On September 17, 2021, a three-judge panel of the Illinois Appellate Court for the First Judicial District issued a long-awaited decision regarding the statute of limitations for claims under the state’s Biometric Information Privacy Act (“BIPA”) in Tims v. Black Horse Carriers, Inc. The Tims decision marks the first appellate guidance regarding this issue. Although the BIPA is silent as to the applicable statute of limitations, the panel concluded that claims brought under section 15(a), (b), and (e) of the statute, which are the claims requiring companies to have a publicly available policy, obtain informed consent, and reasonably safeguard biometric data, are subject to a five-year limitations period. BIPA claims brought under sections 15(c) and (d) of the statute, which are the claims which prohibit profiting from the use of biometric data or disclosure of biometric data are subject to a one-year statute of limitations.
In reaching its split decision regarding the applicable statute of limitations, the panel noted that each duty under the BIPA is “separate and distinct,” and that a private entity “could violate one of the duties while adhering to others.” The panel further opined that “a plaintiff who alleges and eventually proves violation[s] of multiple duties could collect multiple recoveries of liquidated damages.” The panel looked to the text of the BIPA without consideration of the legislative history of the statute, and precedent, including the Illinois Supreme Court’s decision in Rosenbach v. Six Flags Entertainment Corp., in reaching its conclusion.
Section 13-201 of the Illinois Code of Civil Procedure provides that there is a one-year statute of limitations for “actions for slander, libel or for publication matter violating the right of privacy,” while section 13-205 has a five-year “catchall” statute of limitations for “all civil actions not otherwise provided for.” The panel concluded that 13-201 does not apply to all privacy actions, but rather only privacy actions “where publication is an element or inherent part of the action.” On these grounds, the panel determined that section 13-201’s one-year statute of limitations only applies to BIPA claims under sections 15(c) and (d) of the statute, which prohibit entities from “sell[ing], leas[ing], trad[ing], or otherwise profit[ing] from” or disclosing biometric data. With respect to those claims, the panel held that “publication or disclosure of biometric data is clearly an element of an action.”
Conversely, the panel concluded that claims under sections 15(a), (b), and (e) “have absolutely no element of publication or dissemination,” and thus, the five-year “catchall” statute of limitations applies.
In Tims, the First District was not asked, nor did it decide, the issue of when a claim under the BIPA accrues. However, the accrual issue is currently the subject of an appeal before the federal Seventh Circuit Court of Appeals in Cothron v. White Castle. The Seventh Circuit heard oral argument in Cothron on September 14, 2021, and has been asked by the plaintiff-appellant to certify the accrual issue to the Illinois Supreme Court for consideration. In Marion v. Ring Container, the Illinois Appellate Court for the Third Judicial District is set to decide whether a one-year, two-year, or five-year statute of limitations applies to claims under the BIPA. The Marion appeal is currently stayed pending a decision in McDonald v. Symphony Bronzeville, in which the Illinois Supreme Court will decide with finality whether BIPA claims arising in the employment context are preempted by the Illinois Workers’ Compensation Act.
There has been an influx of biometric privacy litigation in recent years. Private entities that collect, use, and store biometric data increasingly face compliance obligations as the law attempts to keep pace with ever-evolving technology. Creating a robust privacy and data protection program or regularly reviewing an existing one can mitigate risk and ensure legal compliance.