October 25, 2021

Volume XI, Number 298

Advertisement
Advertisement

October 25, 2021

Subscribe to Latest Legal News and Analysis

Illinois Panel Issues Important Ruling on BIPA Statute of Limitations

On September 17, 2021, a three-judge panel of the Illinois Appellate Court for the First Judicial District issued a long-awaited decision regarding the statute of limitations for claims under the state’s Biometric Information Privacy Act (“BIPA”) in Tims v. Black Horse Carriers, Inc. The Tims decision marks the first appellate guidance regarding this issue.  Although the BIPA is silent as to the applicable statute of limitations, the panel concluded that claims brought under section 15(a), (b), and (e) of the statute, which are the claims requiring companies to have a publicly available policy, obtain informed consent, and reasonably safeguard biometric data, are subject to a five-year limitations period.  BIPA claims brought under sections 15(c) and (d) of the statute, which are the claims which prohibit profiting from the use of biometric data or disclosure of biometric data are subject to a one-year statute of limitations.

In reaching its split decision regarding the applicable statute of limitations, the panel noted that each duty under the BIPA is “separate and distinct,” and that a private entity “could violate one of the duties while adhering to others.”  The panel further opined that “a plaintiff who alleges and eventually proves violation[s] of multiple duties could collect multiple recoveries of liquidated damages.” The panel looked to the text of the BIPA without consideration of the legislative history of the statute, and precedent, including the Illinois Supreme Court’s decision in Rosenbach v. Six Flags Entertainment Corp.in reaching its conclusion.

Section 13-201 of the Illinois Code of Civil Procedure provides that there is a one-year statute of limitations for “actions for slander, libel or for publication  matter violating the right of privacy,” while section 13-205 has a five-year “catchall” statute of limitations for “all civil actions not otherwise provided for.”  The panel concluded that 13-201 does not apply to all privacy actions, but rather only privacy actions “where publication is an element or inherent part of the action.”  On these grounds, the panel determined that section 13-201’s one-year statute of limitations only applies to BIPA claims under sections 15(c) and (d) of the statute, which prohibit entities from “sell[ing], leas[ing], trad[ing], or otherwise profit[ing] from” or disclosing biometric data. With respect to those claims, the panel held that “publication or disclosure of biometric data is clearly an element of an action.”

Conversely, the panel concluded that claims under sections 15(a), (b), and (e) “have absolutely no element of publication or dissemination,” and thus, the five-year “catchall” statute of limitations applies.

In Tims, the First District was not asked, nor did it decide, the issue of when a claim under the BIPA accrues.  However, the accrual issue is currently the subject of an appeal before the federal Seventh Circuit Court of Appeals in Cothron v. White Castle.  The Seventh Circuit heard oral argument in Cothron on September 14, 2021, and has been asked by the plaintiff-appellant to certify the accrual issue to the Illinois Supreme Court for consideration.  In Marion v. Ring Container, the Illinois Appellate Court for the Third Judicial District is set to decide whether a one-year, two-year, or five-year statute of limitations applies to claims under the BIPA.  The Marion appeal is currently stayed pending a decision in McDonald v. Symphony Bronzeville, in which the Illinois Supreme Court will decide with finality whether BIPA claims arising in the employment context are preempted by the Illinois Workers’ Compensation Act.

There has been an influx of biometric privacy litigation in recent years. Private entities that collect, use, and store biometric data increasingly face compliance obligations as the law attempts to keep pace with ever-evolving technology. Creating a robust privacy and data protection program or regularly reviewing an existing one can mitigate risk and ensure legal compliance.

Jackson Lewis P.C. © 2021National Law Review, Volume XI, Number 263
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Jody Mason, Employment Law Litigator, Employer Attorney, Jackson Lewis, Chicago Law Firm
Principal

Jody Kahn Mason is a Principal in the Chicago, Illinois, office of Jackson Lewis P.C. She is an experienced employment law litigator and defends employers before federal and state courts and administrative agencies throughout the midwest.

Ms. Mason handles all types of single plaintiff and class action employment litigation, including claims of discrimination, sexual harassment and retaliation, and matters arising under Title VII, the Age Discrimination in Employment Act (ADEA), the Family and Medical Leave Act (FMLA), the Americans with...

312-803-2535
Principal

Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm's Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and...

973- 538-6890
Jason C. Gavejian, Employment Attorney, Jackson Lewis, Principal, Restrictive Covenants Lawyer
Principal

Jason C. Gavejian is a Principal in the Morristown, New Jersey, office of Jackson Lewis P.C. and a Certified Information Privacy Professional (CIPP/US) with the International Association of Privacy Professionals.

Mr. Gavejian represents management exclusively in all aspects of employment litigation, including restrictive covenants, class-actions, harassment, retaliation, discrimination and wage and hour claims in both federal and state courts. Additionally, Mr. Gavejian regularly appears before administrative agencies,...

(973) 538-6890
Attorney

Maya Atrakchi is the Knowledge Management (“KM”) Attorney for Jackson Lewis P.C.’s Privacy, e-Communication and Data Security and International Employment Issues Practice Groups, and is based in the New York City, New York, office of Jackson Lewis P.C.

212-545-4000
Advertisement
Advertisement
Advertisement