Today, the Illinois Supreme Court resolved the hotly disputed question of whether a one-year or five-year statute of limitations period applies to claims brought under the Biometric Information Privacy Act (“BIPA”). In Tims v. Black Horse Carriers, Inc., the Court conclusively held that a five-year statute of limitations period applies to BIPA claims, expanding the timeframe for a plaintiff to bring a claim in a plaintiff-friendly ruling.
The Tims Decision
Tims initially brought claims under Sections 15(a), 15(b), and 15(d) of BIPA against his former employer, Black Horse Carriers, Inc., and Black Horse moved to dismiss the complaint as untimely, claiming that because the text of BIPA does not contain a statute of limitations period, the one-year statute of limitations for privacy actions under Illinois code provision 735 ILCS 5/13-201 should apply. Plaintiff argued in response that the five-year statute of limitations provided as a catchall for civil actions under 735 ILCS 5/13-205 should apply instead. In a closely watched decision, the First District split the difference, holding that Section 13-201 applied to claims brought under Sections 15(c) and (d), while Section 13-205 applied to BIPA actions under Sections 15(a), (b), and (e).
On appeal, the Illinois Supreme Court affirmed in part and reversed in part, holding that the five-year statute of limitations in Section 13-205 applies to all BIPA claims. The Court agreed with the plaintiffs’ assertion that the five-year limitations period should apply where a statute itself does not contain its own limitations period. Observing that Section 13-201 governs actions for the “publication of matter violating the right of privacy” (emphasis added), the Court looked to the plain text of BIPA and affirmed that Sections 15(a), (b), and (e) did not concern publication in any respect. Although the Court acknowledged that the terms “sell,” “lease,” “trade,” “disclose,” “redisclose,” and “disseminate” in Sections 15(c) and (d) could potentially be read as involving publication, it found that it would be “best” to apply the five-year statute of limitations period to the entire statute in considering the intention of the legislature, the intended purposes of BIPA, and the absence of a statute of limitations in the law. The Court found that this would also further certainty and predictability in BIPA actions.
Analysis & Takeaways
Expanded Scope of Potential Liability
With the Tims decision, plaintiffs now have five years from the date of non-compliance with Illinois’s biometric statute to file suit for BIPA non-compliance. More importantly, in addition to the extremely low bar for establishing cognizable claims in BIPA litigation set by the Illinois Supreme Court in Rosenbach v. Six Flags Ent. Corp., 2019 IL 123186, 129 N.E.3d 1197 (Ill. 2019), the Tims opinion now allows plaintiffs in BIPA disputes to broaden putative classes. Classes may now comprise all individuals who allegedly had their privacy rights violated due to BIPA non-compliance over a five-year period dating back from the time suit is filed—a significant expansion for BIPA putative class actions.
Continued Trend of Liberal Interpretations of BIPA’s Statutory Text
As noted in Privacy World’s 2022 Biometrics and Artificial Intelligence Year-in-Review Report, one of the most significant trends in BIPA class action litigation over the course of last year was the broad, expansive interpretation of key aspects of Illinois’s biometric privacy statute employed in a number of BIPA decisions by both state and federal courts. The Illinois Supreme Court’s decision in Tims continues this trend and, in so doing, expands the contours of Illinois’s biometric statute even further. Of note, the Tims Court readily acknowledged that Section 15(c) and (d) claims could arguably involve activities properly characterized as a “publication,” which would make Illinois’s shorter, one-year limitations period applicable. Despite this, the Court applied the longer, five-year period, which the Court reasoned was necessary in order to best safeguard the privacy interests of Illinois residents that BIPA was enacted to protect.
Importantly, the reasoning set forth in Tims demonstrates how courts heavily favor plaintiff-friendly, liberal interpretations of BIPA’s statutory text, often reasoning that these interpretations align with the stated intent and purposes of Illinois’s biometrics statute. Tims serves as a cautionary tale and a reminder of the significant risks and liability exposure associated with BIPA non-compliance. Not only that, but the Illinois Supreme Court’s use of BIPA’s statutory intent and purposes as its main basis for applying a more plaintiff-friendly limitations period for BIPA claims will likely be utilized by plaintiffs in subsequent class actions in support of arguments designed to expand the contours and scope of Illinois’s biometrics statute even further as it relates to other key, unsettled aspects of the law.
The Illinois Supreme Court May Soon Expand Liability Exposure Even Further in Resolving the Question of Claim Accrual in BIPA Class Litigation
Beyond Tims, the Illinois Supreme Court is set to render another much-anticipated opinion in Cothron v. White Castle Sys., No. 128004 (Ill. Sup. Ct.) sometime in the immediate future, which will definitively resolve the currently unsettled issue of claim accrual in BIPA litigation. Depending on how the Court answers the question of whether every discrete failure to comply with BIPA’s requirements amounts to a separate, independent violation of the statute, the scope of liability exposure and damages underlying BIPA class actions may further increase for those companies that leverage the benefits of biometrics in their day-to-day operations.
What to Do Now: Practical Compliance Tips
The forthcoming Cothron opinion will offer much-needed clarity regarding the scope of statutory damages at issue for purported BIPA violations. However, if the Illinois Supreme Court rejects a “one and done” theory of accrual, and instead applies the continuing violation theory to BIPA claims, the overall scope of potential damages—which is already significant—will further expand.
In the interim, companies should work closely with experienced biometric privacy counsel to review and conduct a thorough audit of their current compliance practices to identify and remediate any gaps in advance of the Cothron decision and any resulting expansion in liability exposure. In particular, companies should assess their current compliance programs to ensure they encompass the following practices:
- Maintain a Public Privacy Policy: Maintain a publicly-available privacy policy which, at a minimum, establishes a retention schedule and guidelines for permanently destroying biometric data when the initial purpose for collecting or obtaining such data has been satisfied.
- Permanently Destroy Biometric Data in a Timely Manner: Maintain practices and protocols to ensure that biometric data is permanently destroyed within BIPA’s mandated timeframes. As a general rule of thumb, biometric data should be permanently destroyed when it is no longer needed for the initial purpose for which it was originally collected (even where compliance with BIPA is not required).
- Supply Pre-Collection Notice: Provide notice to all individuals prior to the time biometric data is collected which, at a minimum, informs the individual: (1) that biometric data is being collected/stored; (2) the specific purpose for collecting the individual’s biometric data; and (3) the period of time over which the company will use and store such biometric data before it is permanently destroyed.
- Obtain Pre-Collection Consent: Obtain consent from all individuals prior to the time biometric data is collected, allowing the company to collect, use, and store their biometric data, as well as permitting the company to share/disclose such data with the company’s vendors and service providers.
- Maintain Security Measures to Safeguard Biometric Data: Store, transmit, and safeguard biometric data using reasonable security measures designed to prevent unauthorized access, disclosure, or acquisition of such data. Two security protocols that all companies should consider implementing whenever feasible are encryption and multi-factor authentication, both of which are extremely effective in safeguarding all types of sensitive personal information. At the same time, only those individuals with a business need for biometric data should be afforded access to such data.
- Strictly Prohibit Sales and Any Other Form of Profiting From Biometric Data: Strictly bar employees and vendors from selling or otherwise profiting from biometric data, which can be accomplished through the implementation and enforcement of an internal biometric data policy.
- Vendor Compliance: Ensure that all of the company’s vendors and service providers are also fully compliant with the mandates of Illinois’s biometric privacy statute.