loss of control attendant to a violation of the Act, and therefore a technical violation of the Act is sufficient to support a claim.4 This one ruling opened the floodgates, with as many BIPA cases filed in the months following Rosenbach as had been filed in the preceding decade. In 2021, the rate of filings grew to more than 100 new BIPA cases per month.5
Notably, BIPA does not contain its own statute of limitations, and many plaintiffs sought to therefore apply Illinois’s catch-all, five-year statute — 735 ILCS 5/13-205. In contrast, seeing an opportunity to limit liability, many defendants sought instead to apply Illinois’s one-year statute — 735 ILCS 5/13-201 — which governs actions for the “publication of matter violating the right of privacy.” This makes sense. As the Rosenbach court explained, BIPA protects the “right to privacy in and control over” one’s biometric data.6 To that end, BIPA regulates the manner in which entities collect, store, and disseminate — i.e., publish — biometric information.7 And indeed, the Supreme Court of Illinois held in a case captioned West Bend Mutual Insurance Co. v. Krishna Schaumburg Tan, Inc. that BIPA claims fell within the provision in an insured’s policy covering “publication of material that violates a person’s right of privacy.”8
Faced with these opposing views, the Appellate Court of Illinois split the baby in a case captioned Tims v. Black Horse Carriers, Inc., holding that different parts of BIPA are governed by two separate statutes of limitations.9 There, plaintiff brought a putative class action alleging that his former employer’s use of finger-scan timekeeper technology — which is common in the retail, restaurant, health care, and logistics industries — did not comply with BIPA’s strict disclosure and consent regime.10 Specifically, plaintiff claimed that his former employer violated Section 15(a) of the Act by failing to maintain a public retention schedule for biometric data; violated Section 15(b) of the Act by failing to obtain informed written consent before obtaining biometric data; and violated Section 15(d) of the Act by disclosing or disseminating biometric data without first obtaining consent.11 The employer moved to dismiss, arguing that all of plaintiff’s claims were barred by the one-year statute of limitations applicable to privacy claims.12
The appellate court agreed in part. Consistent with the statutory language, the appellate court held that the one-year limitations period does apply to those sections of the Act where “publication or disclosure of biometric data is clearly an element” of the claim — namely, Sections 15(c) and 15(d).13 In contrast, the appellate court held that the five-year limitations period would apply to all remaining claims under the Act — namely, those brought under Section 15(a), 15(b), and 15(e) — as “no element of publication or dissemination” exists in those claims.14
The Supreme Court of Illinois reversed on appeal, holding that the five-year limitations period applies to all claims under the Act.15 The court took issue with the appellate court’s split approach, finding application of two limitation periods to a single statute “would create an unclear, inconvenient, inconsistent, and potentially unworkable regime.”16 Having to choose between the one-year and five-year periods, the court found the latter better suited to both the language and purpose of the Act. First, while “acknowledg[ing] that the one-year statute of limitations could be applied to subsections (c) and (d),” the court determined the same could not be said for Section 15 overall, which therefore falls within the five-year, catch-all statute.17 Second, given the unique character of biometric information, the court reasoned that the longer limitations period would better support the legislature’s goal of preventing disclosures from occurring in the first place.18
While providing much needed clarity to the lower courts, Tims does not resolve all questions surrounding the limitations period applicable to BIPA claims. Most notably, Tims does not address when a BIPA claim in fact accrues — a question currently pending before the Supreme Court of Illinois.
If you are currently or intend to roll out any purported biometric technology in Illinois or elsewhere, we strongly encourage you to contact counsel to discuss.